
Ransomware installs Gigabyte driver to kill antivirus products

Ransomware | BCyber | March 6, 2020



A ransomware gang is installing a vulnerable, but legitimately signed, GIGABYTE kernel driver on the computers it wants to infect. Because the driver carries a valid signature, Windows loads it; its flaw then gives the attackers kernel-level read and write access, which they use to disable the security products on the host so that their ransomware can encrypt files without being detected or stopped.

This technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos.

In both cases, the ransomware was RobbinHood [1, 2], a strain of "big-game" ransomware that is usually employed in targeted attacks against selected, high-value victims.

In a report published late last night, Sophos described this new technique as follows:

Per Sophos, this antivirus-bypassing technique works on Windows 7, Windows 8, and Windows 10.

The Gigabyte driver patching fiasco

This technique works because of the way the vulnerability in the Gigabyte driver was handled: the driver is publicly known to be exploitable, yet it still carries a valid digital signature, so Windows will still load it. That loophole is what the attackers exploit.

For this debacle, two parties are at fault: first Gigabyte, and then Verisign.

Gigabyte's fault lies in the unprofessional way it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.

The company's outright refusal to recognize the vulnerability led the researchers who found the bug to publish details about it, along with proof-of-concept code that reproduces the issue. That public proof-of-concept gave attackers a roadmap to exploiting the Gigabyte driver.

When public pressure was put on the company to fix the driver, Gigabyte chose to discontinue it rather than release a patch.

But even if Gigabyte had released a patch, attackers could simply have used an older, still vulnerable version of the driver. To close that door, the certificate used to sign the driver should have been revoked, so that the older versions could no longer be loaded either.

"Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid," Sophos researchers said, explaining why it is still possible today to load a now-deprecated and known-vulnerable driver inside Windows.

One caveat for defenders: revocation alone is a weak control for kernel drivers, because Windows' kernel-mode code-integrity check does not consult certificate revocation lists when a driver is loaded. In practice, a known-bad driver has to be blocked explicitly, by file hash or signer, through a driver blocklist or a code-integrity policy, and its installation has to be watched for in the logs.

But if we have learned anything about cyber-criminals, it is that most of them are copy-cats. Other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks that use this technique.

RobbinHood is not the only ransomware gang using tricks to disable or bypass security products. Other strains that engage in similar behavior include Snatch (which reboots PCs into Safe Mode, where most AV software does not start) and Nemty (which kills antivirus processes with the taskkill utility).
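The three behaviours described in this article (a kernel driver installed from somewhere a vendor driver has no business living, a bcdedit Safe Mode pivot, and taskkill aimed at a security process) all leave traces in standard Windows logs. The detection logic below is an added example written for this page; it is not code from the article, from Sophos, or from BCyber. The event records are constructed to mirror the fields of System log event 7045 ("A service was installed in the system") and Security log event 4688 ("A new process has been created"), and SECURITY_PROCESSES is an assumed, illustrative list of endpoint-protection process names rather than anything taken from the report.

```python
"""Detection logic for the AV-disabling behaviours described in the article.

Added example; this is not code from the article, Sophos, or BCyber. The
event records are constructed to mirror the fields of Windows System log
event 7045 ("A service was installed in the system") and Security log
event 4688 ("A new process has been created"). SECURITY_PROCESSES is an
assumed, illustrative list of endpoint-protection process names.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed list of security-product processes worth protecting (illustrative).
SECURITY_PROCESSES = {"msmpeng.exe", "sophosav.exe", "sense.exe", "csfalconservice.exe"}

# A vendor driver normally installs under \Windows\System32\drivers; a driver
# dropped into a user-writable location is the pattern to alert on.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
# Snatch-style Safe Mode pivot: bcdedit configuring the safeboot option.
SAFEBOOT_CMD = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)
# Nemty-style process kill: taskkill with /IM pointing at a security process.
TASKKILL_IMAGE = re.compile(r"(^|\\)taskkill(\.exe)?$", re.I)
IM_FLAG = re.compile(r"/im\s+\"?([^\s\"]+)", re.I)

NT_PREFIXES = ("\\??\\", "\\\\?\\")  # NT object-manager prefixes seen in ImagePath


@dataclass(frozen=True)
class Alert:
    rule: str
    index: int   # position of the offending event in the input
    detail: str


def normalize_path(path: str) -> str:
    """Strip NT path prefixes so directory matching sees a plain Win32 path."""
    for prefix in NT_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def check_driver_install(event: dict, idx: int) -> Optional[Alert]:
    """7045 with a kernel-mode service type installed from a user-writable dir."""
    if event.get("EventID") != 7045:
        return None
    if "kernel" not in event.get("ServiceType", "").lower():
        return None
    path = normalize_path(event.get("ImagePath", ""))
    if USER_WRITABLE.search(path):
        return Alert("kernel_driver_from_user_writable_path", idx, path)
    return None


def check_safeboot(event: dict, idx: int) -> Optional[Alert]:
    """4688 where bcdedit is used to set the safeboot option."""
    if event.get("EventID") != 4688:
        return None
    cmd = event.get("CommandLine", "")
    return Alert("safeboot_configured", idx, cmd) if SAFEBOOT_CMD.search(cmd) else None


def check_taskkill(event: dict, idx: int) -> Optional[Alert]:
    """4688 where taskkill targets a known security-product process."""
    if event.get("EventID") != 4688:
        return None
    if not TASKKILL_IMAGE.search(event.get("NewProcessName", "")):
        return None
    match = IM_FLAG.search(event.get("CommandLine", ""))
    if match and match.group(1).lower() in SECURITY_PROCESSES:
        return Alert("taskkill_security_process", idx, match.group(1))
    return None


CHECKS = (check_driver_install, check_safeboot, check_taskkill)


def scan(events: Iterable[dict]) -> list:
    """Run every check over every event; return alerts in input order."""
    alerts = []
    for idx, event in enumerate(events):
        for check in CHECKS:
            alert = check(event, idx)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "drv", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Windows\\Temp\\drv.sys"},                       # flagged
    {"EventID": 7045, "ServiceName": "vendorbus", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\vendorbus.sys"},          # normal
    {"EventID": 7045, "ServiceName": "updater", "ServiceType": "user mode service",
     "ImagePath": "C:\\Users\\alice\\AppData\\Local\\updater.exe"},          # out of scope
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot minimal"},               # flagged
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill /f /im MsMpEng.exe"},                           # flagged
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe"},                              # normal
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] event #{alert.index}: {alert.detail}")
```

Two caveats on the driver rule. Event 7045 is only written when the service is registered through the Service Control Manager; a driver loaded by writing the service registry key by hand and calling NtLoadDriver produces no 7045, so pair this with Sysmon event 6 (driver loaded), which records the image and its signer, where that telemetry is available. And a path check only catches sloppy tradecraft; an attacker who copies the signed driver into System32\drivers will pass it, which is why the durable control is a block on the known-vulnerable driver's hash or signer rather than a path heuristic.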

This content was originally published here.

