Ransomware borrows vulnerable driver to remove security software: SOPHOS
“RobbinHood ransomware comes with both a vulnerable driver and a malicious driver that has the sole purpose to take out defenses. The malicious driver contains only code to kill, nothing else. So even if you have a fully patched Windows computer with no known vulnerabilities, the ransomware provides the attackers with one that lets them destroy your defenses as a precursor to the ransomware attack.
“Our analysis of the two ransomware attacks shows how rapidly and dangerously the threat continues to evolve. This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted.
Key Highlights by Mark Loman, Director of Engineering at Sophos, on RobbinHood ransomware
This is the first time we have observed ransomware applying this process
It highlights how the ransomware threat continues to evolve and remain dangerous. In this instance, even fully patched computers are at risk of compromise
Security strategies need to adapt accordingly, involving many different levels to catch each stage of an attack – and ideally include the human element of managed threat detection and response
“What can organizations do to prevent being affected by such an attack? We recommend a three-pronged approach. First, since today’s ransomware attacks use multiple techniques and tactics, defenders need to deploy a range of technologies to disrupt as many stages of the attack as possible, integrate the public cloud into their security strategy, and enable important functionality, including tamper protection, in their endpoint security software. If possible, complement this with threat intelligence and professional threat hunting.
“Second, apply strong security practices like multi-factor authentication, complex passwords, limited access rights, regular patching, and data backups, and lock down vulnerable remote access services. Last, but not least, invest, and keep investing in employee security training.”
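As an added example (not Sophos's code and not part of the original article), the Python script below shows one way a defender could detect the pattern described above: a signed-but-vulnerable or unsigned driver being loaded shortly before endpoint-protection processes terminate. The record layout mirrors Sysmon Event ID 6 (driver load) and Event ID 5 (process terminate); the events, driver paths, hashes and protected process names are constructed for the example.

```python
"""Correlate suspicious driver loads with security-process terminations.

Constructed example: the hash list, process names and log events below are
placeholders shaped like Sysmon Event 6 (DriverLoad) / Event 5 (ProcessTerminate).
"""
from datetime import datetime, timedelta

# Constructed: hashes of signed-but-known-vulnerable drivers an organisation blocks.
KNOWN_VULNERABLE_DRIVER_HASHES = {"SHA256=PLACEHOLDER_VULN_DRIVER_HASH"}

# Constructed: endpoint-protection process names that should not terminate on their own.
PROTECTED_PROCESSES = {"avservice.exe", "edrsensor.exe"}

# Constructed events: (ISO timestamp, Sysmon event id, fields).
SAMPLE_EVENTS = [
    ("2020-02-06T10:00:00", 6, {"ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
                                "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_OK_HASH"}),
    ("2020-02-06T10:05:00", 6, {"ImageLoaded": "C:\\Windows\\Temp\\vuln.sys",
                                "Signed": "true", "Hashes": "SHA256=PLACEHOLDER_VULN_DRIVER_HASH"}),
    ("2020-02-06T10:05:03", 6, {"ImageLoaded": "C:\\Windows\\Temp\\killer.sys",
                                "Signed": "false", "Hashes": "SHA256=PLACEHOLDER_UNSIGNED_HASH"}),
    ("2020-02-06T10:05:05", 5, {"Image": "C:\\Program Files\\AV\\avservice.exe"}),
    ("2020-02-06T10:05:06", 5, {"Image": "C:\\Program Files\\EDR\\edrsensor.exe"}),
    ("2020-02-06T11:30:00", 5, {"Image": "C:\\Windows\\notepad.exe"}),
]


def detect_driver_assisted_kill(events, window_seconds=60):
    """Return alert strings.

    A driver load is suspicious when the image is unsigned or its hash is on the
    vulnerable-driver list. A protected process terminating within `window_seconds`
    after such a load is flagged as a likely tamper attempt.
    """
    alerts = []
    recent_suspicious = []  # (load time, driver path)
    for ts, event_id, fields in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        if event_id == 6:  # DriverLoad
            unsigned = fields.get("Signed") != "true"
            listed = fields.get("Hashes") in KNOWN_VULNERABLE_DRIVER_HASHES
            if unsigned or listed:
                recent_suspicious.append((now, fields["ImageLoaded"]))
                alerts.append(f"suspicious driver load: {fields['ImageLoaded']}")
        elif event_id == 5:  # ProcessTerminate
            name = fields["Image"].rsplit("\\", 1)[-1].lower()
            if name in PROTECTED_PROCESSES:
                window = timedelta(seconds=window_seconds)
                drivers = [path for t, path in recent_suspicious if now - t <= window]
                if drivers:
                    alerts.append(f"protected process {name} terminated after driver load(s): {drivers}")
    return alerts


if __name__ == "__main__":
    for line in detect_driver_assisted_kill(SAMPLE_EVENTS):
        print(line)
```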