This sneaky ransomware attack tries to switch off your security software

Cybersecurity researchers detail how one ransomware gang has started using a new technique to help power extortion attacks.
Written by Danny Palmer, Senior Writer


A major ransomware gang is using a new technique that lets its attacks evade detection by security products: it exploits a vulnerability in a single legitimately signed driver to neutralise the protections that more than 1,000 drivers used by endpoint security products rely on. 

The technique has been detailed by cybersecurity researchers at Sophos, who've seen it being used in attacks by the BlackByte ransomware gang. 

BlackByte is a relatively new ransomware operation, but a series of attacks against critical infrastructure and other high-profile targets have led to the FBI issuing a warning about the group.


Now the BlackByte ransomware gang is using CVE-2019-16098, a vulnerability in RTCore64.sys, the kernel driver bundled with the MSI Afterburner graphics utility for Windows. The driver has a legitimate purpose: it gives the overclocking utility low-level control over the graphics card. 

However, the vulnerable driver lets any authenticated user read and write arbitrary kernel memory, which can be exploited for privilege escalation, code execution or access to sensitive information. Because the driver carries a valid code signature, Windows loads it like any other driver, so the attacker does not need to defeat driver signature enforcement. 

Researchers describe this as "Bring Your Own Driver" (more widely known as Bring Your Own Vulnerable Driver, or BYOVD): rather than finding a flaw in the victim's security software, the attacker drops and loads a signed driver that is already known to be vulnerable and uses it as a foothold in the kernel. Abused this way, it allows attackers to bypass more than 1,000 drivers that endpoint detection and response (EDR) and antivirus products rely on. 

Once the driver is loaded, the attacker uses its arbitrary kernel read and write to tamper with the kernel directly: it removes the kernel callbacks (notify routines) that security products register in order to be told about events such as process creation and image loads, and it disables ETW (Event Tracing for Windows), the telemetry feed that many EDR products consume, including the Microsoft-Windows-Threat-Intelligence provider. The security software is still running, but it is no longer being told what is happening on the machine.

"If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte's pool of potential targets for deploying this EDR bypass is enormous," said Christopher Budd, senior manager for threat research at Sophos. 

By abusing this vulnerability, BlackByte gains kernel-level control and can operate quietly on compromised systems without its tools being flagged, before triggering the ransomware and demanding a payment for the decryption key. Like many other ransomware groups, BlackByte also steals data from victims and threatens to release it if their extortion demands aren't met.


To help protect against Bring Your Own Driver attacks, Sophos recommends keeping drivers up to date so that known vulnerabilities in them are patched, and blocklisting drivers that are known to still be exploitable so they cannot be loaded even though they carry a valid signature. The caveat is that updating only helps on machines where the vulnerable driver is legitimately installed; a BYOVD attacker brings their own copy, so the blocklist (Windows ships one, the Microsoft vulnerable driver blocklist, which can be enforced through Windows Defender Application Control) is the control that actually stops the driver from loading. 
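The callback removal and ETW tampering described above can only happen after the vulnerable driver has been loaded, so the driver load itself is the event to catch, and it is also where the blocklisting recommendation above is enforced. The following is an added example, not Sophos' detection logic or anything from the BlackByte toolkit, of a blocklist check run over a few constructed driver-load records whose field names follow Sysmon Event ID 6 (DriverLoad). The blocklisted hash is a stand-in computed from constructed bytes so the script runs offline; in practice the name and hash sets would be populated from Microsoft's vulnerable driver blocklist or your EDR vendor's feed.

```python
"""Flag loads of known-vulnerable kernel drivers (BYOVD) in driver-load telemetry.

Added example; not code from Sophos, BlackByte or any EDR product.
Record format: 'Key=Value;Key=Value' with Sysmon Event ID 6 field names.
"""
import hashlib
import re
from typing import Dict, Iterable, List

# Driver file names covered by CVE-2019-16098 (MSI Afterburner's RTCore driver).
# Assumption: you maintain this set from a vulnerable-driver blocklist feed.
BLOCKED_NAMES = {"rtcore64.sys", "rtcore32.sys"}

# Stand-in hash computed from constructed bytes so the example is self-contained.
# A real deployment loads genuine SHA-256 values from the blocklist feed instead.
VULN_HASH = hashlib.sha256(b"constructed stand-in for a vulnerable driver image").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed stand-in for a benign driver image").hexdigest()
BLOCKED_SHA256 = {VULN_HASH}

# Directories a properly installed driver normally loads from.
TRUSTED_DIR_RE = re.compile(r"^c:\\windows\\system32\\(drivers|driverstore)\\", re.IGNORECASE)

# Constructed sample events (timestamps and paths are made up for the example).
# Note the vulnerable driver is validly signed: that is the whole point of BYOVD.
SAMPLE_EVENTS = [
    "UtcTime=2022-01-01 00:00:01;ImageLoaded=" + r"C:\Windows\System32\drivers\ndis.sys"
    + ";Hashes=SHA256=" + BENIGN_HASH + ";Signed=true;SignatureStatus=Valid",
    "UtcTime=2022-01-01 00:00:02;ImageLoaded=" + r"C:\Users\Public\RTCore64.sys"
    + ";Hashes=SHA256=" + VULN_HASH + ";Signed=true;SignatureStatus=Valid",
    # Same vulnerable image renamed and dropped into the trusted directory.
    "UtcTime=2022-01-01 00:00:03;ImageLoaded=" + r"C:\Windows\System32\drivers\display.sys"
    + ";Hashes=SHA256=" + VULN_HASH + ";Signed=true;SignatureStatus=Valid",
]


def parse_record(line: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; values may contain '=' (hashes do)."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def sha256_from_hashes(hashes: str) -> str:
    """Extract the SHA256 value from a Sysmon-style 'SHA256=...,MD5=...' field."""
    for item in hashes.split(","):
        if item.upper().startswith("SHA256="):
            return item.split("=", 1)[1].lower()
    return ""


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a driver-load record is suspicious (empty list if none)."""
    reasons: List[str] = []
    path = rec.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in BLOCKED_NAMES:
        reasons.append(f"blocklisted driver name {name}")
    # The hash match is the authoritative signal: it survives renaming the file.
    if sha256_from_hashes(rec.get("Hashes", "")) in BLOCKED_SHA256:
        reasons.append("blocklisted driver hash")
    # A driver loaded from a user-writable location is a classic BYOVD tell.
    if path and not TRUSTED_DIR_RE.match(path):
        reasons.append(f"driver loaded from unusual path {path}")
    # Deliberately no exemption for Signed=true: vulnerable drivers are signed.
    return reasons


def scan_driver_loads(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the blocklist check over driver-load records and collect alerts."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"time": rec.get("UtcTime"), "image": rec.get("ImageLoaded"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_driver_loads(SAMPLE_EVENTS):
        print(alert["time"], alert["image"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Two design points matter here. First, the rule never suppresses an alert because the driver is signed; a valid signature is precisely what lets a BYOVD driver through, so Signed=true carries no reassurance. Second, the name match alone is weak, since an attacker can rename the file: the third sample record is the same vulnerable image renamed to display.sys and dropped into the drivers directory, and only the hash match catches it. Detection is a backstop; the load should be prevented outright by enforcing a driver blocklist.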

"It's critical for defenders to monitor new evasion and exploitation techniques and implement mitigations before these techniques become widely available on the cybercrime scene," said Budd. 

Ransomware continues to be one of the biggest cybersecurity issues facing organisations today. Additional steps that organisations can take to help protect against ransomware and other malware attacks include applying security patches and updates in a timely fashion, and requiring multi-factor authentication for users.  

These can help prevent cyber criminals from being able to access the network in the first place.

