{
	"id": "1e33a6b9-7ea3-441c-a930-f6f430df861e",
	"created_at": "2026-04-06T00:06:36.274723Z",
	"updated_at": "2026-04-10T13:12:10.677037Z",
	"deleted_at": null,
	"sha1_hash": "a12f58bfea72f3fc5b8f59c9d1aa64501e314e80",
	"title": "Ransomware Exploits GIGABYTE Driver to Kill AV Processes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 877792,
	"plain_text": "Ransomware Exploits GIGABYTE Driver to Kill AV Processes\r\nBy Lawrence Abrams\r\nPublished: 2020-02-06 · Archived: 2026-04-05 17:16:00 UTC\r\nThe attackers behind the RobbinHood Ransomware are exploiting a vulnerable GIGABYTE driver to install a malicious and\r\nunsigned driver into Windows that is used to terminate antivirus and security software.\r\nWhen performing a network-wide compromise, ransomware attackers need to push out a ransomware executable as quickly\r\nas possible and to as many systems as they can to avoid being detected.\r\nOne protection that can get in their way of a successful attack, though, is antivirus software running on a workstation that\r\nremoves the ransomware executable before it can be executed.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nTo overcome this hurdle, the operators behind the RobbinHood Ransomware are utilizing a custom antivirus killing package\r\nthat is pushed out to workstations to prepare it for encryption.\r\nUsing trusted drivers to terminate security processes\r\nMost Windows security software processes are protected from being terminated by regular processes and can only be\r\nterminated by Kernel drivers, which have the highest permission possible in Windows.\r\nTo better secure Windows, Microsoft added a driver signature enforcement policy that prevents the installation of Windows\r\nKernel drivers unless they have been cosigned by Microsoft.\r\nThis prevents attackers and malware from installing their malicious drivers that can gain kernel-level privileges without first\r\nbeing reviewed by Microsoft.\r\nIn a new report, Sophos researchers have seen the RobbinHood attackers installing a known vulnerable GIGABYTE driver\r\nthat has been cosigned by Microsoft and exploiting its vulnerability to disable Microsoft's driver signature enforcement\r\nfeature.\r\nOnce disabled, they can install a custom malicious kernel driver that is used to terminate antivirus and security software\r\nprocesses.\r\n\"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver\r\ninto Windows,\" Sophos' report explains. \"This second driver then goes to great lengths to kill processes and files belonging\r\nto endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.\"\r\nThe attack starts with the operators deploying an executable named Steel.exe to exploit the CORE-2018-0007 vulnerability\r\nin the GIGABYTE gdrv.sys driver.\r\nWhen executed, Steel.exe extracts the ROBNR.EXE executable to the C:\\Windows\\Temp folder. This will cause two drivers\r\nto be extracted to the folder; the vulnerable GIGABYTE gdrv.sys driver and the malicious RobbinHood driver called\r\nrbnl.sys.\r\nDrivers in the Windows Temp Folder\r\nROBNR will now install the GIGABYTE driver and exploit it to disable Windows driver signature enforcement.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nPage 3 of 5\n\nInstalled vulnerable GIGABYTE gdrv.sys driver\r\nOnce driver signature enforcement is disabled, ROBNR can now install the malicious rbnl.sys driver, which will be used by\r\nSteel.exe to terminate and delete antivirus and security software.\r\nInstalled RobbinHood driver that kills processes\r\nThe Steel.exe program will read the list of processes that should be terminated and services whose files should be deleted\r\nfrom a file called PLIST.TXT. It will then look for each of the listed processes or files and either terminate or delete them.\r\nCode used by the driver to delete files\r\nSource: Sophos\r\nAt this time, Sophos has told BleepingComputer that they have been unable to gain access to the PLIST.TXT file and do not\r\nknow what processes and services are being targeted.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nPage 4 of 5\n\nWhen Steel.exe has finished terminating security software, the ransomware will now be able to encrypt a computer without\r\nfear of being detected.\r\nWith the high payouts of network-wide ransomware attacks, attackers are investing a lot of resources into new and\r\ninnovative methods to bypass security software and protections in Windows.\r\nAs these attacks cannot take place without a network first being compromised, the best way to protect yourself is to make\r\nthe network less vulnerable.\r\nThis includes performing phishing recognition training, making sure security updates are installed, and removing access to\r\nInternet exposed services like Remote Desktop Services.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/"
	],
	"report_names": [
		"ransomware-exploits-gigabyte-driver-to-kill-av-processes"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a12f58bfea72f3fc5b8f59c9d1aa64501e314e80.pdf",
		"text": "https://archive.orkl.eu/a12f58bfea72f3fc5b8f59c9d1aa64501e314e80.txt",
		"img": "https://archive.orkl.eu/a12f58bfea72f3fc5b8f59c9d1aa64501e314e80.jpg"
	}
}