Cybersecurity researchers at Sophos reported that this ransomware group is using a new technique for attacks. This new technique allows attackers to hide ransomware from security products (like anti-virus). Blackyte ransomware can exploit a security vulnerability present in more than 1,000 drivers and common in some anti-virus software.
How Blacks Are Attacking Windows Users
Windows systems have a graphics utility driver called RTCorec64.sys, in which a security flaw (CVE-2019-16098) is believed to have been abused by the Blackyte ransomware gang. The real function of this driver is to provide extended control over the graphics card by overclocking it.
This vulnerability allows an attacker to read and write system memory by hijacking an authenticated user account, which can eventually be exploited to access information, execute code, etc.
The researchers have named this technique – “Bring your own drive”, which allows attackers to go undetected by the drivers used in more than 1,000 anti-virus software. BlackBerry exploits a driver vulnerability to take control of the targeted system and order it to shut down ETW or Event Tracking for Windows and other common processes used in security products.
What is Event Tracking for Windows or ETW
Senior Manager of Threat Research at Sophos, Christopher Budd explained that ETW is like the “guard at the front gate” in computers. The entire system becomes vulnerable when the main protection fails. Furthermore, because some antivirus vendors use ETW, Blackyte can bypass many security products.
At first, attackers abuse this vulnerability to silently take control of the system and then activate ransomware attack by asking victims to pay a ransom in exchange for the decryption key.
How users can protect themselves from Blackyyte
Researchers at Sophos have recommended that users update their drivers regularly to patch this security bug. Users have also been advised to block the list of drivers that are still vulnerable.
Tech organizations should also regularly release security updates and patches and provide multi-factor authentication (MFA) to keep users safe from these ransomware attacks.
