The malware consists of several files embedded in executable STEEL.EXE<\/strong>. Here\u2019s an overview of the attack plan based on a research report from SophosLabs<\/a>:<\/p>\n\n\n\n 1. STEEL.EXE<\/strong> is extracted and plants file ROBNR.EXE<\/strong> onto the disk, which then installs the legitimate Gigabyte driver (GDRV.SYS<\/strong>) along with the malicious driver (RBNL.SYS<\/strong>).<\/p>\n\n\n\n 2. Once installed, the GDRV.SYS<\/strong> is able to temporarily disable the driver signature enforcement mechanism due to a vulnerability that allows the driver to read and write to any part of the computer memory. With signature enforcement disabled, the malicious driver can then be loaded into kernel space.<\/p>\n\n\n\n 3. Once the malicious driver is up and running, the ROBNR.EXE<\/strong> process exits and the PLIST.TXT<\/strong> file (a list of all applications to kill, often tailored to the target network), is processed. The malicious driver begins terminating security processes and deleting associated files on the list, using various deletion methods run consecutively.<\/p>\n\n\n\n 4. When the STEEL.EXE<\/strong> has completed this process, it exits, and RobbinHood can encrypt network files unimpeded by security software.<\/p>\n\n\n\n The following image from a Windows Security blog<\/a> illustrates the process:<\/p>\n\n\n\n In the case of RobbinHood ransomware, privilege escalation is the steppingstone to the main attack; in order to install its malicious driver, it first needs elevated powers. This can start by gaining access to an already privileged account, or by accessing a less-privileged account and ascending the ranks (vertical privilege escalation) to the necessary level from which point the main goal can be achieved.<\/p>\n\n\n\n If you can prevent the surface area of attack by managing privileged users, and promptly detect attempts (or even success) at privilege escalation, you have a much better chance at stopping the \u2018main event\u2019 from eventuating. Doing this essentially removes the privileged-account foothold RobbinHood needs to deploy and run STEEL.EXE<\/strong>.<\/p>\n\n\n\n As a Privileged Access Management (PAM) system, Admin By Request does just that by limiting access rights of users.<\/p>\n\n\n\n Admin By Request adopts:<\/p>\n\n\n\n In every business\u2019 computer network, there will be accounts and users that require higher privileges than others. But that does not have to mean giving some accounts privileged access and free rein all the time.<\/p>\n\n\n\n With Admin By Request\u2019s Sub Settings, you can implement POLP<\/strong> by creating different access rules for specialised users and groups, depending on their needs. This means you can impose strict access controls for all but your two IT techs if you so choose, lessening the potential for malware like RobbinHood to gain access to an already privileged account.<\/p>\n\n\n\n JIT<\/strong> elevation safeguards are in place with Admin By Request providing users with four ways to perform tasks<\/a> that require elevated privileges.<\/p>\n\n\n\n Three of these four methods require the user to request permission or obtain a PIN in order to gain administrator access – with Admin By Request\u2019s auditlog recording and displaying all administrator activity that takes place during these requests.<\/p>\n\n\n\n Auditing user activity in this way can prevent ransomware attacks like RobbinHood (in which escalation is instrumental to staging the attack), as it allows you to detect possible privilege escalation as it occurs and take appropriate action.<\/p>\n\n\n\n To have the power to install system resources such as drivers (which RobbinHood ransomware relies on to perform encryption unhindered), a user would need full local admin rights of their system.<\/p>\n\n\n\n In Admin By Request, this would require the user to make a Full Session Elevation request. Again, gaining this type of access could require a reason and\/or approval (depending on your settings in Admin By Request), and all installs and uninstalls are recorded with the details of the elevated session in the auditlog. This makes it a much harder task to climb up the ranks of privilege unnoticed.<\/p>\n\n\n\n Disrupting just one of RobbinHood ransomware\u2019s many processes can thwart its plan entirely \u2013 removing the foothold of privileged accounts and privilege escalation with Admin By Request does just that.<\/p>\n\n\n\n There is a operation in RobbinHood\u2019s execution that runs multiple deletion-processes sequentially to ensure everything on its PLIST.TXT<\/strong> list is deleted. Better to be safe than sorry, right?<\/p>\n\n\n\n To beat this ransomware at its own game, you need to take a leaf out of Sherwood Forest.<\/p>\n\n\n\n Admin By Request does this by integrating a PAM solution with Opswat MetaDefender\u2019s multi-engine malware scanning tool<\/a>, the MetaDefender Cloud<\/a>.<\/p>\n\n\n\n This security tool scans files with more than 35 anti-malware scanning engines. To give you an idea of how effective this makes Admin By Request\u00a0at keeping your system safe from malware, here are some numbers from\u00a0Opswat’s Detection Efficacy Overview<\/a>:<\/p>\n\n\n\n That raises malware detection rates to almost 100%.<\/p>\n\n\n\n Like RobbinHood, today\u2019s ransomware attacks use a range of tactics and often need to find success at every step to achieve their goal. The best way to combat this is to disrupt as many parts of the attack chain as possible.<\/p>\n\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2022\/10\/image-4.png\")
<\/figure>\n\n\n\nJust in Time to Stop (and Audit) the Robbery<\/h2>\n\n\n\n
\n
\n
You Need More than One Sheriff to Stop RobbinHood<\/h2>\n\n\n\n
\n
\n
\n
\n
Conclusion<\/h2>\n\n\n\n