BlackCat ransomware attacks leverage malicious Windows kernel drivers

Silhouette of cat sitting on the ground at dusk.
Photo by Agape Trn on Unsplash

During attacks, the ALPHV ransomware group, also known as BlackCat, has been observed employing signed Windows kernel drivers with malicious intent, aiming to evade detection by security software. The driver identified by Trend Micro is an enhanced variant of the previously identified malware named ‘POORTRY,’ which was previously detected by Microsoft, Mandiant, Sophos, and SentinelOne in ransomware attacks towards the end of the previous year.

The POORTRY malware operates as a Windows kernel driver that has been signed using stolen keys from legitimate accounts within Microsoft’s Windows Hardware Developer Program. The UNC3944 hacking group, also recognized as 0ktapus and Scattered Spider, utilized this malicious driver to terminate security software functioning on Windows devices in order to evade detection.


Share this post

Surveillance cameras on wall

Russia Accuses US of Widespread Apple iPhone Hacking

Russia’s Federal Security Service (FSB) claims to have discovered an elaborate American espionage operation that compromised thousands of iPhones using sophisticated surveillance software. Moscow-based Kaspersky Lab confirmed that several of its employees’ devices were compromised during the operation.

Abstract powerlines

Mandiant Unearths New Malware That Can Sabotage Power Grids

A new strain of malware, dubbed COSMICENERGY, has been discovered that is designed to penetrate and disrupt critical systems in industrial environments. The malware is capable of exploiting an industrial communication protocol called IEC-104 to issue commands to RTUs, which could potentially cause power disruption. There is no evidence that the malware has been used in attacks, but its discovery is a reminder of the threat posed by malicious software to critical infrastructure.