ChainScriptz_Bot

New Ransomware Attacks Install Malicious Gigabyte Drivers To Disable Antivirus


Another wave of ransomware attacks is targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs malicious Gigabyte drivers on target devices to evade defense mechanisms.

Ransomware Campaign Uses Malicious Gigabyte Drivers

Researchers from SophosLabs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing malicious Gigabyte drivers on target systems.

The researchers investigated two different ransomware incidents involving RobbinHood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program. Digging further revealed that the attackers had exploited a known vulnerability, CVE-2018-19320, in the Gigabyte drivers. While the vendor has withdrawn the vulnerable drivers, the drivers still exist. Moreover, the drivers still bear digital signatures from Verisign, which has not revoked the certificates. Thus, the attackers continue to exploit the drivers for waging ransomware attacks on high-profile targets.

As stated by the researchers:

"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

The malware places numerous files in the 'temp' folder of the target system, which then further execute malicious activities. The table below gives a quick glimpse of these files.

Source: Sophos

More details about the attack scenario are available in the researchers' post.

Possible Mitigations

Earlier, having a robust antimalware solution was considered sufficient for protecting against a malware/ransomware attack. However, now that more and more ransomware families are adopting different tactics to evade security checks, an antivirus alone no longer remains a dependable solution. The same applies to RobbinHood ransomware attacks as well. Therefore, Sophos recommends employing multiple measures to ensure security. These include the use of multi-factor authentication, complex passwords, restricting user access to critical systems/networks, maintaining up-to-date backups, and limiting RDP. Users must also ensure that the Tamper Protection feature of their respective security solution is enabled, to prevent any malware from disabling the endpoint security.
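The "wedge" sequence described above (a signed but vulnerable driver loaded, then an unsigned driver loaded shortly after on the same host) is something a defender can look for in driver-load telemetry. The following is an added example, not code from the post or from Sophos: it runs that sequence check over constructed Sysmon Event ID 6 (DriverLoad) records. The post names only the CVE and not the driver file, so the blocklist entry is a placeholder filename; a production blocklist would key on file hashes instead.

```python
import json
from datetime import datetime, timedelta

# Placeholder entry: the post gives only the CVE, not the driver's filename. A real
# blocklist would key on the hashes of the withdrawn Gigabyte driver builds.
VULNERABLE_SIGNED_DRIVERS = {"vulnerable_gigabyte_driver.sys": "CVE-2018-19320"}

# Constructed Sysmon Event ID 6 (DriverLoad) records, reduced to the fields used below.
SAMPLE_LOG = """
{"host": "ws01", "time": "2020-02-06T10:00:00", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows"}
{"host": "ws01", "time": "2020-02-06T10:02:10", "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\VULNERABLE_GIGABYTE_DRIVER.sys", "Signed": "true", "Signature": "Constructed Signer"}
{"host": "ws01", "time": "2020-02-06T10:02:11", "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\unsigned_payload.sys", "Signed": "false", "Signature": ""}
{"host": "ws02", "time": "2020-02-06T11:30:00", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\vendor_ok.sys", "Signed": "true", "Signature": "Some Vendor"}
"""


def parse_events(log_text):
    """Parse one JSON record per line (blank lines skipped), ordered by host then time."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["time"])
    return sorted(events, key=lambda ev: (ev["host"], ev["time"]))


def basename(path):
    """Lower-cased file name, accepting either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_driver_wedge(events, window=timedelta(minutes=10)):
    """Flag a known-vulnerable signed driver followed on the same host, within
    `window`, by an unsigned driver load. Returns one alert per such pair."""
    alerts = []
    for i, ev in enumerate(events):
        cve = VULNERABLE_SIGNED_DRIVERS.get(basename(ev["ImageLoaded"]))
        if cve is None:
            continue
        for later in events[i + 1:]:
            # Events are sorted by (host, time), so leaving the host or the window ends the scan.
            if later["host"] != ev["host"] or later["time"] - ev["time"] > window:
                break
            if later["Signed"].lower() == "false":
                alerts.append({"host": ev["host"], "cve": cve,
                               "wedge": basename(ev["ImageLoaded"]),
                               "unsigned": basename(later["ImageLoaded"]),
                               "seconds_apart": (later["time"] - ev["time"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_driver_wedge(parse_events(SAMPLE_LOG)):
        print("ALERT", alert)
```

An unsigned driver load on its own is also worth a lower-severity alert on systems where Driver Signature Enforcement is expected to be on; the sequence check above just raises the confidence that the signed driver was the wedge.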
Copyright © 2020 ChainScriptz