The ALPHV ransomware group, also known as BlackCat, has been observed using malicious signed Windows kernel drivers during attacks to evade detection by security software. The driver identified by Trend Micro is an enhanced variant of previously identified malware named 'POORTRY', which Microsoft, Mandiant, Sophos, and SentinelOne had already detected in ransomware attacks towards the end of the previous year.
The POORTRY malware is a Windows kernel driver signed with keys stolen from legitimate accounts in Microsoft's Windows Hardware Developer Program, so it carries a signature that Windows and security products trust. The UNC3944 hacking group, also known as 0ktapus and Scattered Spider, used this malicious driver to terminate security software running on Windows devices in order to evade detection.