Security company Sophos has warned that a new ransomware attack uses a vulnerable Gigabyte driver to break into Windows systems and then disable the running security software. The attack relies on a vulnerability in the Gigabyte driver that was discovered in 2018 and is tracked as CVE-2018-19320.
Gigabyte deprecated the driver after confirming the flaw. The vulnerability lets attackers gain access to the device and deploy a second driver whose purpose is to kill antivirus products on the system. According to Sophos, this second driver spares no effort to kill processes and files belonging to endpoint security products, bypassing tamper protection so that the ransomware can run without interference. This is the first time security researchers have observed ransomware shipping a Microsoft-signed third-party driver to patch the Windows kernel in memory, load its own unsigned malicious driver, and remove security applications from kernel space.

The ransomware used in this campaign is called RobbinHood, and it demands payment from victims to unlock their files. The ransom note says the price increases by $10,000 per day if they do not pay. The executable that abuses the Gigabyte gdrv.sys driver is called Steel.exe; it drops a file named ROBNR.exe in the Windows temp folder, which in turn extracts two drivers: one developed by Gigabyte (the vulnerable one) and a second that disables antivirus software on the compromised device. Once the vulnerability is exploited, Windows driver signature enforcement is disabled, allowing the malicious driver to be loaded.
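The chain above (a signed but vulnerable driver loaded first, then an unsigned driver loaded once signature enforcement is gone) is visible in driver-load telemetry. The following is an added example, not code from Sophos or from the article: it correlates a load of gdrv.sys with a subsequent unsigned or unverifiable driver load on the same host. The log lines are constructed for this example using a simplified key=value rendering of the fields Sysmon reports for Event ID 6 (DriverLoad); the ten-minute correlation window and the file name used for the second driver (which the article does not name) are assumptions.

```python
"""Flag a bring-your-own-vulnerable-driver pattern in driver-load telemetry:
a load of the known-vulnerable Gigabyte gdrv.sys followed, on the same host,
by a load of a driver whose signature is missing or not valid."""
from __future__ import annotations
from datetime import datetime, timedelta
import re

KNOWN_VULNERABLE = {"gdrv.sys"}          # Gigabyte driver, CVE-2018-19320
WINDOW = timedelta(minutes=10)           # assumed correlation window (tunable)
KV_RE = re.compile(r" (?=[A-Za-z]+=)")   # split only on spaces that precede key=

# Constructed sample telemetry (not real captures). Timestamps are UTC.
# "unnamed_second_driver.sys" is a placeholder: the article does not name
# the driver that RobbinHood loads after disabling signature enforcement.
SAMPLE_EVENTS = """\
UtcTime=2020-02-07 10:14:02 Computer=WS01 ImageLoaded=C:\\Windows\\System32\\drivers\\nvlddmkm.sys Signed=true SignatureStatus=Valid Signature=NVIDIA Corporation
UtcTime=2020-02-07 10:15:30 Computer=WS01 ImageLoaded=C:\\Windows\\Temp\\gdrv.sys Signed=true SignatureStatus=Valid Signature=Giga-Byte Technology
UtcTime=2020-02-07 10:15:41 Computer=WS01 ImageLoaded=C:\\Windows\\Temp\\unnamed_second_driver.sys Signed=false SignatureStatus=Unavailable Signature=
UtcTime=2020-02-07 10:20:00 Computer=WS02 ImageLoaded=C:\\Windows\\Temp\\gdrv.sys Signed=true SignatureStatus=Valid Signature=Giga-Byte Technology
"""


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; values may contain spaces."""
    fields = {}
    for part in KV_RE.split(line.strip()):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unverified(ev: dict) -> bool:
    """True when the driver is unsigned or its signature did not verify."""
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "") != "Valid"


def detect(text: str) -> list[dict]:
    """Return alerts: one 'medium' per known-vulnerable driver load, and one
    'high' per unverified driver load that follows such a load on the same
    host within WINDOW."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["UtcTime"])
    vuln_loads: dict[str, list[datetime]] = {}
    alerts: list[dict] = []
    for ev in events:
        host, name, t = ev["Computer"], basename(ev["ImageLoaded"]), ev["UtcTime"]
        if name in KNOWN_VULNERABLE:
            vuln_loads.setdefault(host, []).append(t)
            alerts.append({"host": host, "severity": "medium", "driver": name,
                           "reason": "known-vulnerable driver loaded"})
        elif is_unverified(ev):
            recent = [v for v in vuln_loads.get(host, []) if timedelta(0) <= t - v <= WINDOW]
            if recent:
                gap = int((t - recent[-1]).total_seconds())
                alerts.append({"host": host, "severity": "high", "driver": name,
                               "reason": f"unverified driver loaded {gap}s after known-vulnerable driver"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, WS01 produces a medium alert for gdrv.sys and a high alert for the unsigned driver loaded 11 seconds later; WS02 produces only the medium alert, since no unverified load follows. Matching on file name alone is deliberately coarse: a production rule would key on the driver's hash or signer as well, so that a renamed copy of the vulnerable driver is still caught.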
Sophos says that, apart from the usual practices for staying secure against ransomware attacks, there is nothing else that can help users prevent the vulnerability from being exploited by attackers.
