Wednesday, March 4, 2020

How Ransomware virus uses Gigabyte driver to stop antivirus

The extortionists demand a ransom from their victims that increases by $10 thousand every day.

Sophos experts have warned of new cyber attacks using the RobbinHood ransomware. The criminals load a vulnerable Gigabyte driver onto the Windows system to gain privileged access and then disable the running antivirus software.

During the attack, the attackers exploit the unpatched vulnerability CVE-2018-19320, discovered in 2018 in the Gigabyte driver. Exploiting it gives them privileged access to the device and lets them install a second driver, which they use to disable antivirus programs.

The executable Steel.exe exploits the vulnerability in the gdrv.sys driver and drops a file named ROBNR.EXE into a temporary Windows folder. ROBNR.EXE in turn extracts two different drivers: one developed by Gigabyte that contains the vulnerability, and a second one used to disable the antivirus software on the compromised device. Once the vulnerability has been exploited, Windows driver signature enforcement is switched off, which allows the malicious, unsigned driver to be loaded.
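As an added defender-side illustration (not code from the article or from Sophos), the following Python script runs the detection logic implied by this chain over a few constructed driver-load events: a known vulnerable driver (gdrv.sys, the one named above) being loaded, a driver loaded from a temporary directory, and an unsigned driver loaded shortly after the vulnerable one, which is the signature-enforcement bypass pattern. The event field names follow Sysmon Event ID 6 ("Driver loaded") and the sample events themselves are assumptions constructed for this example.

```python
"""Flag the vulnerable-driver -> unsigned-driver loading chain in driver-load telemetry."""
from datetime import datetime, timedelta

# gdrv.sys is the vulnerable Gigabyte driver named in the article; any further
# entries would come from your own vulnerable-driver list (assumption, not from the page).
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")
CHAIN_WINDOW = timedelta(minutes=10)  # how soon after the vulnerable load an unsigned load is suspicious

# Constructed sample events; field names loosely follow Sysmon Event ID 6 (assumption).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-03-04 10:00:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-03-04 10:01:10", "ImageLoaded": "C:\\Windows\\Temp\\gdrv.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2020-03-04 10:01:25", "ImageLoaded": "C:\\Windows\\Temp\\placeholder_av_killer.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def _parse_time(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def analyze_driver_loads(events):
    """Return (severity, reason, image_path) findings for the events, oldest first."""
    findings = []
    last_vulnerable_load = None  # time of the most recent known-vulnerable driver load
    for event in sorted(events, key=_parse_time):
        path = event["ImageLoaded"]
        name = path.rsplit("\\", 1)[-1].lower()
        loaded_at = _parse_time(event)
        signed_ok = event["Signed"].lower() == "true" and event["SignatureStatus"] == "Valid"
        if name in KNOWN_VULNERABLE_DRIVERS:
            findings.append(("high", "known vulnerable driver loaded", path))
            last_vulnerable_load = loaded_at
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            findings.append(("medium", "driver loaded from temporary directory", path))
        if not signed_ok:
            # A signed-but-vulnerable driver followed by an unsigned one is the
            # signature-enforcement bypass sequence described in the article.
            if last_vulnerable_load is not None and loaded_at - last_vulnerable_load <= CHAIN_WINDOW:
                findings.append(("critical", "unsigned driver loaded shortly after vulnerable driver", path))
            else:
                findings.append(("high", "unsigned or invalidly signed driver loaded", path))
    return findings


if __name__ == "__main__":
    for severity, reason, image in analyze_driver_loads(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {image}")
```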

To restore access to the encrypted files, the ransomware demands a ransom from its victims that increases by $10 thousand every day.