2020-02-07

A ransomware gang installs a vulnerable GIGABYTE driver on the computers it wants to infect. The purpose of the driver is to let the attackers disable security products, so that their ransomware can encrypt files without being detected or stopped.

This new technique has so far been observed in two ransomware incidents, according to the British cyber security company Sophos.

In both cases the ransomware involved was RobbinHood (1, 2), a type of “big-game” ransomware that is usually used in targeted attacks on selected, high-value victims.

In a report that was published late last night, Sophos described this new technique as follows:

1. The ransomware gang gains a foothold in a victim’s network.
2. The hackers install the legitimate Gigabyte kernel driver GDRV.SYS.
3. The hackers exploit a vulnerability in this legitimate driver to gain kernel access.
4. The attackers use that kernel access to temporarily disable Windows driver signature enforcement.
5. The hackers install a malicious kernel driver named RBNL.SYS.
6. The attackers use this driver to disable or stop antivirus and other security products on the infected host.
7. The hackers run the RobbinHood ransomware and encrypt the victim’s files.

According to Sophos, this antivirus bypass technique works on Windows 7, Windows 8 and Windows 10.
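The load sequence above is what a defender can look for in driver-load telemetry. The following is an added detection sketch, not code from Sophos or from this article: the records are constructed to resemble Sysmon Event ID 6 (DriverLoad) fields, the driver names come from the article, and the hosts, times and paths are invented sample data.

```python
from datetime import datetime, timedelta

# Driver file names taken from the article (a hypothetical watchlist, not a vendor feed).
KNOWN_VULNERABLE = {"gdrv.sys"}   # legitimate but exploitable Gigabyte driver
KNOWN_MALICIOUS = {"rbnl.sys"}    # the RobbinHood kill-AV driver
WINDOW = timedelta(minutes=10)    # how close the two loads must be to correlate

# Constructed sample records shaped like Sysmon Event ID 6 (DriverLoad) fields.
SAMPLE = [
    {"host": "ws01", "time": "2020-02-06T22:01:10",
     "image": r"C:\Windows\Temp\gdrv.sys", "signed": "true", "status": "Valid"},
    {"host": "ws01", "time": "2020-02-06T22:01:45",
     "image": r"C:\Windows\Temp\rbnl.sys", "signed": "false", "status": "Unavailable"},
    {"host": "ws02", "time": "2020-02-06T22:05:00",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": "true", "status": "Valid"},
]


def driver_name(image_path):
    """Lower-cased file name of a driver image, tolerating either slash style."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(records):
    """Return (host, severity, reason) findings for the vulnerable-driver pattern.

    A load of a known-vulnerable driver is medium on its own; an unsigned or
    invalidly signed driver loaded on the same host within WINDOW afterwards is
    high, because that is exactly what temporarily disabled signature
    enforcement makes possible.
    """
    findings = []
    last_vulnerable = {}  # host -> time of most recent known-vulnerable load
    for rec in sorted(records, key=lambda r: r["time"]):
        host, name = rec["host"], driver_name(rec["image"])
        when = datetime.fromisoformat(rec["time"])
        if name in KNOWN_VULNERABLE:
            last_vulnerable[host] = when
            findings.append((host, "medium", f"known-vulnerable driver loaded: {name}"))
        if name in KNOWN_MALICIOUS:
            findings.append((host, "high", f"known RobbinHood driver loaded: {name}"))
        if rec["signed"].lower() != "true" or rec["status"] != "Valid":
            recent = host in last_vulnerable and when - last_vulnerable[host] <= WINDOW
            severity = "high" if recent else "medium"
            suffix = " shortly after a known-vulnerable driver" if recent else ""
            findings.append((host, severity, f"unsigned driver loaded: {name}{suffix}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(*finding, sep="\t")
```

Name matching alone is weak, since the driver can be renamed; the stronger signal is the correlation of a vulnerable signed driver with an unsigned driver load on a host where signature enforcement should be on.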

The Gigabyte driver patching fiasco

This technique works because of the way the vulnerability in the Gigabyte driver was handled, which left behind a loophole that hackers can use.

Two parties are to blame for this debacle: first Gigabyte and then Verisign.

Gigabyte’s error lies in the unprofessional way it handled the vulnerability report for the affected driver. Instead of acknowledging the problem and releasing a patch, Gigabyte claimed that its products were not affected.

The company’s refusal to acknowledge the vulnerability led the researchers who found the bug to publicly disclose its details, along with proof-of-concept code that reproduces the vulnerability. That public proof-of-concept gave attackers a roadmap for exploiting the Gigabyte driver.

When public pressure was put on the company to repair the driver, Gigabyte chose to discontinue the driver instead of releasing a patch.

But even if Gigabyte had released a patch, attackers could simply have used an older, still vulnerable version of the driver. This is where the driver’s code-signing certificate should have been revoked, so that the older versions of the driver could no longer be loaded.

“Verisign, whose code signing mechanism was used to digitally sign the driver, did not revoke the signature certificate, so the Authenticode signature remains valid,” said Sophos researchers, explaining why it is still possible today to load this obsolete and known-vulnerable driver on Windows.

But if we have learned anything about cyber criminals, it is that most of them are copycats, and other ransomware gangs are expected to add this trick to their arsenals, leading to more attacks that use this technique.

RobbinHood is not the only ransomware gang that uses tricks to disable or bypass security products. Other families that exhibit similar behavior include Snatch (which reboots PCs into Safe Mode to prevent AV software from starting) and Nemty (which kills antivirus processes with the Taskkill utility).