RobbinHood Ransomware attackers are exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows that is used to terminate antivirus and security software. The attackers are using a custom antivirus killing package that is pushed out to workstations to prepare the payload for encryption. The attack starts with the operators deploying an executable named Steel.exe to exploit the CORE-2018-0007 vulnerability in the GIBYTE gdrv.sys driver. Steel.EXE extracts the ROBNREXE executable to the C:WindowsTemp folder.
Source: https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/

