RobbinHood ransomware abuses vulnerable drivers for attacks

Security researchers observed the RobbinHood ransomware abusing a vulnerable driver to delete security products before initiating its encryption routine.


RobbinHood ransomware comes with both a vulnerable driver and a malicious driver that has the sole purpose of taking out defences.

According to Mark Loman, the director of engineering at Sophos, this malicious driver contains only code to kill, nothing else. So even if users have fully patched their Windows systems with no known vulnerabilities, the ransomware provides attackers with one that lets them destroy their defences as a precursor to the attack.

“Our analysis of the two ransomware attacks shows how rapidly and dangerously the threat continues to evolve. This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted,” says Loman.

According to SophosLabs research, the RobbinHood ransomware family uses this strategy to encrypt files without being hindered by endpoint protection software. The ransomware successfully subverts a setting in kernel memory on Windows 7, Windows 8 and Windows 10.

Sophos recommends a three-pronged approach for organizations to prevent being affected by such an attack. First, since today’s ransomware attacks use multiple techniques and tactics, defenders need to deploy a range of technologies to disrupt as many stages of the attack as possible, integrate the public cloud into their security strategy, and enable important functionality, including tamper protection, in their endpoint security software. If possible, complement this with threat intelligence and professional threat hunting.

Second, they should apply strong security practices like multi-factor authentication, complex passwords, limited access rights, regular patching, and data backups, and lock down vulnerable remote access services. Last, but not least, invest, and keep investing, in employee security training.



