Ransomware Attack through Microsoft Signed Drivers
Tony Seno Hartono
Strategic Technology Advisor | AI, Cloud & Cybersecurity Expert | Digital Transformation Leader Driving National Innovation & Good Governance | 34+ Years Experience
Sometimes the plan doesn't work out as anticipated.
To improve security, Microsoft set up a system in which developers must have their kernel-mode hardware drivers signed through Microsoft's Windows Hardware Developer Program. To do this, developers have to buy a special certificate, and Microsoft checks their drivers to make sure they are safe. This makes code signed by Microsoft very trusted by Windows, which is why some people with bad intentions also want their drivers signed this way.
What's the weakness of this procedure?
Rogue developers can submit malicious drivers that Microsoft mistakenly approves. Once approved, these drivers can be used to smuggle malware into the system, as the Cuba ransomware gang did when deploying their ransomware on victims' machines.
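One check a defender can run against this weakness is an inventory of the kernel drivers present on a host, with each driver's Authenticode signature status, signer and SHA-256 hash, so that unsigned or non-Microsoft-signed drivers stand out and Microsoft-signed ones can still be matched against a blocklist. The script below is an added example written for this post; it is not the post's own code nor a Microsoft tool. It assumes a Windows host with Windows PowerShell 5.1 or later and read access to the driver files; the `$BlockedSha256` parameter is a placeholder for a hash list you maintain yourself, since the post gives no hashes. Because the drivers abused in the Cuba case were genuinely Microsoft-signed, a "Valid" status on its own is not proof of safety; that is exactly why the hash column is there.

```powershell
# Added example (not from the original post): report on installed kernel drivers,
# their Authenticode signature status and SHA-256 hash, for review against a blocklist.
# Assumes Windows PowerShell 5.1+ on a Windows host. Hypothetical helper names.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several forms; normalise to a real file path.
    $p = $PathName -replace '^\\\?\?\\', ''                 # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # expand \SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) {           # "System32\drivers\x.sys"
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Placeholder: supply your own list of known-bad SHA-256 hashes (uppercase hex).
        [string[]]$BlockedSha256 = @()
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }                         # skip entries with no backing file

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath -PathName $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State                             # Running / Stopped
            Path      = $path
            SigStatus = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
            Signer    = $subject
            MsSigned  = ($subject -like '*Microsoft*')
            Sha256    = $hash
            Blocked   = ($BlockedSha256 -contains $hash)
        }
    }
}

# Usage: list drivers that are not validly Microsoft-signed, or whose hash is on the blocklist.
# Caveat: many inbox drivers are catalog-signed rather than embedded-signed; older PowerShell
# reports those as NotSigned, so treat that bucket as "needs review", not as malicious.
Get-DriverSignatureReport -BlockedSha256 @() |
    Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.MsSigned -or $_.Blocked } |
    Format-Table Name, State, SigStatus, Signer, Blocked -AutoSize
```

Run it from an elevated prompt so every driver file is readable, and feed the `Sha256` column into whatever blocklist or vendor intelligence your organisation uses; the signature columns separate the obvious cases (unsigned, tampered, unknown signer) from the harder one this post is about, a malicious driver that carries a legitimate Microsoft signature.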
So be vigilant, everyone! Expect the best, but be prepared for the worst. Do you back up your system regularly (preferably to a different OS, such as Linux)?