Ransomware taps vulnerable driver to kill security software

News by Chandu Gopalakrishnan

Ransomware operators have started using legitimate, digitally signed hardware drivers to delete security products from targeted computers

Ransomware operators have started using legitimate, digitally signed hardware drivers to delete security products from targeted computers, reports Sophos.

A probe into two different ransomware attacks showed that attackers deployed a legitimate hardware driver to delete security products from the computers before encrypting files, said a Sophos report by researchers Andrew Brandt and Mark Loman.

The signed driver is part of an obsolete software package issued by Taiwan-based motherboard manufacturer Gigabyte, in which a vulnerability was disclosed in 2018. Even though the company stopped issuing the vulnerable driver, it remains present on devices, posing a security threat, said the report.

What makes this particular attack different from other ransomware campaigns is the way the attackers brought this vulnerable driver to bear in the attack kill-chain, Brandt, principal security researcher at Sophos, told SC Media UK.

“This was the first time we’ve seen this gdrv.sys driver used to enable a malware attack, but it isn’t the first time the driver has been used to bypass protection measures on a Windows computer,” he said. 

“For instance, in the course of this investigation we found that there are several versions of at least one tool designed to help people cheat at the online game PUBG (PlayerUnknown’s Battlegrounds) that deploy the identical Gigabyte driver file, presumably to get around anti-cheating mechanisms installed alongside the game. This strengthens the argument that there’s an increasingly narrow distinction between developers of online game cheating tools and people who create novel malware kill chains,” he explained.

The specific Gigabyte driver file found in the attack is not the sole file capable of doing this, noted Brandt. 

“There are commercially-produced drivers for a variety of products for which there have already been CVEs issued that are also capable of performing the same role as gdrv.sys but we haven’t seen them used.”

Sophos has not attributed this particular attack to any threat group.
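The technique the report describes, a legitimately signed but vulnerable driver loaded so that malware can disable endpoint protection, leaves a trace at the point where the driver is loaded. Below is an added detection example, not code from the Sophos report or from SC Media, that triages driver-load telemetry for that pattern. The sample records are constructed to resemble Sysmon Event ID 6 (Driver loaded) data flattened to key=value lines; the only driver name taken from the article is gdrv.sys, the hashes and the Gigabyte signer string are placeholders, and the "expected driver directory" heuristic is an assumption that will need tuning (legitimate drivers also load from the DriverStore), so it is a triage aid, not a verdict.

```python
"""Triage driver-load events for signed-but-abusable drivers (added example).

Input lines are constructed to resemble Sysmon Event ID 6 records flattened to
key=value form. Nothing here is real telemetry; hashes and the vendor signer
string are placeholders.
"""
import re

# Driver names known to be abused to unload security products. gdrv.sys is the
# one named in the Sophos report; other CVE'd drivers would be added here from a
# maintained source (assumption: the list is curated locally).
WATCHLIST = {"gdrv.sys"}

# Assumption: on this fleet, kernel drivers are expected to live here. Drivers
# dropped into user-writable paths (Public, Temp, Downloads) are worth a look.
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    r'UtcTime="2020-02-06 10:12:01.123" ImageLoaded=C:\Windows\System32\drivers\tcpip.sys '
    r'Hashes=SHA256=PLACEHOLDER_A Signed=true Signature="Microsoft Windows"',
    r'UtcTime="2020-02-06 10:12:05.456" ImageLoaded=C:\Users\Public\gdrv.sys '
    r'Hashes=SHA256=PLACEHOLDER_B Signed=true Signature="VENDOR_SIGNER_PLACEHOLDER"',
    r'UtcTime="2020-02-06 10:12:09.789" ImageLoaded=C:\Windows\System32\drivers\gdrv.sys '
    r'Hashes=SHA256=PLACEHOLDER_B Signed=true Signature="VENDOR_SIGNER_PLACEHOLDER"',
    r'UtcTime="2020-02-06 10:12:12.000" ImageLoaded=C:\Windows\Temp\x.sys '
    r'Hashes=SHA256=PLACEHOLDER_C Signed=false Signature=-',
]

# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_event(line):
    """Turn one flattened record into a dict, stripping surrounding quotes."""
    return {key: raw.strip('"') for key, raw in _KV.findall(line)}


def assess(event):
    """Return the list of reasons a driver-load event deserves attention (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    directory, _, name = image.rpartition("\\")
    name = name.lower()
    directory = directory.lower()

    if name in WATCHLIST:
        reasons.append("known-abusable driver")
    if directory != EXPECTED_DRIVER_DIR:
        # Heuristic, noisy on purpose: a signed driver loaded from a user path
        # is exactly what a "bring your own vulnerable driver" attack looks like.
        reasons.append("loaded from outside the system driver directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    return reasons


def scan(lines):
    """Parse and assess every record; return only the ones with findings, in input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append({
                "time": event.get("UtcTime"),
                "image": event.get("ImageLoaded"),
                "hashes": event.get("Hashes"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f'{finding["time"]}  {finding["image"]}  <- {", ".join(finding["reasons"])}')
```

Run against the constructed records it reports three of the four loads: gdrv.sys from a public folder (watchlist hit plus unexpected path), gdrv.sys from the system driver directory (watchlist hit only, which is the case tamper-protection and a driver blocklist are meant to cover), and an unsigned driver from Temp. The watchlist match on file name is deliberately the weakest signal; in production the hash field, which Sysmon supplies, is what the allow/deny decision should key on.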

Brandt suggests a three-point defence plan to mitigate the risk of this attack:

1. Use threat protection that disrupts the whole attack chain. With ransomware attacks using multiple techniques and tactics, focusing the defence on a single technology leaves the target vulnerable. Instead, a range of technologies should be deployed to disrupt as many stages in the attack as possible. The public cloud should be integrated into the target’s security strategy.

2. Implement strong security practices, including multi-factor authentication (MFA), complex passwords managed through a password manager, limited access rights with proper oversight, offsite and offline backups, and locking down RDP. Enabling tamper protection is also important: ransomware strains attempt to disable endpoint protection, and tamper protection is designed to prevent exactly this.

3. Continuous, up-to-date staff training: people are invariably the weakest link in cyber-security, and cyber-criminals are experts at exploiting normal human behaviours for nefarious gain. Staff training therefore needs continuous investment and regular updating.
