Hackers exploit hole in vulnerable but digitally signed Gigabyte driver
A new ransomware uses a vulnerable Gigabyte driver that is still digitally signed and therefore easy to install. The malware then installs a second driver that disables security software, after which encryption begins.
This is a driver whose privilege escalation vulnerability already came to light in 2018, but which, according to security company Sophos, is still digitally signed by Verisign. It is not clear why this vulnerable driver, which is no longer in use, is still digitally signed.
Thanks to that valid signature, the malware installs the vulnerable Gigabyte driver without any objection from Windows. The driver is then used to switch off Windows driver signature enforcement, clearing the way for a second, unsigned driver whose job is to look for installed security software and disable it. Then comes the actual ransomware attack.
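The sequence described above (a validly signed third-party driver load followed shortly by a driver that fails signature validation) is something a defender can look for in driver-load telemetry. The following is an added detection example, not code from the article or from Sophos; it operates on records shaped like Sysmon Event ID 6 (DriverLoad) fields, and the sample events, driver paths and signer name are constructed for illustration.

```python
"""Flag the 'signed loader, then unsigned follower' driver-load pattern.

Input records mimic the fields Sysmon writes for Event ID 6 (DriverLoad):
UtcTime, ImageLoaded, Signed, Signature, SignatureStatus. All sample data
below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical paths and signer names).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-02-07 10:00:01.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\ACPI.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:05:12.000",
     "ImageLoaded": r"C:\Windows\Temp\example-vuln.sys",   # hypothetical
     "Signed": "true", "Signature": "Example Hardware Vendor",  # hypothetical
     "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:05:14.000",
     "ImageLoaded": r"C:\Windows\Temp\example-second.sys",  # hypothetical
     "Signed": "false", "Signature": "",
     "SignatureStatus": "Unsigned"},
]


def parse_time(value):
    """Parse the Sysmon UtcTime string into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def find_byovd_sequences(events, window_seconds=300,
                         trusted_signers=("Microsoft Windows",)):
    """Return (loader, follower) path pairs.

    A pair is reported when a driver with a Valid signature from a signer
    outside trusted_signers is followed, within window_seconds, by a driver
    whose SignatureStatus is anything other than Valid. That is the shape of
    the attack described in the article: the signed vulnerable driver goes in
    first, signature enforcement is switched off, then the unsigned driver
    follows.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    hits = []
    for index, first in enumerate(ordered):
        if first["SignatureStatus"] != "Valid":
            continue
        if first["Signature"] in trusted_signers:
            continue
        start = parse_time(first["UtcTime"])
        for second in ordered[index + 1:]:
            if parse_time(second["UtcTime"]) - start > timedelta(seconds=window_seconds):
                break
            if second["SignatureStatus"] != "Valid":
                hits.append((first["ImageLoaded"], second["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for loader, follower in find_byovd_sequences(SAMPLE_EVENTS):
        print(f"signed driver {loader} followed by unvalidated driver {follower}")
```

The heuristic deliberately treats any status other than Valid as suspicious, because once enforcement is disabled the follower may show up as Unsigned or with errors rather than cleanly unsigned. It is a starting point, not a complete detection: a driver load outside the usual drivers directory, or a vendor driver appearing on a machine that has no such hardware, are further signals worth correlating.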
The ransomware, called RobbinHood, claims to encrypt the victim's files with an RSA-4096 cipher. The ransom amount is not known; the note states that it will be increased by $10,000 every day after four days.
According to Sophos, it is the first time that they have seen a 'legitimate' driver being misused in this way to attack the system from kernel space. The attack reportedly works on Windows 7, 8 and 10.