Ransomware Installs Gigabyte Driver To Kill Antivirus Products

A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. From a report:


The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped. This new novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos. In both cases, the ransomware was RobbinHood, a strain of “big-game” ransomware that’s usually employed in targeted attacks against selected, high-value targets. In a report published late last night, Sophos described this new technique as follows:

  1. Ransomware gang gets a foothold on a victim’s network.
  2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.

  1. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
  2. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
  3. Hackers install a malicious kernel driver named RBNL.SYS.
  4. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
  5. Hackers execute the RobbinHood ransomware and encrypt the victim’s files

The info you shared and the picture(first image) don’t match.
Citing from shared site link.

Reference alert!

That Ransomware swap control with many components, also it can revoke admin rights, like it is shown in the above picture!