Windows Kernel Drivers Used in BlackCat Attacks


In order to evade detection by security software, the BlackCat ransomware was first discovered in February. The driver in use is an enhanced variant of the POORTRY virus, which Microsoft, Mandiant, Sophos, SentinelOne, and SentinelOne detected during ransomware assaults last year.

A Windows kernel driver signed by POORTRY virus uses keys from legitimate Windows Hardware Developer Programme accounts that have been hacked. The UNC3944 hacking collective had previously utilised this driver to disable security software on targeted machines. When attackers tried to employ POORTRY, they realised that security software had a very high detection rate for this malware because of the publicity it received when the code-signing keys were withdrawn.

Read More…