[Heads-up] New Ransomware Strain Hijacks A Vulnerable Windows Driver To Turn Off Your Antivirus And Infect The Network

Security company Sophos warns of a new ransomware strain that uses a vulnerable driver in an attempt to break into a Windows system and then disable the running security software.

The attack is based on a security flaw found in 2018 in a driver from Taiwan-based motherboard manufacturer Gigabyte and detailed in CVE-2018-19320. The driver, which Gigabyte has since abandoned after acknowledging the bug, lets malicious actors exploit the vulnerability to gain access to a device and deploy a second driver whose purpose is to kill off antivirus products.

“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos explains.

“This is the first time we have observed ransomware shipping a Microsoft co-signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space.”

Malicious driver

The ransomware used is called RobbinHood and requires victims to pay to unlock their files. If they don’t pay, the ransom note reads, the price increases by $10,000 every day.

The executable file used to exploit the Gigabyte gdrv.sys driver is called Steel.exe. It extracts a file named ROBNR.EXE into the Windows temp folder, which in turn extracts two different drivers: the vulnerable one developed by Gigabyte, and a second one used for disabling the antivirus software on the compromised device. Once the vulnerability is exploited, Windows driver signature enforcement is disabled, allowing the malicious driver to be loaded.
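The chain above leaves a recognisable trace in driver-load telemetry: a signed but known-vulnerable driver loaded from a user-writable directory, followed shortly by a driver that signature enforcement should have refused. The following added example (not from the article, Sophos or KnowBe4) runs that detection logic over constructed events shaped like Sysmon Event ID 6 (DriverLoad) fields; the timestamps, paths and the unsigned driver's file name are made up, only gdrv.sys comes from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events using Sysmon Event ID 6 (DriverLoad) field names.
# Paths, times and the unsigned driver name are made up for this demo;
# gdrv.sys is the Gigabyte driver (CVE-2018-19320) named in the article.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-02-07 10:00:01", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:03:12", "ImageLoaded": r"C:\Windows\Temp\gdrv.sys",
     "Signed": "true", "Signature": "Giga-Byte Technology Co., Ltd.", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:03:15", "ImageLoaded": r"C:\Windows\Temp\placeholder_unsigned.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

VULNERABLE_DRIVERS = {"gdrv.sys"}  # known-vulnerable, abandoned driver per the article
USER_WRITABLE = re.compile(r"\\(temp|users|programdata)\\", re.IGNORECASE)
CHAIN_WINDOW = timedelta(minutes=10)  # assumed correlation window


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return (severity, message) findings for a list of driver-load events."""
    findings = []
    last_vuln_load = None
    for ev in sorted(events, key=lambda e: _parse(e["UtcTime"])):
        path = ev["ImageLoaded"]
        name = path.rsplit("\\", 1)[-1].lower()
        when = _parse(ev["UtcTime"])
        # Rule 1: any load of a known-vulnerable driver; loading it from a
        # user-writable directory is the bring-your-own-driver pattern.
        if name in VULNERABLE_DRIVERS:
            sev = "high" if USER_WRITABLE.search(path) else "medium"
            findings.append((sev, f"known-vulnerable driver loaded: {path}"))
            last_vuln_load = when
        # Rule 2: an unsigned or unverifiable driver got loaded, which signature
        # enforcement should have blocked, so enforcement was likely tampered with.
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append(("high", f"unsigned or unverifiable driver loaded: {path}"))
            # Rule 3: correlate with a recent vulnerable-driver load.
            if last_vuln_load is not None and when - last_vuln_load <= CHAIN_WINDOW:
                gap = int((when - last_vuln_load).total_seconds())
                findings.append(("critical", f"{name} loaded {gap}s after a vulnerable driver; "
                                             "likely signature-enforcement bypass chain"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```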

Sophos says that only the usual best practices against ransomware help you block this attack, since even fully patched computers with no known vulnerabilities can be compromised this way.

Source: Softpedia

Ransomware Has Gone Nuclear, How Can You Avoid Becoming The Next Victim?

There is a reason more than half of today’s ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization’s potential damage and their payoff.

After achieving root access, the bad guys explore your network, reading email and finding data troves, and once they know you, they craft a plan to cause the most panic, pain, and operational disruption. Ransomware has gone nuclear.

Join us for this webinar, where Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, dives into:

  • Why data backups (even offline backups) won’t save you
  • Evolved threats from data-theft, credential leaks, and corporate impersonation
  • Why ransomware isn’t your real problem
  • How your end users can become your best, last line of defense
