Ransomware typically exploits a vulnerability in the web browser or operating system to infect the victim’s system. There are always exceptions, however, where malware looks for a rather atypical “gateway”, and the RobbinHood ransomware is one such case.
This ransomware uses a driver from the Taiwanese manufacturer Gigabyte as its entry point into the system. The gap exists because of a certificate that the certification body should long since have declared invalid.
The driver concerned is by no means the current version: it is the driver affected by the vulnerability CVE-2018-19320. This does not mean, however, that you are protected against the ransomware if you have a current driver from Gigabyte. The “RobbinHood” malware automatically installs the aforementioned driver on the infected computer in order to then exploit its vulnerability.
First, “RobbinHood” gains access to the system kernel and deactivates the operating system’s signature verification. The malware then deactivates the virus scanner and begins to encrypt the hard drives, in order to then demand a ransom for decrypting the data.
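As an added defender-side example (not part of the original article), the following Python flags driver-load telemetry that matches a known-vulnerable-driver blocklist or carries a signature whose status is no longer valid. It assumes Sysmon Event ID 6 (Driver loaded) records rendered in a constructed one-line key=value format; the blocklist hash and the sample events are placeholders constructed for the demonstration, not the real driver’s hash.

```python
from dataclasses import dataclass

# Constructed placeholder hash; a real blocklist uses the vendor advisory's SHA256.
VULNERABLE_DRIVERS = {"feed" * 16: "Gigabyte driver, CVE-2018-19320"}

@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    status: str

def parse_driver_load(line: str) -> DriverLoad:
    """Parse one constructed 'Field=value|Field=value' Sysmon EID 6 line.
    Sysmon packs hashes as 'SHA1=..,MD5=..,SHA256=..' in the Hashes field."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(image=fields["ImageLoaded"],
                      sha256=hashes.get("SHA256", "").lower(),
                      signed=fields["Signed"].lower() == "true",
                      status=fields["SignatureStatus"])

def assess(load: DriverLoad) -> list:
    """Return the reasons (if any) this driver load should be escalated."""
    findings = []
    if load.sha256 in VULNERABLE_DRIVERS:
        findings.append("known vulnerable driver: " + VULNERABLE_DRIVERS[load.sha256])
    if load.signed and load.status != "Valid":
        # A revoked or expired certificate still leaves a signature on the
        # file; only the status shows it should no longer be trusted.
        findings.append("signed driver with signature status " + load.status)
    return findings

def scan(lines: list) -> dict:
    """Map each flagged driver image to its findings; clean loads are omitted."""
    flagged = {}
    for line in lines:
        load = parse_driver_load(line)
        findings = assess(load)
        if findings:
            flagged[load.image] = findings
    return flagged

# Constructed sample events: one benign load and one blocklisted driver load.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\benign.sys|Hashes=SHA256="
    + "ab" * 32 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\dropped.sys|Hashes=SHA256=" + "feed" * 16
    + "|Signed=true|Signature=Gigabyte (constructed)|SignatureStatus=Valid",
]
```

Running `scan(SAMPLE_EVENTS)` reports only the second event, matched by hash; a driver whose certificate had since been revoked would be reported through the signature-status check even if its hash were not yet on the blocklist.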
In addition, all users of the Gigabyte App Center up to and including v1.05.21, the Aorus Graphics Engine up to v1.57, the Xtreme Gaming Engine up to v1.26 and the OC Guru II v2.08 must install an appropriate update. As long as the manufacturer does not invalidate the corresponding certificate, the ransomware remains active: “RobbinHood” is therefore still able to use the driver as a tool to encrypt the target system and then blackmail the owner.
Posted by Taran Kaur on February 12, 2020