Hardware drivers approved by Microsoft used in ransomware attacks

Thought you could trust Microsoft-approved drivers? Think again


Researchers at Sophos have identified that vulnerabilities in Microsoft-approved hardware drivers have been exploited in ransomware attacks by a group known as Cuba.

A pair of files were found on compromised machines that Sophos says “work together to terminate processes or services used by a variety of endpoint security product vendors.”

Claiming to have “kicked the attackers off the systems” before things escalated, the company can’t be sure what sort of attacks (if any) may have taken place, though some evidence points at a variant of malware known as ‘BURNTCIGAR’.

Ransomware with Microsoft drivers


Sophos informed Microsoft of its findings; Microsoft later published an advisory as part of its monthly Patch Tuesday release.

The tech giant said it had completed an investigation, which found that “activity was limited to the abuse of several developer program accounts and that no compromise has been identified.”


Microsoft has also suspended the partners’ seller accounts in an effort to protect users in the meantime.

A security update has been released that revokes the certificate for the impacted files, and detections that block those files are now built into the OS (when using Microsoft Defender 1.377.987.0 or newer).
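Two checks follow from the mitigation above: that Defender's signature version meets the threshold the article cites, and that the signed kernel drivers running on a host can be reviewed now that the certificate has been revoked. The script below is an added example written for this page; it is not code from Sophos, Microsoft or the article. It assumes a Windows host with the Defender PowerShell module available (`Get-MpComputerStatus`) and uses only built-in cmdlets; the version threshold is the one the article gives.

```powershell
# Added example (not from Sophos, Microsoft or the article): defender-side checks
# after the certificate revocation. Assumes Windows with the Defender module present.

$RequiredSignatureVersion = [version]'1.377.987.0'   # threshold cited in the article

# (1) Is the Defender signature version at or above the one that carries the detections?
function Test-DefenderSignatureVersion {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Required = $RequiredSignatureVersion
        UpToDate = ($current -ge $RequiredSignatureVersion)
    }
}

# (2) List running kernel drivers with their Authenticode status and signer, so an
# analyst can review anything whose signature is no longer Valid (a revoked certificate
# no longer verifies) and still eyeball signers that are Valid but unexpected.
function Get-RunningDriverSignature {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
        ForEach-Object {
            # PathName may carry an NT-style prefix such as \??\C:\...; strip it
            $path = ($_.PathName -replace '^\\\?\?\\', '')
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Usage: report the Defender state, then any running driver that does not verify.
$defender = Test-DefenderSignatureVersion
if (-not $defender.UpToDate) {
    Write-Warning "Defender signatures $($defender.Current) are below $($defender.Required); update before relying on the built-in detections."
}
Get-RunningDriverSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, Path -AutoSize
```

A `Valid` status only means the signature chains to a trusted root today; as the article's point is that attackers obtained Microsoft-signed drivers, the signer column is worth reading even for drivers that verify, and the drivers the article describes are best identified through the vendor's detections rather than by signature status alone.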


As ever, the company is urging its customers to install updates wherever applicable, including to the operating system and to installed antivirus and endpoint protection software. Attacking the target’s security software is usually the precursor to more impactful steps, like deploying ransomware.

More generally, Sophos has noticed a trend that sees threat actors “moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers.”

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
