This novel approach exploits vulnerabilities in legitimate, Microsoft co-signed drivers to gain kernel-level access and then disarm the security software installed on the machine.

The year has hardly started, and cybercriminals have already been hard at work using a novel technique to infiltrate systems.  

On 6 Feb, they were found to have used a Microsoft co-signed (yet vulnerable) third-party driver to patch the Windows kernel in memory so that their own unsigned malicious driver could be loaded, and then to take out security applications from kernel space. This paved the way for the payload: the RobbinHood ransomware.

Researchers at Sophos disclosed their findings in a new report, Living off another land: Ransomware borrows vulnerable driver to remove security software. They state that while ransomware attempting to circumvent security products is not new, this is the first time they have seen a vulnerable co-signed driver used to subvert the kernel for that purpose.

In view of this development, Mark Loman, director of engineering at Sophos, has shared his views on best practices for preventing RobbinHood ransomware attacks. RobbinHood ransomware ships with two drivers: a legitimately signed but vulnerable third-party driver, and a malicious unsigned driver whose sole purpose is to take out defenses. The malicious driver contains only the code needed to kill defenses, nothing else. So even on a fully patched Windows computer with no known vulnerabilities, the ransomware brings its own vulnerability, and the attackers use it to destroy your defenses as a precursor to the ransomware attack.

“Our analysis of the two ransomware attacks shows how rapidly and dangerously the threat continues to evolve. This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted.”

Organisations can defend against such an attack with a three-pronged approach.

  • First, since today’s ransomware attacks use multiple techniques and tactics, defenders need to deploy a range of technologies to disrupt as many stages of the attack as possible, integrate the public cloud into their security strategy, and enable important functionality, including tamper protection, in their endpoint security software. If possible, complement this with threat intelligence and professional threat hunting.
  • Second, apply strong security practices like multi-factor authentication, complex passwords, limited access rights, regular patching, and data backups, and lock down vulnerable remote access services.
  • Last, but not least, invest, and keep investing in, employee security training.
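As an added example that is not from the Sophos report or this page, the hunting logic below looks for the driver-load sequence described above in Sysmon DriverLoad (Event ID 6) records: a signed third-party driver appearing outside the normal driver directory, followed shortly afterwards on the same host by an unsigned driver. The field names follow Sysmon's Event ID 6 schema; the hostnames, file names, vendor name, timestamps and the five-minute window are constructed for illustration. The medium-severity rule goes slightly beyond the page's single case: on 64-bit Windows an unsigned kernel driver should not load at all, so a lone unsigned load is flagged even without a third-party precursor.

```python
"""Hunt for the 'bring your own vulnerable driver' load sequence in Sysmon
DriverLoad (Event ID 6) records. Added example; the events below are
constructed, not real telemetry."""
from datetime import datetime, timedelta

# Signers treated as first-party; anything else counts as a third-party driver.
MICROSOFT_SIGNERS = ("Microsoft Windows", "Microsoft Corporation")
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6 records (host, UtcTime, ImageLoaded, Signed,
# Signature, SignatureStatus). Hostnames, paths, times and the vendor name
# are placeholders made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "UtcTime": "2020-02-06 09:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # A legitimately signed third-party driver dropped into a temp directory:
    # the candidate "borrowed" vulnerable driver.
    {"host": "WS01", "UtcTime": "2020-02-06 09:01:12.000",
     "ImageLoaded": r"C:\Windows\Temp\vendorbus.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor Inc.", "SignatureStatus": "Valid"},
    # Eight seconds later an unsigned driver loads on the same host.
    {"host": "WS01", "UtcTime": "2020-02-06 09:01:20.000",
     "ImageLoaded": r"C:\Windows\Temp\killer.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Normal third-party NIC driver loaded from the system driver directory.
    {"host": "WS02", "UtcTime": "2020-02-06 09:05:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\e1d.sys",
     "Signed": "true", "Signature": "Intel Corporation", "SignatureStatus": "Valid"},
    # Lone unsigned driver hours later, no third-party precursor in the window.
    {"host": "WS02", "UtcTime": "2020-02-06 12:00:00.000",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\tmp1.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def parse_time(utc):
    """Sysmon UtcTime is formatted 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def is_unsigned(ev):
    """Anything without a valid signature is treated as unsigned."""
    return ev["Signed"].lower() != "true" or ev["SignatureStatus"] != "Valid"


def is_third_party_signed(ev):
    return not is_unsigned(ev) and not ev["Signature"].startswith(MICROSOFT_SIGNERS)


def outside_system_driver_dir(ev):
    return not ev["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIR)


def hunt(events, window=timedelta(minutes=5)):
    """Return findings in event-time order.

    high:   unsigned driver loaded within `window` of a signed third-party
            driver on the same host (the sequence the page describes).
    medium: unsigned driver with no such precursor (still abnormal on x64).
    low:    signed third-party driver loaded from outside the system driver
            directory (the dropped vulnerable driver, before anything else happens).
    """
    findings = []
    third_party_loads = {}  # host -> [(time, event)] for signed third-party drivers
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t, host = parse_time(ev["UtcTime"]), ev["host"]
        if is_third_party_signed(ev):
            third_party_loads.setdefault(host, []).append((t, ev))
            if outside_system_driver_dir(ev):
                findings.append({"host": host, "severity": "low", "driver": ev["ImageLoaded"],
                                 "reason": "signed third-party driver loaded from non-standard path"})
            continue
        if is_unsigned(ev):
            precursors = [p for pt, p in third_party_loads.get(host, []) if t - pt <= window]
            if precursors:
                findings.append({"host": host, "severity": "high", "driver": ev["ImageLoaded"],
                                 "precursor": precursors[-1]["ImageLoaded"],
                                 "reason": "unsigned driver loaded shortly after a signed third-party driver"})
            else:
                findings.append({"host": host, "severity": "medium", "driver": ev["ImageLoaded"],
                                 "reason": "unsigned kernel driver loaded"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["driver"], "-", f["reason"])
```

To use it on real telemetry, parse the Sysmon event XML for Event ID 6 into dicts with the same keys and pass them to hunt(). The window and the first-party signer list are tuning knobs; a production rule would additionally compare the signed driver's Hashes field against a blocklist of known-vulnerable drivers, which this page does not provide.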