BlackCat ransomware is using signed Microsoft kernel drivers to avoid detection


Research has revealed how the Russian gang’s malware remains hidden in systems and gets around end-point security.


An end-point security evasion technique by ransomware gang BlackCat has been uncovered by researchers. The new procedure cloaks the gang’s defensive manoeuvres when inside a network.

The POORTRY malware is a Windows kernel driver that is signed using stolen keys belonging to legitimate accounts in Microsoft’s Windows Hardware Development Program.

The hacking group UNC3944 (also known as 0ktapus and Scattered Spider) used this malicious driver to shut down security software running on a Windows device in order to avoid detection.

Trend Micro said that ransomware actors tried to use the Microsoft-signed POORTRY driver, but due to the publicity it received and the subsequent revocation of the code signing keys, its detection rates were high.

These new techniques will probably become a fixture of the cybercriminal toolkit, the report states. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer.”

The new driver used by the BlackCat ransomware gang helps it elevate its privileges on infected machines and then stop processes related to security agents.

Additionally, it may provide a loose connection between the ransomware gang and the UNC3944/Scattered Spider hacking group.


To mitigate the risks, system administrators are advised to utilize the indicators of compromise provided by Trend Micro and add the identified drivers to the Windows driver blocklist.
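An added example (not from Trend Micro or the original article) of putting a published indicator list to work: it parses rows of file name, SHA-1 and detection name, then hashes `.sys` and `.exe` files under a directory and reports matches by hash, so a renamed driver is still caught. The function names and the sample data in the demo are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_iocs(text):
    """Map SHA-1 -> (listed file name, detection name); header or malformed rows are skipped."""
    iocs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name, digest, detection = parts[0], parts[1].lower(), parts[2]
        if len(digest) == 40 and set(digest) <= set("0123456789abcdef"):
            iocs[digest] = (name, detection)
    return iocs

def sha1_file(path, chunk=1 << 20):
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs, extensions=(".sys", ".exe")):
    """Return sorted (path, sha1, listed name, detection) for files whose hash is listed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            try:
                digest = sha1_file(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest) + iocs[digest])
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: the "indicator" is the hash of bytes written here, not a real IoC.
    with tempfile.TemporaryDirectory() as root:
        payload = b"constructed stand-in for a listed driver"
        with open(os.path.join(root, "renamed.sys"), "wb") as fh:
            fh.write(payload)
        row = "listed.sys\t" + hashlib.sha1(payload).hexdigest() + "\tExample.Detection.A"
        for hit in sweep(root, parse_iocs("File name\tHash\tDetection name\n" + row)):
            print(hit)
```

Point `sweep` at a driver directory or a mounted disk image and pass it the vendor's indicator list as text; a hit identifies a file to investigate and a candidate for the driver blocklist.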




About the Author:

FirstHackersNews- Identifies Security
