Vulnerable Gigabyte driver abused to install ransomware
Posted on Monday, Feb 10 2020 @ 10:23 CET by Thomas De Maesschalck

In a report published late last night, Sophos described this new technique as follows:

1. Ransomware gang gets a foothold on a victim's network.
2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
5. Hackers install a malicious kernel driver named RBNL.SYS.
6. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
7. Hackers execute the RobbinHood ransomware and encrypt the victim's files.

The attack works on Windows 7, 8, and 10. The vulnerable Gigabyte driver has been discontinued, and no patch is available for it.
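The sequence Sophos describes (a signed but vulnerable driver loaded first, then an unsigned driver once signature enforcement is off) is something endpoint telemetry can surface. The following is an added example, not code from the article or from Sophos: it correlates Sysmon "Driver loaded" (Event ID 6) records and flags the chain. The log lines are constructed for this example; they use Sysmon's real Event ID 6 field names (ImageLoaded, Signed, SignatureStatus, Signature) but in a pipe-separated key=value layout of my own rather than Sysmon's native XML. Only the driver names GDRV.SYS and RBNL.SYS come from the article; the article gives no hashes, so matching is by file name, which is deliberately weak and should be backed by hash and vendor/version metadata in production.

```python
"""Correlate Sysmon Event ID 6 (Driver loaded) records to spot the
vulnerable-driver-then-unsigned-driver chain described in the article.

Added example; log lines below are constructed, not real telemetry.
"""
from typing import Dict, List, Tuple

# Driver names taken from the article. No hashes are given there, so this
# matches on file name only; an attacker can rename a file, so a real
# detection should also pin the known-vulnerable driver's hash and version.
VULNERABLE_DRIVERS = {"gdrv.sys"}
MALICIOUS_DRIVERS = {"rbnl.sys"}

# Constructed sample log (pipe-separated key=value, one event per line).
# EventID 6 = driver load, EventID 11 = file create (included to show that
# non-driver-load events are filtered out).
SAMPLE_LOG = """\
EventID=6|UtcTime=2020-02-09 22:00:00|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows
EventID=6|UtcTime=2020-02-09 22:10:01|ImageLoaded=C:\\Windows\\Temp\\gdrv.sys|Signed=true|SignatureStatus=Valid|Signature=Giga-Byte Technology
EventID=11|UtcTime=2020-02-09 22:10:03|TargetFilename=C:\\Windows\\Temp\\rbnl.sys
EventID=6|UtcTime=2020-02-09 22:10:05|ImageLoaded=C:\\Windows\\Temp\\rbnl.sys|Signed=false|SignatureStatus=Unsigned|Signature=
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed key=value log format into one dict per event."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        records.append(fields)
    return records


def file_name(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_driver_abuse(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (time, driver file name, reason) for every suspicious driver load.

    Three independent checks run on each driver load, in time order:
      1. a known-vulnerable driver name is loaded;
      2. a known-malicious driver name is loaded;
      3. a driver without a valid signature is loaded. With Driver Signature
         Enforcement active this should not happen, so when it follows a
         vulnerable-driver load it matches the bypass sequence in the article.
    """
    alerts: List[Tuple[str, str, str]] = []
    vulnerable_loaded = False
    loads = [r for r in records if r.get("EventID") == "6"]
    for r in sorted(loads, key=lambda r: r["UtcTime"]):
        name = file_name(r["ImageLoaded"])
        if name in VULNERABLE_DRIVERS:
            vulnerable_loaded = True
            alerts.append((r["UtcTime"], name, "known vulnerable driver loaded"))
        if name in MALICIOUS_DRIVERS:
            alerts.append((r["UtcTime"], name, "known malicious driver name loaded"))
        signed_ok = r.get("Signed", "").lower() == "true" and r.get("SignatureStatus") == "Valid"
        if not signed_ok:
            reason = "driver without valid signature loaded"
            if vulnerable_loaded:
                reason += " after a vulnerable driver (possible DSE bypass)"
            alerts.append((r["UtcTime"], name, reason))
    return alerts


if __name__ == "__main__":
    for when, driver, why in find_driver_abuse(parse_log(SAMPLE_LOG)):
        print(f"{when}  {driver:<10}  {why}")
```

Run it and the benign ndis.sys load produces nothing, the gdrv.sys load raises one alert, and the unsigned rbnl.sys load raises two (known name, and unsigned-after-vulnerable). The third check is the durable one: driver names change between campaigns, but a kernel driver loading without a valid signature on a system that should enforce signing is anomalous on its own.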