Ransomware installs Gigabyte driver
to kill antivirus products
to kill antivirus products
It has been reported that a ransomware gang, those that encrypt your sensitive stuff and ask you for a fee to decrypt it (if they ever do it), has found another method to vulnerate your PC if your motherboard chipset belongs to Gigabyte. Yes, it deactivates your Antivirus in no time.
https://www.zdnet.com/article/ransomware...-products/
ZDNet wrote Wrote:In a report published late last night, Sophos described this new technique as follows:
Per Sophos, this antivirus bypassing technique works on Windows 7, Windows 8, and Windows 10.
- Ransomware gang gets a foothold on a victim's network.
- Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
- Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
- Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
- Hackers install a malicious kernel driver named RBNL.SYS.
- Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
- Hackers execute the RobbinHood ransomware and encrypt the victim's files.
Basically what it says is that they manage to connect to your home network (by hacking your WiFi or your router?) and then place a driver that impersonates the usual Gigabyte driver. Nope, it's not like they care about your security. They just know that driver so well as to send a few commands to force it to do their bidding! They deactivate Windows features and then it's free to install the real malware that might steal all of your precious moments captured with your camera or all those valuable documents and spreadsheets you had to submit by the end of the week. Antivirus get some serious sleep and after a while you'd get a request for making a payment. Usually they keep asking for more and more money for nothing in return.
ZDNet wrote Wrote:For this debacle, two parties are at fault -- first Gigabyte, and then Verisign.
Gigabyte's fault resides in its unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.
Now you know how exactly you've ended up fearing when that massive and terrible data loss might ever happen.
ZDNet wrote Wrote:The company's downright refusal to recognize the vulnerability led the researchers who found the bug to publish public details about this bug, along with proof-of-concept code to reproduce the vulnerability. This public proof-of-concept code gave attackers a roadmap to exploiting the Gigabyte driver.
When public pressure was put on the company to fix the driver, Gigabyte instead chose to discontinue it, rather than releasing a patch.
Well, usually whenever a programmer demonstrates that some piece of code is vulnerable, the companies involved in that mess do something to remedy it... except for Gigabyte!
Of course, hackers like those living in North Korea or Iran or probably China as well are now fully aware of this epic fail and can now target as many affected Gigabyte based PC's as possible.
Verisign, a company in charge of driver security certificates, could have invalidated the driver's certificate as a way to tell Windows it's unsafe... but they just ignored the issue as well.
Keep in mind there are other variants of this kind of cyber attack that may even reboot your PC to enter safe mode and make sure you can't run any antivirus software!
What I'd usually recommend you here would be to do any of the following:
- Ditch Windows altogether and keep using Linux
- Install Linux in a separate harddisk or disk partition and then install any antivirus available for Linux that you can run to get rid of any malicious software found in your Windows partition(s).
The following section applies only to other variants of this cyberattack
Sadly Houston, we got a problem here. AFAIK there's no antivirus that can check if your motherboard chips got compromised. You'd need to call a technician to flash your compromised chip, hoping it won't render your motherboard useless in case the flashing fails or keeps failing. If carefully done, it should usually work... Still, I can't guarantee that will be more than enough to get rid of the menace.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE