Ransomware Group Bypasses “Enormous” Range of EDR Tools

A notorious ransomware group has been spotted leveraging advanced strategies to bypass endpoint detection and reaction (EDR) tools.

BlackByte, which the US govt has explained poses a really serious menace to critical infrastructure, used a “Bring Your Very own Driver” procedure to circumvent more than 1000 motorists employed by commercially obtainable EDR products and solutions, according to Sophos.

The UK cybersecurity vendor stated in a new report that the group experienced exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

This enabled it to communicate instantly with a target system’s kernel and issue commands to disable callback routines made use of by EDR resources.

The group also made use of EDR bypass techniques borrowed from open up resource device EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Celebration Tracing for Windows) company.

This is a Windows function “that offers logs about the use of typically maliciously abused API phone calls this sort of as NtReadVirtualMemory to inject into a further process’s memory,” described Sophos. Neutralizing it in this way renders any security device relying on the aspect also ineffective, the firm argued.

“If you believe of computers as a fortress, for lots of EDR providers, ETW is the guard at the entrance gate,” reported Christopher Budd, senior manager, risk investigation at Sophos.

“If the guard goes down, then that leaves the rest of the system particularly susceptible. And, mainly because ETW is applied by so quite a few different providers, BlackByte’s pool of prospective targets for deploying this EDR bypass is massive.”

BlackByte is not the only ransomware group utilizing these innovative methods to get close to present detection tools, illustrating the ongoing arms race concerning attackers and defenders. AvosLocker employed a very similar process in May possibly, Sophos said.

“Anecdotally, from what we’re looking at in the area, it does seem that EDR bypass is becoming a a lot more preferred technique for ransomware danger groups,” confirmed Budd.

“This is not shocking. Danger actors normally leverage resources and methods designed by the ‘offensive security’ market to start attacks speedier and with negligible effort.”