Ransomware hits healthcare - Vulnerable Gigabyte drivers

Hunt Hypothesis

The hunt hypothesis detects adversaries using vulnerable Gigabyte drivers exploited by RobbinHood ransomware to disable security tools, enabling lateral movement and data encryption. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware attacks before they encrypt critical healthcare data.

KQL Query

DeviceFileEvents 
| where Timestamp > ago(7d) 
| where SHA1 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8', 
'31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')

Analytic Rule Definition

id: 6eade795-7040-48eb-aae7-3f75bf7fad2e
name: Ransomware hits healthcare - Vulnerable Gigabyte drivers
description: |
  Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
query: |
  DeviceFileEvents 
  | where Timestamp > ago(7d) 
  | where SHA1 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8', 
  '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')

Required Data Sources

Sentinel Table	Notes
`DeviceFileEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Vulnerable Gigabyte drivers.yaml)

False Positive Guidance

Scenario: System Maintenance Task Updating Gigabyte Drivers
Description: A scheduled task runs to update Gigabyte drivers as part of routine system maintenance.
Filter/Exclusion: process.name != "UpdateDriver" OR process.name != "GWService.exe"
Scenario: IT Admin Manually Installing Gigabyte Driver via Command Line
Description: An administrator uses the command line to install a Gigabyte driver during a hardware upgrade.
Filter/Exclusion: process.name != "setupldr.exe" OR user.name != "ITAdmin"
Scenario: Automated Patch Management Tool Installing Vulnerable Driver
Description: A patch management tool like Microsoft System Center Configuration Manager (SCCM) installs a Gigabyte driver as part of a patch update.
Filter/Exclusion: process.name != "ccmexec.exe" OR process.name != "sccm_patch_installer.exe"
Scenario: Virtual Machine Guest Tools Installation
Description: A virtual machine (VM) guest tools package includes a Gigabyte driver that is installed during VM setup or configuration.
Filter/Exclusion: process.name != "vmtoolsd.exe" OR process.name != "vmware-tools" OR host.type != "VM"
Scenario: Driver Rollback or Reinstallation During Troubleshooting
Description: A support technician rolls back or reinstalls a Gigabyte driver to resolve a hardware-related issue.
Filter/Exclusion: process.name != "devcon.exe" OR process.name != "DriverStore" OR user.name != "SupportTech"