A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. From a report: The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped. This new novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos. In both cases, the ransomware was RobbinHood, a strain of “big-game” ransomware that’s usually employed in targeted attacks against selected, high-value targets. In a report published late last night, Sophos described this new technique as follows:
1. Ransomware gang gets a foothold on a victim’s network.
2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
5. Hackers install a malicious kernel driver named RBNL.SYS.
6. Attackers use
Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/w087OEVbOzc/ransomware-installs-gigabyte-driver-to-kill-antivirus-products