Ransomware Group Bypasses “Enormous” Range of EDR Tools

A notorious ransomware group has been spotted leveraging advanced strategies to bypass endpoint detection and reaction (EDR) tools.

BlackByte, which the US govt has explained poses a really serious menace to critical infrastructure, used a “Bring Your Very own Driver” procedure to circumvent more than 1000 motorists employed by commercially obtainable EDR products and solutions, according to Sophos.

The UK cybersecurity vendor stated in a new report that the group experienced exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

This enabled it to communicate instantly with a target system’s kernel and issue commands to disable callback routines made use of by EDR resources.

The group also made use of EDR bypass techniques borrowed from open up resource device EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Celebration Tracing for Windows) company.

This is a Windows function “that offers logs about the use of typically maliciously abused API phone calls this sort of as NtReadVirtualMemory to inject into a further process’s memory,” described Sophos. Neutralizing it in this way renders any security device relying on the aspect also ineffective, the firm argued.

“If you believe of computers as a fortress, for lots of EDR providers, ETW is the guard at the entrance gate,” reported Christopher Budd, senior manager, risk investigation at Sophos.

“If the guard goes down, then that leaves the rest of the system particularly susceptible. And, mainly because ETW is applied by so quite a few different providers, BlackByte’s pool of prospective targets for deploying this EDR bypass is massive.”

BlackByte is not the only ransomware group utilizing these innovative methods to get close to present detection tools, illustrating the ongoing arms race concerning attackers and defenders. AvosLocker employed a very similar process in May possibly, Sophos said.

“Anecdotally, from what we’re looking at in the area, it does seem that EDR bypass is becoming a a lot more preferred technique for ransomware danger groups,” confirmed Budd.

“This is not shocking. Danger actors normally leverage resources and methods designed by the ‘offensive security’ market to start attacks speedier and with negligible effort.”