"Malicious Windows Kernel Drivers Used in BlackCat Ransomware Attacks"

The ALPHV ransomware group, also known as BlackCat, was observed using signed malicious Windows kernel drivers to avoid detection by security software. The driver seen by Trend Micro is an updated version of the malware called 'POORTRY' that Microsoft, Mandiant, Sophos, and SentinelOne saw in ransomware attacks last year. POORTRY is a Windows kernel driver that was signed with stolen keys belonging to legitimate Microsoft Windows Hardware Developer Program accounts. The driver was used by the UNC3944 hacking group, also known as 0ktapus and Scattered Spider, to disable security software on a Windows device in order to bypass detection. According to Trend Micro, the ransomware operators first tried to use the Microsoft-signed POORTRY driver, but it was readily detected, both because of the publicity it had received and because the code-signing keys had since been revoked. The attackers therefore deployed an updated version of the POORTRY kernel driver signed with a stolen or leaked cross-signing certificate. The new driver used by the BlackCat ransomware operation allows for the elevation of privileges on compromised machines and the termination of security-related processes. This article continues to discuss the ALPHV ransomware employing signed malicious Windows kernel drivers to evade detection by security software.
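The attack described above relies on a kernel driver whose signature looks legitimate at load time but rests on stolen or revoked keys. As an added example (not from the article or from Trend Micro), the following PowerShell script inventories the running kernel drivers on a Windows host and re-validates each one's Authenticode signature so that drivers that are unsigned, fail validation, or are signed by an unexpected publisher can be triaged; it assumes an elevated session on Windows 10/11.

```powershell
# Added example: audit the signatures of every running kernel driver.
# Assumes an elevated PowerShell session on Windows 10/11.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Win32_SystemDriver.PathName may carry the \??\ or \SystemRoot\ prefix;
    # normalise it to a path the file system cmdlets understand.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Re-check the signature now, not at install time: a certificate that was
    # valid when the driver was signed may have been revoked since.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Status     = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer     = if ($cert) { $cert.Subject } else { '<none>' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Triage leads, not verdicts:
#  - any Status other than 'Valid' (covers unsigned, tampered and untrusted chains);
#  - a signer that is not Microsoft (third-party drivers are common, but each one
#    should be explainable by installed hardware or software).
$suspect = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}

$report  | Sort-Object Status, Signer | Format-Table -AutoSize
$suspect | Format-Table Name, Status, Signer, Path -AutoSize
```

Caveat: some inbox drivers are catalog-signed rather than embedded-signed and can show a non-Valid status on certain builds, so cross-check a flagged Microsoft driver's hash against a known-good host before treating it as malicious.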

Bleeping Computer reports "Malicious Windows Kernel Drivers Used in BlackCat Ransomware Attacks"
