What Is It?

A new RobbinHood ransomware variant makes use of a benign Windows driver file containing a known vulnerability. The ransomware exploits this vulnerability to terminate the running processes and delete the files of various endpoint security products, allowing the ransomware component to run unhindered.

It’s a good example of how attackers continuously evolve and innovate to ensure their malware evades detection by security products and infrastructure. Most often, these efforts are directed towards evading detection on the endpoint itself. In recent days, numerous reports have referenced research detailed by Sophos into this new RobbinHood ransomware variant, a new example of endpoint detection evasion.

To be effective, Windows security products take steps to ensure their running processes cannot simply be terminated by other processes and users. This can only be achieved by utilizing kernel mode drivers, which execute with the highest privilege levels. To limit the possibility of malicious kernel mode drivers being loaded, Microsoft implemented what it calls “driver signature enforcement” in 64-bit versions of Windows, which requires that a driver be digitally signed by both the vendor and Microsoft.

However, a driver created by Gigabyte, the well-known Taiwanese manufacturer of motherboards and graphics cards, contains a known vulnerability (CVE-2018-19320). This vulnerability, along with proof-of-concept code, was made public in late 2018. Despite the time that has passed since this public disclosure, the digital signing certificate had not been revoked, so the driver was still considered valid by Windows.

By exploiting the vulnerability, attackers were able to temporarily disable driver signature enforcement and load their own malicious driver. Once the malicious driver is loaded, it terminates the security product processes named in a hardcoded list and then deletes the files associated with those processes so they cannot be restarted. At this point, the ransomware payload is free to encrypt files.

The Gigabyte driver used in this attack is not the only driver with a vulnerability of this type, so there is the potential for other attackers to attempt to use a similar technique. Again, this technique attempts to evade endpoint detection and protection mechanisms; BluVector’s real-time, network-based detection efficacy is not impacted.
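The sequence described above (a signed but vulnerable driver loads, an unsigned driver loads shortly afterwards, then security product processes end) can be correlated in endpoint telemetry. The following is an added example, not code from BluVector or Sophos; the event fields, the placeholder hash, the process names and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions: a placeholder hash standing in for a blocklist of vulnerable
# signed drivers, and hypothetical security-product process names.
VULNERABLE_DRIVER_HASHES = {"<sha256-of-known-vulnerable-driver>"}
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
WINDOW = timedelta(minutes=10)

def ev(ts, host, kind, **fields):
    return {"time": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}

# Constructed sample telemetry (not real logs).
EVENTS = [
    ev("2020-02-10T09:00:00", "ws-01", "driver_load", path="C:\\Temp\\vuln.sys",
       sha256="<sha256-of-known-vulnerable-driver>", signed=True),
    ev("2020-02-10T09:00:20", "ws-01", "driver_load", path="C:\\Temp\\unsigned.sys",
       sha256="<constructed-hash-a>", signed=False),
    ev("2020-02-10T09:00:25", "ws-01", "process_exit", image="edr_agent.exe"),
    ev("2020-02-10T09:00:26", "ws-01", "process_exit", image="av_service.exe"),
    # ws-02: blocklisted driver loads on its own; no unsigned driver follows.
    ev("2020-02-10T09:05:00", "ws-02", "driver_load", path="C:\\Tools\\vuln.sys",
       sha256="<sha256-of-known-vulnerable-driver>", signed=True),
    ev("2020-02-10T09:30:00", "ws-02", "process_exit", image="av_service.exe"),
]

def detect_driver_abuse_chain(events, window=WINDOW):
    """Alert per host when a blocklisted signed driver load is followed within
    `window` by an unsigned driver load; attach protected processes that exit
    within `window` after the unsigned load."""
    stage1, alerts = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        host = e["host"]
        if e["kind"] == "driver_load" and e["sha256"] in VULNERABLE_DRIVER_HASHES:
            stage1[host] = e  # vulnerable signed driver is now present
        elif e["kind"] == "driver_load" and not e["signed"]:
            first = stage1.get(host)
            if first and e["time"] - first["time"] <= window:
                alerts[host] = {"host": host, "vulnerable_driver": first["path"],
                                "unsigned_driver": e["path"],
                                "unsigned_time": e["time"], "terminated": []}
        elif e["kind"] == "process_exit" and host in alerts:
            a = alerts[host]
            if e["image"] in PROTECTED_PROCESSES and e["time"] - a["unsigned_time"] <= window:
                a["terminated"].append(e["image"])
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_driver_abuse_chain(EVENTS):
        print(alert)
```

A blocklisted driver loading on its own, as on the constructed host `ws-02`, produces no alert here; it is the unsigned driver load that follows which marks signature enforcement as having been bypassed.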

How Does It Propagate?

The RobbinHood malware does not contain the necessary code to self-propagate. The most common attack vector for ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

There are three malicious samples related to this malware, and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 56 months prior to their release. The main malicious sample contains the other two malicious samples within itself, and this sample would have been detected 75 months prior to its release.