Experts from the British company Sophos have described an interesting tactic used by RobbinHood ransomware operators: to disable security solutions, RobbinHood installs vulnerable Gigabyte drivers on target machines.
According to experts, such attacks work against Windows 7, Windows 8 and Windows 10.
“The criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos specialists report.
In their report, the researchers describe the ransomware’s tactics as follows:
- Hackers infiltrate the victim company’s network;
- Install the legitimate Gigabyte GDRV.SYS kernel driver;
- Exploit vulnerabilities in this driver to gain access to the kernel;
- Use that kernel access to temporarily disable Windows’ enforcement of driver signatures;
- Install the malicious RBNL.SYS kernel driver, which is used to disable or stop anti-virus and other protective products running on the infected host;
- RobbinHood ransomware launches and encrypts the victim’s files.
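The sequence above (a signed but known-vulnerable driver loading, then an unsigned driver loading once signature enforcement is off) is visible in driver-load telemetry. As an added example, not from the Sophos report, this Python scans constructed Sysmon Event ID 6 (DriverLoad) records for that pattern; the vulnerable-driver list, the 30-minute window, the signer strings and the sample records are assumptions.

```python
"""Detection idea for the chain above: a signed but known-vulnerable driver
(gdrv.sys) loads, and shortly afterwards an unsigned driver loads, which can
only happen once Driver Signature Enforcement has been tampered with."""
from datetime import datetime, timedelta

# Driver named on the page; the list and the 30-minute window are assumptions.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
WINDOW = timedelta(minutes=30)

def parse_event(line):
    """Parse one constructed single-line rendering of a Sysmon Event ID 6
    (DriverLoad) record using its real field names: UtcTime, ImageLoaded,
    Signed and Signature, separated here by ' | '."""
    fields = {}
    for token in line.split(" | "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    fields["Signed"] = fields["Signed"].lower() == "true"
    fields["basename"] = fields["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    return fields

def find_byovd_chains(lines):
    """Return (vulnerable_driver, unsigned_driver) name pairs for every
    unsigned driver load that follows a known-vulnerable load within WINDOW."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["UtcTime"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["basename"] not in KNOWN_VULNERABLE_DRIVERS:
            continue
        for later in events[i + 1:]:
            if later["UtcTime"] - ev["UtcTime"] > WINDOW:
                break  # events are sorted, so nothing later is in the window
            if not later["Signed"]:
                alerts.append((ev["basename"], later["basename"]))
    return alerts

# Constructed sample telemetry (signer strings are made up): a normal Microsoft
# driver, the vulnerable Gigabyte driver dropped from a user-writable path,
# then the unsigned second driver, then an unrelated load hours later.
SAMPLE_LOG = [
    r"UtcTime=2020-02-06 10:00:00 | ImageLoaded=C:\Windows\System32\drivers\tcpip.sys | Signed=true | Signature=Microsoft Windows",
    r"UtcTime=2020-02-06 10:05:12 | ImageLoaded=C:\Users\Public\gdrv.sys | Signed=true | Signature=Giga-Byte Technology",
    r"UtcTime=2020-02-06 10:05:40 | ImageLoaded=C:\Users\Public\rbnl.sys | Signed=false | Signature=-",
    r"UtcTime=2020-02-06 12:30:00 | ImageLoaded=C:\Windows\System32\drivers\http.sys | Signed=true | Signature=Microsoft Windows",
]

if __name__ == "__main__":
    print(find_byovd_chains(SAMPLE_LOG))  # [('gdrv.sys', 'rbnl.sys')]
```

In a real deployment the same logic runs over the Sysmon operational log, and the vulnerable-driver list should be keyed on file hashes rather than names, since the dropped file can be renamed.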
The researchers attribute the success of this tactic to failures by Gigabyte and Verisign. Having learned about the bug, the Gigabyte developers refused to acknowledge the problem and stated that their products were not vulnerable.
“The vulnerability, published along with proof-of-concept code in 2018 and widely reported at the time, was disclaimed by the company, who told the researcher who tried to report the bug that ‘its products are not affected by the reported vulnerabilities’. The company later recanted, and has discontinued using the vulnerable driver, but it still exists, and it apparently remains a threat,” Sophos researchers report.
As a result, the researchers who discovered the bug published technical details about the problem along with a PoC exploit. Nevertheless, even after that, Gigabyte engineers preferred not to fix the vulnerability with a patch, and instead stopped supporting and developing the problematic driver.
In addition, Verisign, whose code-signing infrastructure was used to digitally sign the driver, did not revoke the certificate, so the Authenticode signature is still valid. Because of this, it is still possible to load the outdated and obviously vulnerable driver on Windows.
As you can see, malware is becoming more inventive: it was only recently reported that Ryuk ransomware uses Wake-on-LAN to wake devices before an attack. Be vigilant.
Sophos researchers recommend the following to prevent this type of attack:
Adopt a three-pronged approach to minimize your risk of falling victim to an attack.
1. Threat protection that disrupts the whole attack chain.
Today’s ransomware attacks use multiple techniques and tactics, so focusing your defense on a single technology leaves you very vulnerable.
Instead, deploy a range of technologies to disrupt as many stages in the attack as possible. And integrate the public cloud into your security strategy.
2. Strong security practices.
- Use multi-factor authentication (MFA)
- Use complex passwords, managed through a password manager
- Limit access rights; give user accounts and admins only the access rights they need
- Make regular backups, and keep them offsite and offline where attackers can’t find them
- Lock down your RDP; turn it off if you don’t need it, use rate limiting, 2FA or a VPN if you do
- Ensure tamper protection is enabled – other ransomware strains attempt to disable your endpoint protection, and tamper protection is designed to prevent this from happening
3. Ongoing staff education.
People are invariably the weakest link in cybersecurity, and cybercriminals are experts at exploiting normal human behaviors for nefarious gain. Invest – and keep investing – in staff training.