We often get comfortable once antivirus software is installed on a system. However, a new research report says we shouldn’t get “too” confident. According to the security company Sophos, a new ransomware strain can now compromise Windows systems by abusing a legitimately signed Gigabyte driver: it exploits a flaw in that driver to load a second, unsigned driver that disables any running antivirus software.
The ransomware exploits a security vulnerability in Gigabyte’s gdrv.sys driver that was disclosed in 2018 (CVE-2018-19320). Gigabyte confirmed the bug at the time. The flaw lets code that can open the driver read and write kernel memory, so an attacker who already has administrator rights on a machine loads the signed but vulnerable driver and uses it to tamper with the running kernel. If that succeeds, the ransomware can cripple any antivirus on the PC along with other conventional security software.
Sophos said: “The second driver blocks the processes and files of security software. It bypasses tamper protection and enables ransomware to attack users’ computers without interruption… This is the first time we are observing this ransomware. The software uses a third-party driver co-signed by Microsoft to modify the kernel file to load its own unsigned malicious driver and remove the secure application from the kernel.”
A malicious driver can cripple antivirus software
This new ransomware is known as RobbinHood, and its purpose is plain extortion. The report shows that victims have to pay to unlock their files, and if a victim does not pay, the ransom demand rises by $10,000 per day.
The chain starts with an executable called Steel.exe, which drops a file named ROBNR.EXE into the Windows temporary folder. ROBNR.EXE in turn extracts two drivers: the signed but vulnerable Gigabyte driver gdrv.sys, and an unsigned driver whose job is to disable antivirus software. The malware first loads gdrv.sys, which Windows accepts because it carries a valid signature, then uses the driver’s flaw to switch off Driver Signature Enforcement in the running kernel so that the unsigned second driver can be loaded. Because the whole chain runs with administrator rights and the first driver is legitimately signed, Sophos sees no single setting that would stop it outright; the practical defence is to keep security software running and up to date, and to treat the appearance of gdrv.sys or any unsigned driver in a temporary folder as a sign of compromise.
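As an added example (not code from the Sophos report or from the RobbinHood samples), the chain above is the kind of sequence driver-load telemetry can expose: a signed driver known to be vulnerable appears, and within seconds an unsigned driver follows it on the same host, typically from a temporary folder. The Python below runs that correlation over a handful of constructed records shaped like Sysmon DriverLoad events (Event ID 6). The host names, timestamps, signer strings and the unsigned driver’s file name are all invented for the example, and the known-vulnerable list holds only gdrv.sys because that is the only driver the page names.

```python
"""Hunt for a bring-your-own-vulnerable-driver (BYOVD) chain in driver-load telemetry.

Each record mirrors the fields of a Sysmon DriverLoad event (Event ID 6):
UtcTime, ImageLoaded, Signed, Signature, SignatureStatus, plus the host name.
The sample rows are constructed for this example; they are not real telemetry,
and the unsigned driver name "avkill.sys" is a placeholder.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signed drivers known to be abused for kernel tampering. Only gdrv.sys comes
# from the write-up; extend the set from your own intelligence feeds.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}

# A driver loading from a scratch or user-writable directory is itself a
# strong signal: legitimate installs land in System32\drivers.
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# How long after the vulnerable driver appears an unsigned load is still tied to it.
CHAIN_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"Computer": "WS-01", "UtcTime": "2020-02-07 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "WS-01", "UtcTime": "2020-02-07 10:01:12.000",
     "ImageLoaded": "C:\\Windows\\Temp\\gdrv.sys",
     "Signed": "true", "Signature": "Giga-Byte Technology Co., Ltd.", "SignatureStatus": "Valid"},
    {"Computer": "WS-01", "UtcTime": "2020-02-07 10:01:15.000",
     "ImageLoaded": "C:\\Windows\\Temp\\avkill.sys",  # placeholder name for the AV-killing driver
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # A workstation with Gigabyte's own utility installed: the vulnerable driver
    # loads from the normal location and no unsigned driver follows it in time.
    {"Computer": "WS-02", "UtcTime": "2020-02-07 09:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\gdrv.sys",
     "Signed": "true", "Signature": "Giga-Byte Technology Co., Ltd.", "SignatureStatus": "Valid"},
    {"Computer": "WS-02", "UtcTime": "2020-02-07 10:30:00.000",
     "ImageLoaded": "C:\\Users\\dev\\AppData\\Local\\Temp\\testdrv.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def classify(event: dict) -> set:
    """Return the set of per-event findings for one driver-load record."""
    path = event["ImageLoaded"].lower()
    name = path.rsplit("\\", 1)[-1]
    flags = set()
    if name in KNOWN_VULNERABLE_DRIVERS:
        flags.add("known_vulnerable_driver")
    if event["Signed"].lower() != "true" or event["SignatureStatus"].lower() != "valid":
        flags.add("unsigned_or_invalid_signature")
    if any(fragment in path for fragment in SUSPICIOUS_PATH_FRAGMENTS):
        flags.add("user_writable_path")
    return flags


def find_byovd_chains(events: list) -> list:
    """Correlate per host: a known-vulnerable signed driver followed within
    CHAIN_WINDOW by an unsigned driver load is reported as one chain alert."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["Computer"]].append(event)

    alerts = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: _parse_time(e["UtcTime"]))
        for index, first in enumerate(host_events):
            if "known_vulnerable_driver" not in classify(first):
                continue
            start = _parse_time(first["UtcTime"])
            for second in host_events[index + 1:]:
                gap = _parse_time(second["UtcTime"]) - start
                if gap > CHAIN_WINDOW:
                    break  # events are sorted, so nothing later can be in the window
                if "unsigned_or_invalid_signature" in classify(second):
                    alerts.append({
                        "host": host,
                        "vulnerable_driver": first["ImageLoaded"],
                        "unsigned_driver": second["ImageLoaded"],
                        "seconds_apart": gap.total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["Computer"], event["ImageLoaded"], sorted(classify(event)))
    for alert in find_byovd_chains(SAMPLE_EVENTS):
        print("BYOVD chain:", alert)
```

The per-event flags are deliberately kept apart from the chain alert: gdrv.sys ships with Gigabyte’s own utilities, so its presence alone (WS-02 in the sample) is a lead to triage, not an incident, whereas a vulnerable signed driver followed seconds later by an unsigned one (WS-01) is the pattern this ransomware relies on. The unsigned load still shows up as unsigned in telemetry that checks the file’s signature itself, even after Driver Signature Enforcement has been patched out of the running kernel, which is what makes the correlation useful. The caveat is the one the second driver exists to create: if it unloads or blinds the endpoint agent first, no later record is written, so ship these events off-host as they occur rather than relying on a later local query.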