How to remove RobinHood virus and restore encrypted files

Today we are talking about a rather unusual virus, which, despite all the attributes of ransomware, is very different from other similar programs. So, the RobinHood virus uses standard methods of penetration, such as e-mail spam, Trojan viruses and so on. After entering the computer, this virus encrypts all data and displays a note with requirements. Here is the full text of this note, and it is the point, where the interesting things begin:


Bin Salman of Saudi Arabia is Killing poor and innocent people of Yemen by bombing , creating famine and disease!
You as a Saudian or a Supporter of their activities, are partner of his homicide. So you have been subjected to a ransomware attack and must accept one of the following:
a) Giving up all your information
b) Pay five Bitcoins to help Yemeni people.
bitcoin address = 1ENn1BelaKXBotiGuAFE1Yrin3e3vBjUAQH
and send transaction link to: This email address is being protected from spambots. You need JavaScript enabled to view it.
c) Use Tweeter to condemn Bin Selman for his crimes and ask him to stop the war against Yemen and make 100 users to retweet.


As you can see, the repurchase amount is simply huge, and is about $13,000, which means that the average user is unlikely to pay so much even if his entire computer is stolen. In addition, scammers are clearly trying to present their actions as a charity, calling the virus in honor of the mythical hero defending the poor, and addressing the note to the citizens of Saudi Arabia and the "Supporters of their activities". Here we see an explicit reference to the actions of Mohammad bin Salman bin Abdulaziz Al Saud, the crown prince of Saudi Arabia, who initiated the armed conflicts in Yemen. Fortunately, charity in the modern world is carried out by other methods. Any indifferent member of society can create a fund in support of Yemen, providing relevant reports on the collected and spent funds, and without hacking computers of peoples who are completely uninvolved in the conflict. We tend to believe that the RobinHood virus has nothing to do with Yemen, and if you decide to pay 5 BTC for decryption - you are unlikely to get your data back and money is unlikely to go to the aid of the suffering.

Another interesting detail - scammers provide users with the appearance of choice. As you can see from the note, for deciphering you can blame the Prince of Saudi Arabia for war crimes, and if the tweet dials a hundred retweets - the data will be deciphered. Unfortunately, we are not yet able to confirm this information, but most likely, this method will not work.

How to delete RobinHood Virus

File recovery is the first task, which you worry about, when your PC is infected by RobinHood. Still, the virus should be deleted in order to shield new files. Regardless of which recovery way you will use, you still have to eliminate ransomware. The instant uninstall is needful if you prefer the manual decryption, or you are going to load the backups, and if you decide to pay the ransom - the virus should be removed after the complete file decryption. The removal can be performed with help of special antivirus program, or manually. Security and swiftness of both methods are the same, but the requirements for user experience and skill are extremely different. You have to be an experienced PC operator to perform the manual deletion with no errors. You must know what to do and how to prevent any error. Disposal via special tool doesn't need any experience of the user. You just should load the program, install it and run the scanning process. Under this paragraph, you'll find the detailed set of advices for removing of RobinHood. We accurately describe each part of removal process, to prevent any failures. But, if you don't like the manual deletion, and prefer the highest level of protection against any malware - you should try the reputable anti-viral tool. Download Spyhunter to remove RobinHood virus automatically


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.

Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files encrypted by RobinHood

In this guide we have already mentioned that the user whose machine is captured with encrypting virus has only one entirely reliable way to restore files: to upload the backups. You should try these ways if there's no another choice, but be ready that they may fail. The main advantage of backup copies is that they are kept on the separate media, and are not available for viral impact.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Other manners depend on the OS in-built services, and their efficiency may be minimized by the virus itself and the lack of skill. We can suggest you two more decryption techniques. You can use the shadow copy service, or a special program to restore the data. Decryption using the special decryptor is very efficient, but unfortunately, such a tool doesn't yet exist. News about the advancement in the creation of the program might be seen on EmsiSoft, MalwareHunterTeam and Kaspersky lab official web-pages. By-hand restore using Shadow Volume Copies might be made immediately. You can use the built-in Windows functionality, however, there are other programs that will make this task simpler. These tools are called Recuva and ShadowExplorer. Both of them are free, you might find them from the official websites, with detailed guide for their use.




Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience