Do you use Gigabyte motherboards? Your antivirus or firewall cannot save you from this ransomware

Drivers developed by the Taiwanese company GIGABYTE contain a known vulnerability that groups of threat actors are exploiting to infect targeted computers with the ransomware variant known as RobbinHood, network security specialists report.

In addition, by abusing these legitimate hardware drivers the hackers are also able to remove security tools (antivirus) from the infected systems and then encrypt the files in a second stage of the attack.

The attack is completed by loading a second, malicious driver onto the compromised system after disabling driver signature enforcement, which requires changing a single byte in the kernel. As network security experts explain, hardware drivers allow the operating system to communicate with a particular device. The driver targeted in this attack was distributed with GIGABYTE motherboards and graphics cards before it was discontinued in early 2019.

This is the most recent and innovative attack method shown by hackers, and it should also put researchers and system administrators on alert, since it is a genuinely effective way to evade even the most sophisticated endpoint security tools: “This attack variant can even eliminate protection measures on fully updated Windows systems without known vulnerabilities,” says Mark Loman, network security specialist at Sophos.

The vulnerability exploited in the driver (CVE-2018-19320) is a privilege escalation flaw that allows arbitrary reading and writing of system memory. Exploiting it allows driver signature enforcement to be temporarily disabled on Windows systems. Once signature enforcement is disabled, RobbinHood loads the second driver onto the attacked system.
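As an added illustration (not from the article or from Sophos), the following Python correlates constructed Sysmon Event ID 6 (DriverLoad) records to flag the two-stage sequence described above: a legitimately signed but known-vulnerable driver is loaded, and shortly afterwards a driver with no valid signature is loaded, something that should not happen while signature enforcement is intact. The driver hash, file names and timestamps are assumed placeholders, since the article gives none.

```python
from datetime import datetime, timedelta

# Hypothetical blocklist of known-vulnerable signed drivers keyed by SHA256; the
# page gives no hash for the GIGABYTE driver, so a labelled placeholder stands in.
VULNERABLE_DRIVER_HASHES = {"<PLACEHOLDER_SHA256_OF_VULNERABLE_GIGABYTE_DRIVER>": "CVE-2018-19320"}
WINDOW = timedelta(minutes=10)  # how soon after stage 1 a stage-2 load counts as linked

# Constructed sample Sysmon Event ID 6 (DriverLoad) records, already parsed to dicts.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-02-07 10:00:01", "ImageLoaded": r"C:\Windows\System32\drivers\acpi.sys",
     "Hashes": "SHA256=1111aaaa", "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:02:13", "ImageLoaded": r"C:\Windows\Temp\stage1.sys",
     "Hashes": "MD5=00ff,SHA256=<PLACEHOLDER_SHA256_OF_VULNERABLE_GIGABYTE_DRIVER>",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-02-07 10:02:40", "ImageLoaded": r"C:\Windows\Temp\stage2.sys",
     "Hashes": "SHA256=2222bbbb", "Signed": "false", "SignatureStatus": "Unavailable"},
]

def sha256_of(hashes_field):
    """Sysmon's Hashes field looks like 'MD5=..,SHA256=..'; return the SHA256 value."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return ""

def analyse(events):
    """Return (severity, message) alerts for the two-stage driver-abuse pattern."""
    ts = lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    alerts, last_vuln = [], None  # last_vuln: (time, image, cve) of the stage-1 load
    for ev in sorted(events, key=ts):
        t, image = ts(ev), ev["ImageLoaded"]
        cve = VULNERABLE_DRIVER_HASHES.get(sha256_of(ev.get("Hashes", "")))
        if cve:  # stage 1: legitimately signed driver with a known read/write flaw
            alerts.append(("medium", f"known vulnerable driver loaded ({cve}): {image}"))
            last_vuln = (t, image, cve)
        elif ev.get("SignatureStatus") != "Valid":  # not expected while enforcement is intact
            if last_vuln and t - last_vuln[0] <= WINDOW:
                secs = int((t - last_vuln[0]).total_seconds())
                alerts.append(("high", f"unsigned driver {image} loaded {secs}s after "
                               f"{last_vuln[1]} ({last_vuln[2]}): likely signature-enforcement bypass"))
            else:
                alerts.append(("medium", f"driver without valid signature loaded: {image}"))
    return alerts

if __name__ == "__main__":
    for sev, msg in analyse(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The blocklist lookup is keyed on the image hash rather than the file name, since an attacker controls the name under which the vulnerable driver is dropped.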

According to Loman, this is the first time a Sophos research team has encountered a ransomware variant that carries its own legitimately signed third-party driver in order to compromise security software: “Completely removing the protections allows the free installation of any malware variant and lets it run smoothly,” the expert concludes.

The International Institute of Cyber Security (IICS) notes that ransomware remains the main threat to computer users. Use of this malware increased considerably during 2019, and the early days of 2020 seem to foretell similar behavior.