Vulnerable Gigabyte driver abused to install ransomware

Posted on Monday, Feb 10 2020 @ 10:23 CET by Thomas De Maesschalck
Security firm Sophos discovered that cybercriminals are abusing a vulnerability in a Gigabyte driver to infect users with ransomware. The Gigabyte GDRV.SYS kernel driver is no longer in use but still carries a valid digital certificate from Verisign, so Windows will load it. This lets the attackers gain kernel access and bypass anti-virus software. The technique is used to install RobbinHood, a strain of ransomware typically deployed in attacks aimed at high-value targets.
In a report published late last night, Sophos described this new technique as follows:

  • Ransomware gang gets a foothold on a victim's network.
  • Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
  • Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
  • Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
  • Hackers install a malicious kernel driver named RBNL.SYS.
  • Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
  • Hackers execute the RobbinHood ransomware and encrypt the victim's files.
  • The attack works on Windows 7, 8, and 10. The vulnerable Gigabyte driver was discontinued and has no patch.
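The driver-load sequence above is visible to a defender as a pair of kernel driver loads. The following detector is an added example, not code from the article or from Sophos: it walks Sysmon-style DriverLoad events and flags a load of the discontinued GDRV.SYS, a load of RBNL.SYS, and any driver without a valid signature that loads shortly after a known-vulnerable signed driver. The log format, field names, the 30-minute window and the sample lines are assumptions constructed for the demo.

```python
"""Flag the BYOVD pattern described in the article in constructed
Sysmon-style DriverLoad events (assumed format, not Sysmon's exact one)."""
from datetime import datetime, timedelta

# Driver names the article reports in the RobbinHood attack chain.
KNOWN_VULNERABLE = {"gdrv.sys"}   # legitimately signed but exploitable
KNOWN_MALICIOUS = {"rbnl.sys"}    # malicious driver loaded afterwards
WINDOW = timedelta(minutes=30)    # assumption: max gap between the two loads

# Constructed sample log: one benign load, then the two-stage pattern.
LOG = """\
UtcTime=2020-02-09 22:01:10|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Signed=true|SignatureStatus=Valid
UtcTime=2020-02-09 22:05:42|ImageLoaded=C:\\Windows\\Temp\\gdrv.sys|Signed=true|SignatureStatus=Valid
UtcTime=2020-02-09 22:06:03|ImageLoaded=C:\\Windows\\Temp\\rbnl.sys|Signed=false|SignatureStatus=Unavailable
""".splitlines()


def parse_event(line):
    """Parse 'Key=Value|Key=Value' into a dict; add a lowercase file name."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    ev["name"] = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    return ev


def detect_byovd(lines):
    """Return (severity, message) alerts, in time order, for:
    - any load of a known vulnerable signed driver (medium),
    - any load of a driver name tied to the RobbinHood chain (high),
    - a driver without a valid signature loaded within WINDOW after a
      vulnerable driver, i.e. the signature-enforcement bypass (high)."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["UtcTime"])
    alerts, last_vuln = [], None   # last_vuln: time of latest vulnerable load
    for ev in events:
        if ev["name"] in KNOWN_VULNERABLE:
            last_vuln = ev["UtcTime"]
            alerts.append(("medium", f"discontinued vulnerable driver loaded: {ev['ImageLoaded']}"))
            continue
        if ev["name"] in KNOWN_MALICIOUS:
            alerts.append(("high", f"known RobbinHood driver loaded: {ev['ImageLoaded']}"))
        if ev["SignatureStatus"] != "Valid" and last_vuln is not None \
                and ev["UtcTime"] - last_vuln <= WINDOW:
            gap = int((ev["UtcTime"] - last_vuln).total_seconds())
            alerts.append(("high", f"unsigned driver {ev['name']} loaded {gap}s "
                                   "after vulnerable driver (signature enforcement bypass pattern)"))
    return alerts


if __name__ == "__main__":
    for severity, msg in detect_byovd(LOG):
        print(f"[{severity}] {msg}")
```

In a real deployment the same logic maps onto Sysmon Event ID 6 or the equivalent EDR telemetry, and the vulnerable-driver list should be fed from a maintained block list rather than one hard-coded name.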
