Sophos investigates RobbinHood ransomware attacks in which cybercriminals use a digitally signed hardware driver to delete security products from computers.
Sophos, a cybersecurity software provider, is investigating RobbinHood ransomware attacks in which cybercriminals use a digitally signed hardware driver to delete endpoint security products from computers. The RobbinHood attacks allow cybercriminals to subvert a setting in kernel memory on Windows 7, Windows 8 and Windows 10 to bypass endpoint protection software and encrypt files.
During the RobbinHood attacks, cybercriminals use a Gigabyte driver as a wedge that allows them to load a second, unsigned driver into Windows, Sophos stated. This second driver then terminates endpoint security product processes and deletes their files, which lets the ransomware run without interference.
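The chain described above (signed driver load, then an unsigned driver load, then endpoint-security processes being killed) can be expressed as a simple correlation rule for a detection pipeline. The following is an added example, not code from Sophos or the article; the event schema, time window, driver names and security process names are all constructed placeholders that a real deployment would take from its own telemetry and EDR vendor.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class Event:
    ts: int                     # seconds since epoch (constructed)
    kind: str                   # "driver_load" or "proc_kill"
    name: str                   # driver image name or process name
    signed: Optional[bool] = None  # signature status for driver_load, None otherwise

# Hypothetical endpoint-protection process names (placeholders, not real product names).
SECURITY_PROCS = {"edr_agent.exe", "av_service.exe"}
WINDOW = 300  # correlation window in seconds (assumption)

def detect_wedge_chain(events: Iterable[Event]) -> List[str]:
    """Alert when a signed driver load is followed within WINDOW by an unsigned
    driver load, which is in turn followed within WINDOW by the termination of a
    known security process. Benign unsigned loads with no preceding signed
    'wedge' load, and kills of unrelated processes, produce no alert."""
    alerts: List[str] = []
    signed_loads: List[Event] = []
    suspicious_unsigned: List[Event] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "driver_load" and e.signed:
            signed_loads.append(e)
        elif e.kind == "driver_load" and not e.signed:
            # Only an unsigned load shortly after a signed load matches the wedge pattern.
            if any(0 <= e.ts - s.ts <= WINDOW for s in signed_loads):
                suspicious_unsigned.append(e)
        elif e.kind == "proc_kill" and e.name.lower() in SECURITY_PROCS:
            for u in suspicious_unsigned:
                if 0 <= e.ts - u.ts <= WINDOW:
                    alerts.append(f"{e.ts}: {e.name} killed after unsigned driver "
                                  f"{u.name} loaded behind signed driver")
                    break
    return alerts

# Constructed sample telemetry: one full chain, one unrelated kill, one unsigned
# load with no preceding signed load (should not alert).
SAMPLE_EVENTS = [
    Event(1000, "driver_load", "vendor_signed.sys", True),
    Event(1012, "driver_load", "second_stage.sys", False),
    Event(1020, "proc_kill", "edr_agent.exe"),
    Event(1021, "proc_kill", "notepad.exe"),
    Event(5000, "driver_load", "other_unsigned.sys", False),
    Event(5010, "proc_kill", "av_service.exe"),
]

if __name__ == "__main__":
    for line in detect_wedge_chain(SAMPLE_EVENTS):
        print(line)
```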
RobbinHood previously was used in last year’s Baltimore ransomware attack. Cybercriminals deployed the malware across Baltimore’s servers and government applications and demanded about $100,000 in Bitcoin to unlock hijacked files.
How to Guard Against RobbinHood Attacks
Sophos recommends a three-prong approach to guard against RobbinHood attacks:
- Use Threat Protection Tools to Disrupt the Entire Attack Chain: Deploy a wide range of security technologies to combat cyberattacks at different stages.
- Leverage Security Best Practices: Use multi-factor authentication (MFA), manage access to databases and systems and deploy other security best practices.
- Provide Training: Teach employees about RobbinHood and other types of cyberattacks and ensure that they understand how to identify these attacks in their early stages.
MSPs and MSSPs also can help organizations combat RobbinHood ransomware attacks and other cyberattacks. To do so, MSPs and MSSPs can partner with organizations, evaluate their security posture and offer security services and solutions to help them minimize risk.