A ransomware gang is installing a vulnerable GIGABYTE driver on the computers it wants to infect. The driver gives the attackers a way to disable security products so that their ransomware executable can encrypt files without being detected or stopped.
This novel technique has been seen in two ransomware incidents so far, according to Sophos.
In both cases, the ransomware was RobbinHood, a “big game” ransomware strain used in targeted attacks against selected high-value victims.
In a published report, Sophos describes the technique as follows:
- The attackers install the legitimate Gigabyte kernel driver GDRV.SYS.
- The attackers exploit a vulnerability in this driver to gain kernel access.
- The attackers use that kernel access to temporarily disable Windows driver signature enforcement.
- The attackers install a malicious kernel driver called RBNL.SYS.
- The attackers use this driver to disable or stop antivirus and other security products running on the infected host.
- The attackers then execute the RobbinHood ransomware, which encrypts the victim’s files.
Sophos reports that this antivirus bypass technique works on Windows 7, Windows 8 and Windows 10.
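Defenders can look for the footprint of this chain in driver-load telemetry. The following Python script is an added example, not code from the Sophos report or the original article: it runs a simple detection over constructed Sysmon-style DriverLoad records, flagging a load of the known-vulnerable GDRV.SYS, the RBNL.SYS name, and any unsigned driver loaded shortly after the vulnerable one, which is the visible effect of signature enforcement having been switched off. The record layout, the ten-minute window and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Driver names come from the Sophos description of the RobbinHood chain.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
KNOWN_MALICIOUS_DRIVERS = {"rbnl.sys"}
# Assumption: how long after a vulnerable-driver load unsigned loads stay suspicious.
WINDOW = timedelta(minutes=10)

# Simplified, constructed DriverLoad record layout (modelled on Sysmon Event ID 6).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=6 ImageLoaded=(?P<path>\S+) Signed=(?P<signed>true|false)$"
)

# Constructed sample telemetry, not real logs from an incident.
SAMPLE_LOG = """\
2020-02-07T10:00:01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true
2020-02-07T10:02:15 EventID=6 ImageLoaded=C:\\Windows\\Temp\\GDRV.SYS Signed=true
2020-02-07T10:02:16 EventID=6 ImageLoaded=C:\\Windows\\Temp\\RBNL.SYS Signed=false
"""


def parse(line):
    """Parse one record into (timestamp, image path, signed flag) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["path"], m["signed"] == "true"


def detect(log_text):
    """Return a list of (timestamp, driver name, reason) alerts for the log."""
    alerts = []
    last_vuln_load = None  # time of the most recent known-vulnerable driver load
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, path, signed = rec
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_VULNERABLE_DRIVERS:
            last_vuln_load = ts
            alerts.append((ts, name, "known vulnerable signed driver loaded (BYOVD)"))
        if name in KNOWN_MALICIOUS_DRIVERS:
            alerts.append((ts, name, "known malicious driver name"))
        # An unsigned driver loading shortly after the vulnerable one is the
        # footprint of driver signature enforcement having been switched off.
        if not signed and last_vuln_load is not None and ts - last_vuln_load <= WINDOW:
            alerts.append((ts, name, "unsigned driver loaded after vulnerable driver; DSE likely disabled"))
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed records yields three alerts: the GDRV.SYS load, the RBNL.SYS name match, and the unsigned load one second after the vulnerable driver.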
The technique works because of how the vulnerability in the Gigabyte driver was handled, leaving a gap that attackers can exploit.
Two parties share responsibility for this situation: first Gigabyte, then Verisign.
Gigabyte’s fault lies in the unprofessional way it handled the vulnerability report for the affected driver. Instead of acknowledging the problem and releasing a patch, Gigabyte claimed that its products were unaffected.
The company’s outright refusal to acknowledge the vulnerability led the researchers who found the flaw to publish its details, along with proof-of-concept code that reproduces it. The published code gave attackers a roadmap for exploiting the Gigabyte driver.
When public pressure was put on the company to fix the driver, Gigabyte opted to discontinue the driver rather than release a patch.
But even if Gigabyte had released a patch, the attackers could simply use an older, vulnerable version of the driver. For that reason, the driver’s signing certificate should have been revoked, so that earlier versions of the driver could no longer load.
“Verisign, whose code-signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid,” Sophos researchers said, explaining why a discontinued, known-vulnerable driver can still be loaded on Windows today.
But if there is one thing to learn about cybercriminals, it is that most of them copy successful techniques, so other ransomware gangs are expected to add this trick to their arsenals, leading to more attacks.