Hi, how are you? It is remarkable how attackers keep refining their techniques against PCs, and how they keep looking for ways around the security measures of both users and the operating system. In this post we will see how a driver is used to shut down the antivirus and install ransomware on Windows. Specifically, the RobbinHood ransomware abuses a vulnerability in a legitimate, signed Gigabyte driver to disable the antivirus and then deploy its payload on the PC. Before we continue, let's recall what ransomware is. It is malware that infects the computer and displays a message demanding payment to restore the system's files.
It works by encrypting the files on the device, taking away control of all the information and data stored on it. The malware then shows a pop-up window demanding a ransom, usually payable in cryptocurrency. Ransomware is typically delivered through misleading links included in an e-mail, instant message or website.
How the RobbinHood ransomware works
As mentioned above, this threat relies on a driver from Gigabyte (gdrv.sys). The driver has a security flaw, and the exploit bundled with the ransomware uses it to disable the antivirus. It is not even necessary to have Gigabyte hardware installed: the driver carries a valid Gigabyte signature, so Windows will load it on any machine. The attackers use the flaw in the genuine driver to load a second driver of their own that has no digital signature, something 64-bit Windows would normally refuse to do. The purpose of this second, unsigned driver is to kill the antivirus from kernel mode. With the defences gone, the ransomware can run undisturbed.
With the antivirus out of the way, the ransomware takes control of the machine and encrypts the data on its disks. It then displays a message like the one below, demanding payment and warning that the data cannot be recovered otherwise.
The exploit for the security flaw is hidden in a file called Steel.exe. When it runs, it drops ROBNR.EXE together with the two drivers: the vulnerable one (signed by Gigabyte) and the unsigned one developed by the attackers. As mentioned above, no Gigabyte component needs to be present on the computer; the ransomware itself installs the Gigabyte driver and carries out the attack. The ransom note demands payment in Bitcoin within four days. After that, the price rises by $10,000 per day for the next six days, and then the keys are deleted from the attackers' server and the data is lost for good.
According to the researchers who analysed it, this is the first time ransomware has used a trusted, signed third-party driver to attack the Windows kernel, loaded a second malicious unsigned driver through it, and disabled the antivirus directly from kernel mode.
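A detection angle on the chain described above, as an added example that is not part of the original article or of any vendor's tooling: the sequence "a signed but known-vulnerable driver loads, then an unsigned driver loads minutes later" is visible in driver-load telemetry such as Sysmon Event ID 6 ("Driver loaded"). The script below parses a handful of constructed Sysmon-style records (timestamps, paths, hashes and the unsigned drivers' file names are invented for the example; only the name gdrv.sys comes from the article) and raises a separate finding for each step, with the highest severity when both steps occur within a short window.

```python
"""Flag the signed-vulnerable-driver -> unsigned-driver chain in driver-load events.

Added example, not code from the original article or any vendor. Input records
mimic the EventData fields of Sysmon Event ID 6 ("Driver loaded").
"""
import ntpath
from datetime import datetime, timedelta

# Assumption: the defender keeps a deny list of exploitable driver file names.
# gdrv.sys is the name given in the article. In production, match on SHA-256
# from the Hashes field instead; a file name is trivial to change.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}

# Time window in which an unsigned load following a vulnerable-driver load is
# treated as one chain. Chosen for this example, not taken from the article.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed sample log of four driver-load records. Timestamps, paths, hashes
# and the two unsigned driver names are invented for this example.
SAMPLE_LOG = r"""
UtcTime: 2020-02-06 09:58:12.101
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2020-02-06 10:03:44.512
ImageLoaded: C:\Windows\Temp\gdrv.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Giga-Byte Technology
SignatureStatus: Valid

UtcTime: 2020-02-06 10:04:01.007
ImageLoaded: C:\Windows\Temp\example_unsigned.sys
Hashes: SHA256=3333333333333333333333333333333333333333333333333333333333333333
Signed: false
Signature: -
SignatureStatus: Unavailable

UtcTime: 2020-02-06 15:30:00.000
ImageLoaded: C:\Windows\Temp\late_unsigned.sys
Hashes: SHA256=4444444444444444444444444444444444444444444444444444444444444444
Signed: false
Signature: -
SignatureStatus: Unavailable
"""


def parse_events(text):
    """Parse blank-line separated 'Field: value' records, sorted by time."""
    events = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return sorted(events, key=lambda e: e["UtcTime"])


def driver_name(event):
    """Lower-cased file name of the loaded driver (ntpath splits backslashes on any OS)."""
    return ntpath.basename(event["ImageLoaded"]).lower()


def is_unsigned(event):
    """True unless the driver carries a signature that Sysmon reported as valid."""
    return event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid"


def detect(events):
    """Return (severity, rule, driver) findings for each suspicious load."""
    findings = []
    vulnerable_loads = []  # times at which a deny-listed driver was loaded
    for ev in events:
        name = driver_name(ev)
        if name in KNOWN_VULNERABLE_DRIVERS:
            findings.append(("medium", "known-vulnerable-driver-loaded", name))
            vulnerable_loads.append(ev["UtcTime"])
        if is_unsigned(ev):
            # With Driver Signature Enforcement on, an unsigned kernel driver
            # should never load at all, so this alone deserves an alert.
            findings.append(("high", "unsigned-driver-loaded", name))
            # Shortly after a deny-listed signed driver: the two-step chain.
            if any(ev["UtcTime"] - t <= CHAIN_WINDOW for t in vulnerable_loads):
                findings.append(("critical", "byovd-chain", name))
    return findings


if __name__ == "__main__":
    for severity, rule, driver in detect(parse_events(SAMPLE_LOG)):
        print(f"{severity:8} {rule:32} {driver}")
```

Keying the deny list on file name is only for illustration; a real rule matches on the SHA-256 of the known-vulnerable driver, since the attacker chooses both the file name and the path it is dropped into. The fourth record shows why the time window matters: an unsigned load hours later is still worth an alert on its own, but is not correlated with the earlier gdrv.sys load.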
Gigabyte knew about the bug, but did not fix it.
In a display of irresponsibility, Gigabyte has known about this flaw since December 2018. Instead of fixing it, the manufacturer decided to discontinue support for the driver. Consequently, users remained exposed to this security problem until the attack appeared. Some security experts claim there is no way to defend against this ransomware: even with a good antivirus and all security patches installed, the attack succeeds. The caveat a practitioner should keep in mind is that loading a driver, even a signed one, requires administrative privileges, so the technique only works once the attackers already have admin rights on the machine. It is a way of finishing off the defences, not a way of getting in.
As always, the best protection against attackers is common sense: avoid downloading and using pirated programs, be wary of unexpected e-mails, and check the websites you visit. It is also advisable to keep backups of your data in the cloud or on external hard drives that are disconnected when not in use, so that an infection does not take your files with it. That is all for now on how this driver shuts down the antivirus and installs ransomware on Windows. Before I go, I invite you to read our post about repairing the search bar in Windows 10.