New Ransomware Attacks Install Malicious Gigabyte Drivers To Disable Antivirus

Another wave of ransomware attacks are targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs malicious Gigabyte drivers on target devices to evade defense mechanisms.

Ransomware Campaign Uses Malicious Gigabyte Drivers

Researchers from the Sophos Labs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing malicious Gigabyte drivers on target systems.

The researchers investigated two different ransomware incidents involving Robinhood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program.

Digging further revealed that the attackers have exploited a known vulnerability CVE-2018-19320 in the Gigabyte drivers. While the vendors have withdrawn the vulnerable drivers, the drivers still exist. Moreover, the drivers still bear digital signatures from Verisign who have not revoked the certificates. Thus, the attackers continue to exploit the drivers for waging ransomware attacks on high-profile targets.

As stated by the researchers,

In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.

The malware places numerous files to the ‘temp’ folder of the target system, which then further execute malicious activities. The table below gives a quick glimpse of these files.

Source: Sophos

More details about the attack scenario are available in the researchers’ post.

Possible Mitigations

Earlier, having a robust antimalware solution was considered sufficient for protecting against a malware/ransomware attack. However, now, when more and more ransomware are adopting different tactics to evade security checks, an antivirus no more remains a dependable solution. The same applies to Robinhood ransomware attacks as well.

Therefore, Sophos recommends employing multiple measures to ensure security. These include the use of multi-factor authentication, having complex passwords, restricting access of users to critical systems/networks, maintaining up-to-date backups, and limiting RDP.

Users must also ensure activating the Tamper Protection feature of their respective security solution to prevent any malware from disabling the endpoint security.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients