Sophos has published research into a novel type of ransomware attack in which cyber criminals are deploying legitimate, digitally signed hardware drivers to remove security products from their target systems before encrypting user data.
The RobbinHood ransomware works by exploiting an old vulnerability, CVE-2018-19320, in a now-deprecated driver developed by Taiwanese firm Gigabyte. The driver still carries a valid, unrevoked Verisign Authenticode signature and is still in use by many, despite having been discontinued.
The trusted, signed Gigabyte driver is used as a wedge to patch the Windows kernel, load an unsigned malicious driver, and remove defensive security products from inside kernel mode.
According to the Sophos researchers, this is the first time such an attack vector has been observed. Ransomware attempting to circumvent security products is not new, but killing their processes from kernel mode rather than user mode is clearly advantageous to the attacker: endpoint products typically protect themselves against termination by user-mode code, while a kernel-mode driver runs with the same privilege as the protection it is attacking.
Importantly, the malicious driver contains only kill code and nothing else, which means that even if the target is running a fully patched Windows system with no known vulnerabilities, the attackers are still able to kill security defences as a precursor to the actual ransomware attack. Patching Windows does not help here, because the vulnerability is in the third-party driver the attackers bring with them, not in the operating system itself.
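The load sequence described above (a signed but vulnerable driver loads, then an unsigned driver loads shortly afterwards on a system whose kernel should refuse unsigned code) is detectable from driver-load telemetry. The following Python detector is an added example, not code from the article or from Sophos. It assumes records shaped like Sysmon Event ID 6 (DriverLoad) with UtcTime, ImageLoaded, Signed and Signature fields; the key=value line format, file paths, signer strings and the malicious driver name are constructed for the example. The one real identifier it relies on is gdrv.sys, the Gigabyte driver affected by CVE-2018-19320, which the article itself does not name.

```python
"""Detect a bring-your-own-vulnerable-driver (BYOVD) chain in driver-load telemetry.

Added example: the record format below is constructed to resemble a Sysmon
Event ID 6 (DriverLoad) export. Adapt parse_event() to your collector's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Known-vulnerable signed drivers an attacker may bring with them.
# gdrv.sys is the Gigabyte driver affected by CVE-2018-19320 (the article does
# not name the file; this mapping is the only real identifier in the example).
VULNERABLE_DRIVERS = {
    "gdrv.sys": "Gigabyte GDrv, CVE-2018-19320 (arbitrary physical memory read/write)",
}

# An unsigned driver load this soon after a vulnerable driver load is treated as
# one chain: the vulnerable driver was used to patch the kernel and disable
# Driver Signature Enforcement. The window is an assumption; tune it locally.
CHAIN_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class DriverLoad:
    utc_time: datetime
    image: str
    signed: bool
    signature: str  # Authenticode signer subject, "" when unsigned


@dataclass(frozen=True)
class Alert:
    utc_time: datetime
    severity: str
    rule: str
    detail: str


def parse_event(line: str) -> DriverLoad:
    """Parse one 'Key=Value | Key=Value' record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return DriverLoad(
        utc_time=datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_byovd(events: list[DriverLoad]) -> list[Alert]:
    """Walk driver loads in time order and raise alerts on the RobbinHood-style chain."""
    alerts: list[Alert] = []
    vulnerable_seen: list[tuple[datetime, str]] = []
    for ev in sorted(events, key=lambda e: e.utc_time):
        name = _basename(ev.image)
        if name in VULNERABLE_DRIVERS:
            # Even on its own this is worth a look: a deprecated, exploitable
            # driver has no business loading from a temp directory.
            vulnerable_seen.append((ev.utc_time, name))
            alerts.append(Alert(ev.utc_time, "medium", "vulnerable-driver-load",
                                f"{ev.image} loaded ({VULNERABLE_DRIVERS[name]}); "
                                f"signer={ev.signature!r}"))
            continue
        if ev.signed:
            continue
        # An unsigned driver should never load where signature enforcement is on.
        chained = [(t, n) for t, n in vulnerable_seen
                   if timedelta(0) <= ev.utc_time - t <= CHAIN_WINDOW]
        if chained:
            t, n = chained[-1]
            secs = int((ev.utc_time - t).total_seconds())
            alerts.append(Alert(ev.utc_time, "critical", "byovd-chain",
                                f"unsigned driver {ev.image} loaded {secs}s after {n}; "
                                f"kernel signature enforcement likely patched"))
        else:
            alerts.append(Alert(ev.utc_time, "high", "unsigned-driver-load",
                                f"unsigned driver {ev.image} loaded"))
    return alerts


def analyse(log_text: str) -> list[Alert]:
    """Parse a block of records and run the detector over them."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return detect_byovd(events)


# Constructed sample telemetry: a normal driver, then the BYOVD chain, then noise.
# Paths, timestamps, the signer string and "kill.sys" are made up for the example.
SAMPLE_LOG = r"""
UtcTime=2020-02-06 09:12:01 | ImageLoaded=C:\Windows\System32\drivers\ntfs.sys | Signed=true | Signature=Microsoft Windows
UtcTime=2020-02-06 09:14:33 | ImageLoaded=C:\Windows\Temp\gdrv.sys | Signed=true | Signature=GIGA-BYTE TECHNOLOGY CO., LTD.
UtcTime=2020-02-06 09:14:35 | ImageLoaded=C:\Windows\Temp\kill.sys | Signed=false | Signature=
UtcTime=2020-02-06 11:02:10 | ImageLoaded=C:\Windows\System32\drivers\afd.sys | Signed=true | Signature=Microsoft Windows
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.utc_time:%Y-%m-%d %H:%M:%S} [{a.severity}] {a.rule}: {a.detail}")
```

Matching on file name is enough to show the sequence but is trivially bypassed by renaming the driver; a production rule should key on the file hash or on signer plus version, and the unsigned-load rule assumes the host is a 64-bit Windows build with Driver Signature Enforcement on and test signing off, since otherwise unsigned loads are expected.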
Mark Loman, director of engineering at Sophos, said the firm's analysis of RobbinHood showed how quickly and dangerously the ransomware threat is evolving.
“This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specifically designed to prevent such tampering. Killing the security leaves the malware free to install and execute the ransomware uninterrupted,” he said.
Sophos found a number of indicators to suggest that the authors of the malicious driver are the same group behind RobbinHood, a strain of ransomware that caused chaos for many victims in 2019, notably the city of Baltimore in Maryland, where local government employees were locked out of their systems for more than two months.
Loman set out a number of steps that users can take to protect themselves from RobbinHood. “We recommend a three-pronged approach. First, since today's ransomware attacks use multiple techniques and tactics, defenders need to deploy a range of technologies to disrupt as many stages of the attack as possible, integrate the public cloud into their security strategy, and enable critical functionality, such as tamper protection, in their endpoint protection software. If possible, supplement this with threat intelligence and expert threat hunting,” he said.
“Second, apply strong security practices like multi-factor authentication, complex passwords, limited access rights, regular patching, and data backups, and lock down vulnerable remote access services. Last, but not least, invest and keep investing in staff security training.”
Full technical details of how RobbinHood works, together with indicators of compromise (IoCs), can be found on the Sophos website.