Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks (Security News, February 2020)

A kernel-level Windows driver for old PC motherboards has been abused by criminals to silently disable antivirus protections, and hold files to ransom.
When the ransomware infects a computer - either by some other exploit or by tricking a victim into running it - and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.
"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos explains.
Specifically, RobbinHood loads the Gigabyte driver, exploits the read-write hole to turn off code-signing checks, loads its own unsigned driver unobstructed, and then instructs it to kill off the processes and files of antivirus products, including their kernel drivers.
RobbinHood requires administrator access to load the vulnerable motherboard driver in the first place, so you may be thinking what's the point of all of this: if you're a miscreant with admin access, you can do anything you like.
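The sequence described above (a validly signed third-party driver loads, then an unsigned driver loads moments later) is what a defender wants to alert on. The following is an added example, not code from the article or from Sophos: it runs a simple sequence check over constructed Sysmon-style driver-load records (the DriverLoad event's signature fields), flagging any unsigned driver load and any unsigned load shortly after a validly signed non-Microsoft driver. The field names, paths and signer strings are assumptions modelled on Sysmon Event ID 6.

```python
from datetime import datetime, timedelta

# Constructed records mimicking Sysmon Event ID 6 (DriverLoad) fields.
# The paths, times and signer names are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2020-02-07T10:00:01", "image": r"C:\Windows\System32\drivers\ntfs.sys",
     "signed": "true", "status": "Valid", "signature": "Microsoft Windows"},
    {"time": "2020-02-07T10:05:10", "image": r"C:\Users\victim\AppData\Local\Temp\vendor_driver.sys",
     "signed": "true", "status": "Valid", "signature": "Example Motherboard Vendor"},
    {"time": "2020-02-07T10:05:12", "image": r"C:\Users\victim\AppData\Local\Temp\payload.sys",
     "signed": "false", "status": "Unavailable", "signature": ""},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _validly_signed(event):
    return event["signed"] == "true" and event["status"] == "Valid"


def unsigned_driver_loads(events):
    """Every driver load that is not validly signed is worth an alert on its own:
    on a machine enforcing driver signing, this should never happen."""
    return [e["image"] for e in events if not _validly_signed(e)]


def find_byovd_sequences(events, window_seconds=60):
    """Return (signed_driver, unsigned_driver) pairs where an unsigned driver
    loads within window_seconds after a validly signed non-Microsoft driver,
    the shape of the 'signed wedge, then unsigned payload' chain."""
    ordered = sorted(events, key=_ts)
    hits = []
    for i, first in enumerate(ordered):
        # Only a validly signed third-party driver can act as the wedge.
        if not _validly_signed(first) or first["signature"].startswith("Microsoft"):
            continue
        deadline = _ts(first) + timedelta(seconds=window_seconds)
        for later in ordered[i + 1:]:
            if _ts(later) > deadline:
                break
            if not _validly_signed(later):
                hits.append((first["image"], later["image"]))
    return hits


if __name__ == "__main__":
    for wedge, payload in find_byovd_sequences(SAMPLE_EVENTS):
        print(f"ALERT: unsigned driver {payload} loaded shortly after signed driver {wedge}")
```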