Another wave of ransomware attacks is targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs a vulnerable, legitimately signed Gigabyte driver on target devices to evade defense mechanisms.
Researchers from SophosLabs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing the vulnerable Gigabyte driver on target systems.
The researchers investigated two different ransomware incidents involving RobbinHood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program.
Digging further revealed that the attackers exploited a known vulnerability, CVE-2018-19320, in the Gigabyte driver. Although the vendor has withdrawn the vulnerable driver, copies of it still exist. Moreover, the driver still carries a valid digital signature from Verisign, which has not revoked the certificate. Thus, the attackers continue to exploit the driver in ransomware attacks on high-profile targets.
As stated by the researchers,
In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.
The malware places numerous files into the 'temp' folder of the target system, which are then used to carry out further malicious activity. The table below gives a quick glimpse of these files.
More details about the attack scenario are available in the researchers’ post.
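As an added defender-side example, not from the Sophos report or this article, the following Python scans a constructed driver-load log for the two-step pattern described above: a load of a signed but blocklisted driver followed shortly on the same host by a driver that is unsigned or whose signature does not validate. The hash, host names, file names and log format are all placeholders and assumptions.

```python
from datetime import datetime, timedelta

# Hashes of drivers known to be exploitable for kernel code execution. The key
# is a constructed placeholder, not the real hash of the Gigabyte driver hit by
# CVE-2018-19320; populate it from a vetted vulnerable-driver blocklist.
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_SHA256_GIGABYTE_DRIVER": "Gigabyte driver (CVE-2018-19320)",
}
WINDOW = timedelta(minutes=10)  # how soon the second load must follow the wedge

# Constructed driver-load records in a simplified key=value format (a real
# source would be something like Sysmon driver-load events). Host and file
# names are made up.
SAMPLE_LOG = [
    "time=2020-02-06T10:01:12|host=WS01|image=C:\\Windows\\Temp\\vendor_driver.sys|sha256=PLACEHOLDER_SHA256_GIGABYTE_DRIVER|signed=true|sigstatus=Valid",
    "time=2020-02-06T10:02:00|host=WS02|image=C:\\Windows\\System32\\drivers\\legit.sys|sha256=OTHERHASH1|signed=true|sigstatus=Valid",
    "time=2020-02-06T10:03:40|host=WS01|image=C:\\Windows\\Temp\\second_driver.sys|sha256=OTHERHASH2|signed=false|sigstatus=Unavailable",
    "time=2020-02-06T10:30:00|host=WS01|image=C:\\Windows\\Temp\\late.sys|sha256=OTHERHASH3|signed=false|sigstatus=Unavailable",
]

def parse_driver_load(line):
    """Turn one key=value|key=value record into a dict with a parsed timestamp."""
    rec = dict(kv.split("=", 1) for kv in line.split("|"))
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec

def find_byovd_sequences(lines, window=WINDOW):
    """Flag a blocklisted signed driver load followed, on the same host and within
    `window`, by a driver load that is unsigned or whose signature is not valid."""
    events = sorted((parse_driver_load(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    for i, wedge in enumerate(events):
        if wedge["sha256"] not in VULNERABLE_DRIVER_HASHES:
            continue
        for follow in events[i + 1:]:
            if follow["time"] - wedge["time"] > window:
                break  # events are time-ordered, so nothing later can qualify
            if follow["host"] != wedge["host"]:
                continue
            if follow["signed"] != "true" or follow["sigstatus"] != "Valid":
                alerts.append({
                    "host": wedge["host"],
                    "wedge_driver": wedge["image"],
                    "wedge_note": VULNERABLE_DRIVER_HASHES[wedge["sha256"]],
                    "unsigned_driver": follow["image"],
                    "seconds_apart": int((follow["time"] - wedge["time"]).total_seconds()),
                })
    return alerts
```

Matching on the driver's hash rather than on its signature status is deliberate: as the article notes, the withdrawn driver is still validly signed, so a signature check alone would pass it.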
Earlier, having a robust antimalware solution was considered sufficient protection against a malware or ransomware attack. Now, however, with more and more ransomware adopting tactics to evade security checks, an antivirus alone is no longer a dependable solution. The same applies to RobbinHood ransomware attacks.
Therefore, Sophos recommends employing multiple measures to ensure security. These include using multi-factor authentication, using complex passwords, restricting user access to critical systems and networks, maintaining up-to-date backups, and limiting RDP access.
Users should also enable the Tamper Protection feature of their security solution so that malware cannot disable the endpoint protection.