A no longer used Gigabyte driver has been discovered, with a digital signature, which can still be used to fully encrypt the files on a computer. Cybersecurity firm Sophos investigated, and concluded that a workaround it was indeed possible.
Ransomware RobbinHood would use the outdated driver with digital signature to disable Windows security measures around digital signatures of software because of the vulnerability in the driver. The ransomware could then install its own unsigned software and files would be encrypted.
Signature with little effect
The main problem that Sophos wants to address with this is that there are drivers available with digital signature, but also with significant vulnerabilities that have not been fixed. Not only has this not been done (for example, Gigabyte chose to just throw the driver in the trash), the company behind the issuance of digital signatures (Verisign) has also not revoked the certificate.
According to Sophos, this is the first time that ransomware can be distributed using a legitimate driver. It also points out that there are other drivers that also contain similar vulnerabilities but also carry the digital signature. Microsoft itself has not yet said anything about the newly discovered vulnerabilities, but in general it uses the same guideline: certificates are only revoked if the certificate itself has a vulnerability, as otherwise software without vulnerabilities but with the same digital signatures will also be excluded.