This sneaky ransomware attack attempts to disable your security software



[Image: hands typing on a laptop keyboard lit with blue backlight. Credit: Getty/Manuel Breva Colmeiro]

A major ransomware group is using a new technique that lets its attacks evade detection by security products: it exploits a vulnerable driver to bypass more than 1,000 drivers used by antivirus software.

The technique was detailed by cybersecurity researchers at Sophos, who saw it being used in attacks by the BlackByte ransomware gang.

BlackByte is a relatively new ransomware operation, but a series of attacks targeting critical infrastructure and other high-profile targets led the FBI to issue a warning about the group.


Now, the BlackByte ransomware gang is apparently using CVE-2019-16098, a vulnerability in RTCore64.sys, a graphics utility driver for Windows systems. The driver has a legitimate use in overclocking, where it provides extensive control over the graphics card.

However, by exploiting the vulnerability, an attacker who has gained access to an authenticated user account can read and write arbitrary memory, which could be used for elevation of privilege, code execution, or access to information.

Researchers describe this as “bring your own driver”. If abused, it allows attackers to bypass more than 1,000 drivers used by endpoint detection and response (EDR) products – that is, antivirus software.

The tactic works by exploiting the vulnerability to communicate directly with the kernel (the core of the targeted system) and instructing it to disable the routines used by antivirus software, as well as ETW (Event Tracing for Windows).

“If you think of computers as a fortress, for many EDR vendors, ETW is the guard at the front door. If the guard falls, it leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different vendors, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous,” said Christopher Budd, Head of Threat Research at Sophos.

By abusing this vulnerability, BlackByte can gain the necessary privileges to stealthily gain access to systems, before triggering a ransomware attack and demanding a ransom payment for the decryption key. Like many other ransomware groups, BlackByte also steals victims’ data and threatens to release it if their extortion demands are not met.


To help protect against bring-your-own-driver attacks, Sophos recommends that drivers be updated regularly so that known vulnerabilities are patched. Researchers also recommend blocking drivers that are known to still be exploitable.
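As an added example (not code from the article or from Sophos), here is a small Python check that applies the block-list advice to driver-load telemetry: it flags Sysmon DriverLoad events whose file name or SHA256 digest is on a list of known-exploitable drivers, and catches a renamed copy of the driver by its hash. The simplified key=value log format, the sample events and the placeholder digest are constructed assumptions; the Sysmon field names (ImageLoaded, Hashes) are real.

```python
"""Flag Sysmon DriverLoad (Event ID 6) records that hit a known-exploitable driver
block list. Added example, not code from the article or Sophos; the records and
the SHA256 value are constructed placeholders, not real indicators."""
import re

# RTCore64.sys (CVE-2019-16098) is the driver named in the article. The digest is
# a labelled placeholder; a real block list would carry the published hashes.
BLOCKED_DRIVER_NAMES = {"rtcore64.sys"}
BLOCKED_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_RTCORE64"}

# Constructed sample log in a simplified key=value rendering of Sysmon events.
SAMPLE_EVENTS = """\
EventID=6 UtcTime=2022-10-05T12:00:01Z ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Hashes=SHA256=aaaa Signature=Microsoft Windows SignatureStatus=Valid
EventID=6 UtcTime=2022-10-05T12:03:44Z ImageLoaded=C:\\Users\\Public\\RTCore64.sys Hashes=SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_RTCORE64 Signature=MICRO-STAR INTERNATIONAL CO., LTD. SignatureStatus=Valid
EventID=6 UtcTime=2022-10-05T12:05:10Z ImageLoaded=C:\\Temp\\renamed.sys Hashes=SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_RTCORE64 Signature=MICRO-STAR INTERNATIONAL CO., LTD. SignatureStatus=Valid
EventID=7 UtcTime=2022-10-05T12:06:00Z Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll
"""

# key=value pairs whose values may contain spaces: stop before the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return dict(KV_RE.findall(line))

def sha256_of(event):
    # Sysmon's Hashes field is "ALG=digest,ALG=digest,..."; return the SHA256 one.
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo == "SHA256":
            return digest
    return ""

def check_driver_loads(log_text):
    """Return (utc_time, image, reason) for each DriverLoad that hits the list."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only kernel driver loads matter for BYOVD detection
        image = ev.get("ImageLoaded", "")
        if image.rsplit("\\", 1)[-1].lower() in BLOCKED_DRIVER_NAMES:
            findings.append((ev["UtcTime"], image, "blocked driver name"))
        elif sha256_of(ev) in BLOCKED_SHA256:
            # Renaming the file does not change its hash, so match on digest too.
            findings.append((ev["UtcTime"], image, "blocked driver hash"))
    return findings

if __name__ == "__main__":
    for hit in check_driver_loads(SAMPLE_EVENTS):
        print(*hit)
```

In production the block list would be fed from a maintained source such as a vendor's published vulnerable-driver list, and the same match could be turned into a WDAC or EDR rule rather than a log scan after the fact.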

“It is critical that defenders monitor new evasion and exploitation techniques and implement mitigation measures before these techniques become widely available in the cybercrime scene,” Budd said.

Ransomware continues to be one of the biggest cybersecurity issues facing organizations today. Additional steps organizations can take to protect against ransomware and other malware attacks include applying security patches and updates promptly, and enabling multi-factor authentication for users.

These can help prevent cybercriminals from gaining access to the network in the first place.

