Ransomware installs Gigabyte driver to kill antivirus products

February 07, 2020

A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped.

This new novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos.

In both cases, the ransomware was RobbinHood [1, 2], a strain of “big-game” ransomware that’s usually employed in targeted attacks against selected, high-value targets.

In a report published late last night, Sophos described this new technique as follows:

Ransomware gang gets a foothold on a victim’s network.
Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
Hackers install a malicious kernel driver named RBNL.SYS.
Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
Hackers execute the RobbinHood ransomware and encrypt the victim’s files.

Per Sophos, this antivirus bypassing technique works on Windows 7, Windows 8, and Windows 10.

The Gigabyte driver patching fiasco

This technique is successful because of the way the vulnerability in the Gigabyte driver was handled, leaving a loophole that hackers can exploit.

For this debacle, two parties are at fault — first Gigabyte, and then Verisign.

Gigabyte’s fault resides in its unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.

The company’s downright refusal to recognize the vulnerability led the researchers who found the bug to publish public details about this bug, along with proof-of-concept code to reproduce the vulnerability. This public proof-of-concept code gave attackers a roadmap to exploiting the Gigabyte driver.

When public pressure was put on the company to fix the driver, Gigabyte instead chose to discontinue it, rather than releasing a patch.

But even if Gigabyte had released a patch, attackers could have simply used an older and still vulnerable version of the driver. In this case, the driver’s signing certificate should have been revoked, so it wouldn’t be possible to load the driver’s older versions either.

“Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid,” Sophos researchers said, explaining why it was still possible today to load a now-deprecated and known-vulnerable driver inside Windows.

But if we’ve learned something about cyber-criminals is that most of them are copy-cats and other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks using this technique.

RobbinHood is not the only ransomware gang that is using various tricks to disable or bypass security products. Other strains that engage in a similar behavior include Snatch (which reboots PCs in Safe Mode to disable AV software from starting) and Nemty (which shuts down antivirus process using taskkill utility).