RobbinHood ransomware is back through a Gigabyte driver exploit and can shut down endpoint security applications
Security researchers at Sophos have identified a new variant of the RobbinHood ransomware that exploits a vulnerability in a driver from motherboard manufacturer Gigabyte. Though the vulnerability was reported in 2018, as CVE-2018-19320, Gigabyte ignored the report and responded that there were no vulnerabilities in its drivers. The vulnerable driver was later discontinued, but it still exists, and the vulnerability remains unpatched on the motherboards already manufactured with it.
Understanding the criticality of this vulnerability, attackers have developed a new RobbinHood variant that can remove endpoint security applications before it installs itself on a system. The whole purpose of endpoint security products is to detect malware, but this threat creates a new challenge for endpoint protection.
Five key files of this ransomware variant
The variant consists of several files that together trigger the removal of endpoint security applications. The key file is STEEL.EXE, which kills the security applications; ROBNR.EXE runs the driver installer, while GDRV.SYS (the Gigabyte kernel driver) and RBNL.SYS are the vulnerable and malicious drivers it installs; finally, PLIST.TXT lists the processes and files to be destroyed. This anti-virus bypass method works on Windows 7, Windows 8 and Windows 10.
After STEEL.EXE has disabled the anti-virus and the files listed in PLIST.TXT have been removed, the ransomware can encrypt all the data on the infected system without detection or hindrance. The attacker brings his own vulnerability and deploys it on the targeted system, so even a fully patched and updated system can still fall victim to this RobbinHood variant.
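The chain described above leaves a recognisable trace: a validly signed but known-vulnerable driver is loaded, typically from an unusual path, and an unsigned driver follows it moments later. The script below, an added example that is not Sophos's detection logic or anything from the ransomware, runs that check over constructed Sysmon-style "Driver loaded" (Event ID 6) lines. The five-minute correlation window and the tab-separated log layout are assumptions for the example; the driver names come from the article.

```python
"""Flag the bring-your-own-vulnerable-driver chain in Sysmon-style driver-load
events (Event ID 6). Added example: not Sophos code, not ransomware code; the
log lines below are constructed for illustration."""
from datetime import datetime, timedelta

# File names from the article. gdrv.sys is the validly signed but vulnerable
# Gigabyte driver (CVE-2018-19320); rbnl.sys is the malicious driver loaded through it.
VULNERABLE_DRIVERS = {"gdrv.sys"}
MALICIOUS_DRIVERS = {"rbnl.sys"}
CHAIN_WINDOW = timedelta(minutes=5)          # assumption: max gap between the two loads
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample events: ISO timestamp, then Sysmon Event ID 6 field names.
SAMPLE_EVENTS = [
    "2020-02-06T10:14:02Z\tEventID=6\tImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys"
    "\tSignature=Microsoft Windows\tSignatureStatus=Valid",
    "2020-02-06T10:15:11Z\tEventID=6\tImageLoaded=C:\\Windows\\Temp\\gdrv.sys"
    "\tSignature=GIGA-BYTE TECHNOLOGY CO., LTD.\tSignatureStatus=Valid",
    "2020-02-06T10:15:13Z\tEventID=6\tImageLoaded=C:\\Windows\\Temp\\rbnl.sys"
    "\tSignature=\tSignatureStatus=Unsigned",
    "2020-02-06T10:40:00Z\tEventID=6\tImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "\tSignature=Microsoft Windows\tSignatureStatus=Valid",
]


def parse_event(line):
    """Split one tab-separated 'key=value' line into a dict with a parsed timestamp."""
    ts_text, *pairs = line.rstrip("\n").split("\t")
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    path = event.get("ImageLoaded", "")
    event["path"] = path.lower()
    event["driver"] = path.rsplit("\\", 1)[-1].lower()
    return event


def analyze(lines):
    """Return (severity, driver, reason) alerts, oldest event first."""
    events = [parse_event(line) for line in lines if "EventID=6" in line]
    alerts = []
    last_vulnerable_load = None  # time of the most recent known-vulnerable driver load

    for ev in sorted(events, key=lambda e: e["ts"]):
        name = ev["driver"]
        if name in VULNERABLE_DRIVERS:
            # A valid signature is expected here: the attacker ships the real driver,
            # so signature checks alone will not catch it. Location is the better tell.
            where = "inside" if ev["path"].startswith(TRUSTED_DRIVER_DIR) else "outside"
            alerts.append(("medium", name,
                           f"known-vulnerable driver loaded from {where} the system driver directory"))
            last_vulnerable_load = ev["ts"]
        if ev.get("SignatureStatus") != "Valid" or name in MALICIOUS_DRIVERS:
            alerts.append(("high", name, "unsigned or known-malicious driver loaded"))
            if last_vulnerable_load and ev["ts"] - last_vulnerable_load <= CHAIN_WINDOW:
                alerts.append(("critical", name,
                               f"loaded within {CHAIN_WINDOW} of a vulnerable driver: BYOVD chain"))
    return alerts


if __name__ == "__main__":
    for severity, driver, reason in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {driver}: {reason}")
```

The medium alert on gdrv.sys alone is worth keeping even where it is a legitimate Gigabyte install, because the article's point is that the signed driver is the vulnerability: its presence on a host that has no Gigabyte board, or its load from a temp directory, is the signal that the attacker has brought it along.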
How to defend against this new Gigabyte exploit
Ransomware now employs multiple attack strategies to infiltrate a network or system, so users must adopt multiple security strategies that disrupt the ransomware's workflow before it completes its task. It is important to combine multiple technologies and security layers, and to integrate public cloud services into the cyber strategy.
Organizations and users need to practice cyber hygiene: employ MFA and strong passwords, limit user privileges, safeguard data by following the 3-2-1 backup rule, enable RDP only when it is required and, above all, enable tamper protection to prevent malware from shutting down endpoint security applications.
Investing in cyber education for employees, clients and staff should also be mandatory.