Skip to main content

Gigabyte Driver Used to Disable Antivirus Software in RobbinHood Ransomware Scheme

(Image credit: Shutterstock)

According to research by Sophos, a leading software security firm, a ransomware called "RobbinHood" has been making use of legitimate, but vulnerable, Gigabyte drivers to infect computer systems and take them over. 

The attack works on Windows 7 and newer operating systems (OSes). Gigabyte had previously dismissed the claims that its driver was vulnerable to the flaw that the ransomware group is now exploiting, according to Sophos.

Gigabyte shares part of the blame for initially dismissing the vulnerability in 2018, when security researchers first reported it to the company. The public eventually put enough pressure on Gigabyte that it acknowledged the flaw. 

However, instead of releasing a patch to fix the vulnerability for its older motherboards, the company discontinued support for that driver. This poor judgement on Gigatebyte’s part has now allowed attackers to weaponize its unpatched driver. 

Another party responsible, Sophos said, is Verisign. Two years after Gigabyte discontinued its driver, it's still “trusted” by the Windows OS and many antivirus programs by default due to Verisign  failing to revoke its signing certificate. This has allowed attackers to take advantage of the trusted driver to install another unsigned driver on the victims' machines. 

After, the attackers would use this new driver first patch the Windows kernel in-memory and kill antivirus programs and other endpoint security solutions that would prevent the ransomware from taking over the machine.

One-of-a-Kind Ransomware

Sophos researchers said that even though they’ve seen other ransomware try to kill antivirus programs before, they’ve never seen one where the ransomware uses a trusted third-party driver to achieve that. 

Most security solutions have some kind of “trusted programs” list enabled by default on all installations. This is a compromise security companies have made in order to end a large amount of false positives and avoid having too many users block programs because they didn’t understand what the antivirus was asking them to do.

However, chances are that as other avenues to exploit the Windows OS close, malware makers will start to explore additional ways to use that trusted programs list in their favor. If they can trick antivirus programs to believe that their malware is one of the trusted programs in that list, then they later can get almost free reign on a user’s machine.Mitigation Against This Attack

Mitigation

As the RobbinHood ransomware has shown us, even if your OS is fully patched, a hacker can still leverage other techniques to bring vulnerabilities to your computer. 

Sophos recommends not relying on a single program to keep you safe, while also adopting other security best practice,  such as using OS accounts with limited access rights by default, making regular backups, using multi-factor authentication. 

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.