Cunning RobbinHood Ransomware Employs Gigabyte Hardware Driver To Hold Data Hostage


Security researchers at Sophos have been investigating a pair of ransomware attacks in which the attackers used a legitimate, digitally signed hardware driver to delete security products from targeted computers. Once the security products were removed from the target machines, the destructive file-encryption portion of the attack was launched. The signed driver that was used is part of a deprecated software package from Gigabyte, a motherboard and computer hardware manufacturer.

The software had a known vulnerability tracked as CVE-2018-19320. The vulnerability, along with proof-of-concept code, was published in 2018. At the time, Gigabyte denied that the vulnerability affected its products. Later it acknowledged the vulnerability and stopped using the software, but vulnerable computers are still out there, and the RobbinHood ransomware targets them.

The driver exploited in the attack was signed using a Verisign certificate. The certificate has not been revoked, meaning the Authenticode signature is still valid. The attackers used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. That second driver kills processes and files that belong to security products and bypasses tamper protection, which allows the ransomware to run without interference from security software.
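As an added example (not from Sophos or the article), the following Python check looks for the sequence described above in driver-load telemetry: a signed driver load followed within a short window by an unsigned driver load on the same host. The record shape is simplified from Sysmon DriverLoad (Event ID 6) events, and the host names, paths, and timestamps are constructed for illustration.

```python
"""Flag a signed driver load that is shortly followed by an unsigned driver
load on the same host, the loading pattern described in the article.
Records are simplified Sysmon DriverLoad (Event ID 6) events as dicts."""
from datetime import datetime, timedelta

# Constructed sample events; paths, hosts and times are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2020-02-10 09:00:00", "signed": True,
     "image": r"C:\Windows\System32\drivers\vendor_tool.sys"},
    {"host": "ws01", "time": "2020-02-10 09:00:42", "signed": False,
     "image": r"C:\Windows\Temp\unknown.sys"},
    {"host": "ws02", "time": "2020-02-10 09:05:00", "signed": True,
     "image": r"C:\Windows\System32\drivers\vendor_tool.sys"},
    {"host": "ws02", "time": "2020-02-10 10:30:00", "signed": False,
     "image": r"C:\Windows\Temp\unknown.sys"},
]


def find_signed_then_unsigned(events, window=timedelta(minutes=5)):
    """Return (host, signed_image, unsigned_image) tuples for every unsigned
    driver load that occurs within `window` after a signed driver load on
    the same host. Any unsigned kernel driver load is worth alerting on by
    itself; this narrows to the wedge-then-payload sequence."""
    parsed = sorted(
        ({**e, "ts": datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")}
         for e in events),
        key=lambda e: (e["host"], e["ts"]),
    )
    hits = []
    last_signed = {}  # host -> most recent signed driver-load event
    for e in parsed:
        if e["signed"]:
            last_signed[e["host"]] = e
            continue
        prior = last_signed.get(e["host"])
        if prior is not None and e["ts"] - prior["ts"] <= window:
            hits.append((e["host"], prior["image"], e["image"]))
    return hits


if __name__ == "__main__":
    for host, wedge, payload in find_signed_then_unsigned(SAMPLE_EVENTS):
        print(f"{host}: signed {wedge} then unsigned {payload}")
```

On the sample data only ws01 is flagged; the ws02 loads are 85 minutes apart and fall outside the five-minute window.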

Sophos says this is the first time it has observed ransomware shipping a trusted, signed but vulnerable driver and then loading an unsigned malicious driver for its attack. Ransomware side-stepping security software is not new, however. Sophos has published a deep dive into the malware, which can be seen here, and says it is doing so to allow defenders to anticipate the attack and put defenses in place.

To prevent the attack from happening, Sophos suggests several mitigation techniques. It says administrators should deploy a range of technologies to disrupt as many stages of the attack as possible. Users should follow strong security practices such as MFA, complex passwords, limited access rights, and regular backups, among other things. Admins also need to educate staff; Sophos points out that people are the weakest link in cybersecurity.

As costly as cyberattacks are for businesses that lose data and productivity, there is a much more sinister side to ransomware attacks. Late in 2019, researchers linked a rise in fatal heart attacks to hospital ransomware attacks. The increase in deaths was related to the extra wait time for treatment after a ransomware attack.