The BlackCat ransomware group has been using signed Windows kernel drivers to evade security solutions. The driver involved is an upgraded version of the POORTRY malware, which was used in widely reported ransomware intrusions last year.
According to published reports, POORTRY is a Windows kernel driver signed with keys stolen from legitimate Windows Hardware Developer Program accounts. The UNC3944 threat group used the same driver earlier this year to terminate security software on targeted devices.
The attackers used a modified POORTRY driver to disable security software.
According to investigators, the group relied on a kernel driver because kernel-mode code runs with the highest privileges and can terminate any process, including the processes of security products. The attackers also found that the original POORTRY had become widely detected by security software, a consequence of the publicity that followed the revocation of its code-signing keys.
BlackCat therefore modified the POORTRY kernel driver. The upgraded driver lets the group elevate privileges on infected devices and terminate the security processes running there.
The attack chain consists of a signed driver (ktgn[.]sys) that the attackers drop into the victim’s temp folder, and a user-mode loader dubbed tjr[.]exe that loads it. Because the driver carries a signature that Windows still accepts, it loads on 64-bit systems even with driver signature enforcement in place.
Once the user-mode component communicates with the driver, the Device Input and Output Control (IOCTL) codes the driver exposes become available; its Kill Process command terminates the security software processes running on the infected system.
Two further commands, intended to manipulate process and thread notification callbacks, did not function. This suggests the driver was still under development at the time of the attack and will be enhanced further.
System administrators should hunt for the publicly available IOCs for this threat and add the group's malicious drivers to their Windows driver blocklist. Driver Signature Enforcement should remain enabled on every Windows host, but it is not sufficient on its own here: the driver is signed and loads with enforcement on, so the blocklist is what actually stops it.
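The following PowerShell script is an added example, not code from the original report or from BlackCat's tooling. It puts the two recommendations above into practice: it hunts for the artifacts the article names (ktgn.sys in a temp folder, the tjr.exe loader, and a driver service pointing at ktgn.sys), records each driver's signer and signature status so a revoked or unexpected certificate stands out, and then builds a WDAC deny rule from a quarantined copy of the driver so it can be merged into an existing code-integrity policy. The temp-folder locations, the quarantine path and the output layout are this script's own assumptions; only the two file names come from the article.

```powershell
# Added hunting and blocklisting script (not part of the original article).
# Run in an elevated PowerShell session on the host being examined.

$driverName = 'ktgn.sys'   # from the article
$loaderName = 'tjr.exe'    # from the article

# Temp locations to search (assumption: the article only says "temp folder").
$tempDirs = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    "$env:SystemDrive\Users\*\AppData\Local\Temp"
)

$findings = @()

# 1. Dropped driver files: record hash, signer and whether Windows still trusts the signature.
foreach ($dir in $tempDirs) {
    Get-ChildItem -Path (Join-Path $dir $driverName) -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings += [pscustomobject]@{
            Type   = 'DroppedDriver'
            Path   = $_.FullName
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status   # Valid, NotSigned, NotTrusted, HashMismatch, ...
        }
    }
}

# 2. Driver service already registered or loaded: State = Running means the kernel has it.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match [regex]::Escape($driverName) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'DriverService'
            Path   = $_.PathName
            SHA256 = $null
            Signer = $_.Name
            Status = $_.State
        }
    }

# 3. User-mode loader process, if it is still running.
$loaderBase = [IO.Path]::GetFileNameWithoutExtension($loaderName)
Get-Process -Name $loaderBase -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type   = 'LoaderProcess'
        Path   = $_.Path
        SHA256 = if ($_.Path) { (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash } else { $null }
        Signer = $null
        Status = "PID $($_.Id)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No $driverName / $loaderName artifacts found on this host."
} else {
    $findings | Format-Table -AutoSize
}

# 4. Blocklist: build a WDAC deny rule (by file hash) from a quarantined copy of the driver.
#    Requires the ConfigCI module (Windows 10/11 Enterprise, Windows Server).
#    The quarantine path is an assumption; point it at wherever you stored the sample.
$quarantinedSample = 'C:\Quarantine\ktgn.sys'
if (Test-Path -Path $quarantinedSample) {
    $denyRules = New-CIPolicyRule -Level Hash -DriverFilePath $quarantinedSample -Deny
    New-CIPolicy -FilePath .\DenyKtgn.xml -Rules $denyRules
    ConvertFrom-CIPolicy -XmlFilePath .\DenyKtgn.xml -BinaryFilePath .\DenyKtgn.bin
    Write-Host 'Deny policy written to DenyKtgn.xml / DenyKtgn.bin; merge it into your base WDAC policy with Merge-CIPolicy before deploying.'
}
```

Hash-based deny rules only match the exact sample you fed in, so a recompiled or re-signed variant will slip past them; that is why the signer subject and signature status are printed alongside the hash, so that a publisher-level rule can be added once the abused certificate is known. Also note that the hunting section only finds artifacts on disk or in the process list; if the driver has already killed the endpoint agent, the absence of the agent process is itself a finding worth checking.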