Light Dark
February 10, 2020 By David Bisson 2 min read

Security researchers observed the RobbinHood ransomware family abusing a vulnerable driver to delete security products before initiating its encryption routine.

In its analysis of two RobbinHood ransomware attacks, Sophos spotted the threat abusing CVE-2018-19320 in a signed Gigabyte driver to circumvent security products on an infected machine. It began this functionality by running its STEEL.exe application. This application was responsible for installing both the signed Gigabyte driver and an unsigned malicious kernel driver capable of killing processes associated with security products.

Rather than purchase a digital certificate for its own driver, the ransomware exploited the privilege escalation vulnerability found in the Gigabyte driver to temporarily disable driver signature enforcement in Windows. This technique allowed the ransomware to load its unsigned driver and use it to kill security processes listed in a PLIST.TXT file. Having disabled those processes, the threat then initiated its encryption routine.

According to Sophos, Gigabyte discontinued using its vulnerable driver some time ago. However, as of this post, the driver was still available, and Verisign had not revoked the certificate used for the driver.

The Ongoing Evasion Efforts of Ransomware Families

RobbinHood ransomware isn’t the first crypto-malware family to try to evade detection by security products. In September 2019, Bleeping Computer spotted an update in the Nemty ransomware family that allowed new samples to kill security processes and services.

In November 2019, Bleeping Computer discovered a sample of Clop ransomware attempting to disable Windows Defender as well as remove both Microsoft Security Essentials and Malwarebytes’ standalone anti-ransomware program. About a month later, Sophos uncovered a sample of Snatch ransomware booting infected computers into Safe Mode in order to bypass protection.

How to Defend Against RobbinHood Ransomware

Security professionals can help their organizations defend against a RobbinHood ransomware attack by developing an incident response plan and practicing it on a regular basis. This will help the organization respond more quickly in the event of a ransomware infection. Companies should also consider conducting cyber resiliency workshops to evaluate the strength of their defenses, both technological and human-based, in the face of a ransomware attack.

 |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature