Experts from the British company Sophos have described an interesting tactic used by RobbinHood ransomware operators. To disable security solutions, the malware installs a vulnerable Gigabyte driver on the target machines. According to the researchers, the attack works against Windows 7, Windows 8 and Windows 10.
In their report, the researchers describe the ransomware's tactics as follows:
- the attackers infiltrate the victim company's network;
- they install the legitimate Gigabyte GDRV.SYS kernel driver;
- they exploit vulnerabilities in this driver to gain access to the kernel;
- that kernel access is used to temporarily disable driver signature enforcement in Windows;
- the malicious RBNL.SYS kernel driver is installed and used to disable or stop anti-virus and other protective products running on the infected host;
- the RobbinHood ransomware launches and encrypts the victim's files.
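The chain above leaves two observable traces on the host: a signed but known-vulnerable driver is loaded, and shortly afterwards a driver with no valid signature is loaded, which is only possible once signature enforcement has been switched off. The following script is an added example, not code from Sophos' report or from the ransomware, showing how a defender can flag both events and correlate them in Sysmon Event ID 6 (DriverLoad) records. The records, the blocklist (only the GDRV.SYS name comes from the article) and the signer strings are constructed for this example.

```python
"""Flag the vulnerable-driver abuse chain in Sysmon DriverLoad (Event ID 6) records.

Added example for this article; not Sophos' or RobbinHood's code.
Two signals are checked:
  1. the loaded driver's file name is on a blocklist of known-vulnerable
     signed drivers (GDRV.SYS is the name given in the article; the rest of
     the list is left to the operator);
  2. the driver loaded without a valid signature, which is what the temporary
     disabling of driver signature enforcement makes possible.
A blocklisted load followed by an unsigned load is reported as the full chain.
"""
import re
from dataclasses import dataclass

# Placeholder blocklist: only GDRV.SYS is taken from the article.
VULNERABLE_DRIVER_NAMES = {"gdrv.sys"}

# Constructed Sysmon Event ID 6 records, flattened to key=value pairs joined by "|".
# Field names (ImageLoaded, Signed, Signature, SignatureStatus) are Sysmon's; the
# paths and signer names are made up for the example.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Signed=true"
    "|Signature=Microsoft Windows|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\GDRV.SYS|Signed=true"
    "|Signature=ExampleVendorSigner|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\RBNL.SYS|Signed=false"
    "|Signature=-|SignatureStatus=Unavailable",
    "EventID=1|Image=C:\\Windows\\explorer.exe",
]


@dataclass(frozen=True)
class Finding:
    driver: str
    reason: str


def parse_event(line: str) -> dict:
    """Split a flattened record into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def driver_name(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(events) -> list:
    """Return one Finding per suspicious DriverLoad record, in log order."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver loads are of interest here
        path = ev.get("ImageLoaded", "")
        if driver_name(path) in VULNERABLE_DRIVER_NAMES:
            findings.append(Finding(path, "known-vulnerable driver on blocklist"))
        signed = ev.get("Signed", "").lower() == "true"
        if not signed or ev.get("SignatureStatus") != "Valid":
            findings.append(Finding(path, "driver loaded without a valid signature"))
    return findings


def chain_detected(events) -> bool:
    """True when an unsigned driver load follows a blocklisted driver load."""
    seen_vulnerable = False
    for finding in analyze(events):
        if finding.reason == "known-vulnerable driver on blocklist":
            seen_vulnerable = True
        elif seen_vulnerable:
            return True
    return False


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.driver}")
    print("full chain detected:", chain_detected(SAMPLE_EVENTS))
```

In a real deployment the blocklist would be fed from a maintained list of vulnerable driver hashes rather than file names, since the attacker controls the name under which the driver is dropped; the signature check, however, does not depend on the name and is the more robust of the two signals.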
The researchers argue that Gigabyte and Verisign share the blame for the fact that this tactic works at all. When informed of the bug, Gigabyte's developers refused to acknowledge the problem and stated that their products were not vulnerable. As a result, the experts who discovered the bug published technical details of the problem along with a proof-of-concept exploit. Even after that, Gigabyte's engineers chose not to fix the vulnerability with a patch but instead to stop supporting and developing the affected driver altogether.
In addition, Verisign, whose code-signing infrastructure was used to sign the driver, did not revoke the certificate, so the Authenticode signature is still valid. Because of this, the outdated and known-vulnerable driver can still be loaded on Windows.