"Ransomware Group Bypasses 'Enormous' Range of EDR Tools"

Security researchers at Sophos have discovered that a notorious ransomware group has been using sophisticated techniques to bypass endpoint detection and response (EDR) tools. BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a "Bring Your Own Driver" technique to circumvent over 1000 drivers used by commercially available EDR products. The group exploited a known vulnerability, CVE-2019-16098, in the Windows graphics utility driver RTCore64.sys. This allowed the threat actors to communicate directly with a victim system's kernel and issue commands that disable the callback routines EDR tools rely on. The group also used EDR bypass techniques borrowed from the open-source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider; neutralizing it in this way renders any security tool that relies on the feature useless as well. Because so many different providers use ETW, the researchers stated, BlackByte's pool of potential targets for this EDR bypass is enormous. BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools: AvosLocker used a similar method in May. The researchers noted that EDR bypass appears to be becoming a more popular technique among ransomware groups.


Infosecurity reports: "Ransomware Group Bypasses 'Enormous' Range of EDR Tools"