February 7, 2020 By Ed Targett
“This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device”
A ransomware strain dubbed “RobbinHood” is using a vulnerability in a “legitimate”, signed hardware driver to delete security products from targeted computers before encrypting users’ files, according to security researchers at Sophos.
The ransomware exploits a known vulnerability in the driver from Taiwan’s GIGABYTE to subvert a setting in kernel memory in Windows 10, 8 and 7, meaning it “brings its own vulnerability” and can attack otherwise patched systems.
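Because the driver carries a valid signature, a check on signature status alone will not catch this pattern; detection has to look at what was loaded and from where. The following added example (not code from the article or from Sophos) triages constructed driver-load events with fields loosely modelled on Sysmon's driver-load record; the hash denylist and the sample events are placeholders, not real indicators.

```python
"""Flag driver-load events that look like 'bring your own vulnerable driver'.
Added example, not code from the article or from Sophos. The event layout
loosely mirrors a Sysmon driver-load record; all events, hashes and paths
below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Hashes of known-vulnerable signed drivers would come from threat intel;
# this value is a constructed placeholder, not a real indicator.
KNOWN_VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_VULN_DRIVER"}
# Directory from which a kernel driver would normally be loaded.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverLoad:
    image: str     # full path of the loaded .sys file
    signed: bool   # did Windows accept the Authenticode signature?
    signer: str    # subject of the signing certificate
    sha256: str    # hash of the driver image


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons to alert on one event; empty means nothing suspicious."""
    reasons = []
    if ev.sha256 in KNOWN_VULNERABLE_DRIVER_HASHES:
        # A valid signature does not make a driver safe: a signed but
        # vulnerable build is exactly what this technique relies on.
        reasons.append("hash matches known-vulnerable driver")
    if not ev.image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from unexpected directory")
    if not ev.signed:
        reasons.append("unsigned driver")
    return reasons


def triage(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each suspicious driver path to its alert reasons."""
    return {e.image: r for e in events if (r := assess(e))}


# Constructed sample events: one ordinary OS driver, one signed third-party
# driver dropped into a temp directory whose hash is on the denylist.
SAMPLE = [
    DriverLoad("C:\\Windows\\System32\\drivers\\disk.sys", True,
               "Microsoft Windows", "CONSTRUCTED_HASH_BENIGN"),
    DriverLoad("C:\\Windows\\Temp\\vendor.sys", True,
               "Example Hardware Vendor", "PLACEHOLDER_SHA256_VULN_DRIVER"),
]
```

Running `triage(SAMPLE)` flags only the temp-directory driver, for both the hash match and the unusual load path, even though its signature was accepted.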