Published 18 Feb 2020

Cybersecurity company Sophos has reported investigating two separate ransomware incidents where the threat actors managed to delete security software by taking advantage of a vulnerability in a digitally signed, legitimate driver.

At the heart of this new approach is a discontinued software package from hardware manufacturer Gigabyte. The package was found to have a vulnerability in 2018. While Gigabyte originally disputed the flaw, it has since discontinued the affected driver. The driver still exists, however, and more significantly, the certificate used to sign the code has not been revoked by Verisign, meaning the driver still carries a valid Authenticode signature.

The threat actors use this driver as a sort of “wedge” for loading their own unsigned driver, which then gets to work disabling security software by killing processes and deleting the related files, thus enabling the attack to proceed unhindered.
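The "wedge" sequence described above, a validly signed but known-vulnerable driver loaded shortly before an unsigned one, is something a detection team can look for in driver-load telemetry. The script below is an added example, not code from Sophos or from this article; it assumes Sysmon Event ID 6 (DriverLoad) records as input, uses a placeholder hash in place of any real driver identifier, and assumes the unsigned driver load is still logged.

```python
# Added example (not from the Sophos report or this article): flag the "wedge"
# pattern above in Sysmon Event ID 6 (DriverLoad) records: a validly signed but
# blocklisted driver followed shortly by an unsigned driver on the same host.
from datetime import datetime, timedelta

# Known-vulnerable signed drivers by SHA256; constructed placeholder entry.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
WINDOW = timedelta(minutes=5)  # unsigned load this soon after the wedge counts

def sha256_of(hashes_field):
    """Extract the SHA256 value from Sysmon's 'SHA1=...,SHA256=...' string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None

def find_wedge_sequences(events):
    """Return (wedge_driver, unsigned_driver) pairs seen on the same host."""
    findings = []
    wedges = []  # (time, host, image) of validly signed, blocklisted loads
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        valid = ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid"
        if valid and sha256_of(ev["Hashes"]) in VULNERABLE_DRIVER_SHA256:
            wedges.append((ev["UtcTime"], ev["Computer"], ev["ImageLoaded"]))
        elif not valid:  # an unsigned or invalidly signed driver was loaded
            for t, host, image in wedges:
                if host == ev["Computer"] and t <= ev["UtcTime"] <= t + WINDOW:
                    findings.append((image, ev["ImageLoaded"]))
    return findings

# Constructed sample telemetry (field names follow Sysmon DriverLoad):
# the wedge on WS01, an unsigned driver 4 s later, a benign signed one on WS02.
SAMPLE_EVENTS = [
    {"UtcTime": datetime(2020, 2, 10, 3, 14, 5), "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\Temp\wedge.sys", "Signed": "true",
     "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"UtcTime": datetime(2020, 2, 10, 3, 14, 9), "Computer": "WS01",
     "ImageLoaded": r"C:\Windows\Temp\killer.sys", "Signed": "false",
     "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "0" * 64},
    {"UtcTime": datetime(2020, 2, 10, 3, 20, 0), "Computer": "WS02",
     "ImageLoaded": r"C:\Windows\System32\drivers\ok.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "1" * 64},
]

if __name__ == "__main__":
    for wedge, unsigned in find_wedge_sequences(SAMPLE_EVENTS):
        print(f"ALERT: {wedge} loaded, then unsigned {unsigned}")
```

A valid signature alone is not a safe-to-load signal here, which is why the check keys on a blocklist hash rather than on signature status; the benign WS02 load is deliberately not flagged.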

The same driver has previously been used in tools to enable cheating in an online game, with the driver providing the means to bypass the game’s anti-cheat measures. This is the first time it has been seen used in ransomware, however, suggesting a degree of crossover between the developers of game-cheating tools and ransomware perpetrators.

Sophos security researchers Andrew Brandt and Mark Loman write about this new tactic:

“This is the first time we have observed ransomware shipping a trusted, signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space. The ransomware that was being installed in both instances calls itself RobbinHood. Ransomware trying to circumvent security products is not new. For example, Nemty kills processes and services using regular taskkill, and Snatch ransomware figured out how to reboot PCs into Safe Mode to get around endpoint protection. Obviously, doing the process killing from kernel mode has a lot of advantages.”

The researchers suggest a number of measures organisations can take to limit their exposure to such attacks. First, they advise against relying on a single technology to protect against malware, since modern malware adopts many strategies and techniques. They instead suggest deploying multiple technologies to frustrate as many attack stages as possible.

Second, Brandt and Loman recommend strong security practices. This includes measures like locking down or disabling RDP, limiting access rights to just what users actually need, enforcing strong passwords backed by multi-factor authentication, keeping tamper protection enabled, and making regular backups that are stored safely out of reach of attackers, such as in an offline, offsite location.

Finally, they highlight the expertise that cybercriminals employ in taking advantage of the human element to achieve their ends, recommending ongoing investment in staff training to combat this.

While this may sound like a lot to handle, our engineers at Pro-Networks are adept at delivering such multi-layered approaches to cybersecurity. With our managed IT support services, you can easily achieve 360-degree protection from the various cyberthreats.
