Another wave of ransomware attacks are targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs malicious Gigabyte drivers on target devices to evade defense mechanisms.
Researchers from the Sophos Labs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing malicious Gigabyte drivers on target systems.
The researchers investigated two different ransomware incidents involving Robinhood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program.
Digging further revealed that the attackers have exploited a known vulnerability CVE-2018-19320 in the Gigabyte drivers. While the vendors have withdrawn the vulnerable drivers, the drivers still exist. Moreover, the drivers still bear digital signatures from Verisign who have not revoked the certificates. Thus, the attackers continue to exploit the drivers for waging ransomware attacks on high-profile targets.
As stated by the researchers,
The malware places numerous files to the ‘temp’ folder of the target system, which then further execute malicious activities. The table below gives a quick glimpse of these files.
More details about the attack scenario are available in the researchers’ post.