Scam of the Week: RobbinHood Ransomware Employs Sneaky New Tactic to Evade Detection

The infamous RobbinHood ransomware has found a new way to disable security software on the machines it infects: it brings a legitimate, digitally signed hardware driver with it and abuses a flaw in that driver to kill and delete security products before encrypting files.

By exploiting a known vulnerability in a driver produced by Taiwanese firm Gigabyte, attackers who already hold administrative access to a machine can load the signed driver, use the flaw to run code with kernel privileges on Windows 7, 8 and 10, and then deploy RobbinHood ransomware.

With kernel-level control, the ransomware can terminate and delete the anti-virus and endpoint protection software running on the system, leaving the attackers free to encrypt the user’s files. Windows accepts the driver because it carries a valid vendor signature; the security software is not so much tricked as overpowered, since it is killed from the kernel, where the tamper-protection features built into the product do not help.

The new attack method was uncovered by security researchers at Sophos, who noted how rapidly the ransomware is evolving: “This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted.”

RobbinHood Ransom Note (Source: Sophos)

Gigabyte initially dismissed claims that its driver was vulnerable. Under mounting public pressure it acknowledged the flaw, but rather than issue a patched driver it discontinued support for the product. Discontinuing the driver does nothing to stop the attack: the signature on the old driver remains valid, so Windows will still load it, and RobbinHood carries its own copy and installs it on the victim machine. A device does not need to have the Gigabyte driver installed to be affected.
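Because the malware brings the vulnerable driver with it, the practical defensive question is whether you can see (or block) the driver being loaded. The script below is an added example, not code from Sophos or from the page's author: it triages Sysmon Event ID 6 (DriverLoad) records exported as JSON, using the field names Sysmon actually emits (ImageLoaded, Hashes, Signed, Signature, SignatureStatus), and flags a driver load when it comes from outside the normal driver directories, matches a defender-maintained list of known-vulnerable driver hashes, or is unsigned. The block-list hash, the driver file names and the sample records are constructed for illustration and are not real indicators.

```python
"""Flag suspicious kernel driver loads in Sysmon-style DriverLoad records.

Added example, not Sophos's or the page author's code. Assumes Sysmon
Event ID 6 records exported as one JSON object per line. The hash on the
block list and the driver names in the sample records are hypothetical.
"""
import json

# Directories where Windows normally keeps kernel drivers (lower-cased for
# comparison). A driver that malware "brings with it" is typically dropped
# into and loaded from somewhere else, such as a temp directory.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Defender-maintained list of SHA256 hashes of known-vulnerable drivers.
# This entry is a made-up placeholder, not the hash of any real driver.
KNOWN_VULNERABLE_SHA256 = {"0" * 63 + "1"}


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into {algo: hexvalue}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event):
    """Return the reasons a DriverLoad event looks suspicious (empty list if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    if not any(image.lower().startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from a non-standard path: " + image)
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("driver hash is on the known-vulnerable list")
    signed = str(event.get("Signed", "")).lower() == "true"
    if not signed or event.get("SignatureStatus", "") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")
    return reasons


def triage(records):
    """records: iterable of JSON lines. Returns [(ImageLoaded, reasons)] for flagged loads."""
    findings = []
    for line in records:
        ev = json.loads(line)
        if ev.get("EventID") != 6:      # only DriverLoad events
            continue
        reasons = assess_driver_load(ev)
        if reasons:
            findings.append((ev.get("ImageLoaded"), reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Normal Microsoft driver from the standard directory: should not be flagged.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                "Hashes": "SHA256=" + "ab" * 32, "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    # Validly signed third-party driver dropped into a temp directory whose
    # hash is on the block list: the "bring your own vulnerable driver" pattern.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\vendor_util.sys",
                "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true",
                "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid"}),
    # Unsigned driver loaded from a temp directory.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\payload.sys",
                "Hashes": "SHA256=" + "cd" * 32, "Signed": "false",
                "Signature": "", "SignatureStatus": "Unsigned"}),
    # Unrelated event type, ignored by triage().
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"}),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_RECORDS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The path check is a heuristic rather than a rule: some legitimate installers load drivers from a temporary directory while installing, so treat that signal as a prompt to look at the driver's signer and hash, not as proof of compromise. The hash list is the precise part, and it only helps if you maintain it.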

RobbinHood ransomware has been growing in prominence and was responsible for bringing the US city of Baltimore to a standstill in May 2019. Hackers used the ransomware to infect and lock down over 10,000 government computers, causing widespread disruption throughout the city.

The systems were out of service for nearly a month. The ransom note demanded 13 Bitcoin (about $76,000) to restore access, but the attack ended up costing the city more than $18 million in damages.

Ransomware continues to pose a significant threat to all organisations and there’s no doubt that attacks are becoming more sophisticated, targeted and costly. According to a recent report, ransomware attacks against businesses have increased 363% year over year.

The US has been hit particularly hard, and in 2019, ransomware attacks impacted 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.

To defend against evolving ransomware threats, organisations must have robust security defences in place to ensure that all potential access points are protected.

How to defend against RobbinHood ransomware

  • Regular Patching – Operating systems, applications and security software should be patched promptly so that attackers cannot get into the network through vulnerabilities in outdated software. Patching alone does not stop this particular trick, because the malware brings the vulnerable driver with it; where your platform supports it, use application control or a driver block list so that known-vulnerable drivers cannot be loaded at all.
  • Backup Data – In addition to live backups, organisations should also have off-site and off-line backups. Often, when hackers infiltrate a network they will try to encrypt or scramble live backups to ensure that organisations have no choice but to pay a ransom. Keeping several copies, at least one of which cannot be reached from the network, will ensure that organisations can recover quickly in the event of a ransomware infection.
  • Enable Two-Factor Authentication – Two-factor authentication adds an additional layer of security to the authentication process. Each login requires a fresh one-off code in addition to the password, so a password that has been guessed, cracked or stolen is not enough on its own to get in.
  • Use Strong and Complex Passwords – A lot of ransomware infections begin with weak passwords that can be easily guessed. Users should create strong passwords that are difficult to crack. A passphrase of several unrelated words, at least 15 characters long, is easier to remember and harder to crack than a short complex password. Alternatively, take the first letter of each word in a memorable sentence as the basis of the password and substitute some letters with numbers and symbols for further protection.
  • Follow good security practices to minimise the risk of infection – Avoid clicking on links or downloading attachments from unknown sources.
  • Security Awareness Training – Employees should receive regular security awareness training to educate them about the different types of cyber threats and what tactics will be used to target them.
  • Develop an Incident Response Plan – Every business should have a secure and reliable incident response plan in place. This will address the full range of incidents that could occur and set out appropriate responses.
  • Limited Access – Administrative rights and system administration tools should be limited to IT personnel or approved employees who need them. Loading a kernel driver requires administrator privileges, so an attacker who only controls an ordinary user account cannot carry out this driver attack without first elevating their access.

MetaPhish provides a powerful defence against phishing and ransomware attacks by training employees how to identify and respond appropriately to these threats. Get in touch for further information on how we can help protect your business.
