BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions
Oct 07, 2022
In yet another case of bring your own vulnerable driver (BYOVD) attack, the operators of the BlackByte ransomware are leveraging a flaw in a legitimate Windows driver to bypass security solutions. "The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical write-up. BYOVD is an attack technique that involves threat actors abusing vulnerabilities in legitimate, signed drivers to achieve successful kernel-mode exploitation and seize control of compromised machines. Weaknesses in signed drivers have been increasingly co-opted by nation-state threat groups in recent years, including Slingshot , InvisiMole , APT28 , and most recently, the Lazarus Group . BlackByte, believed to be an offshoot of the now-discontinued Conti group , is part of the big game cybercrime crews, which zeroes in on larg...