BlackByte: Ransomware Disables Security Software
The cyber extortionists exploit a known vulnerability in a Windows graphics driver. They then manipulate drivers of anti-virus software. This way, the BlackByte group can access systems of its victims undisturbed.
Those behind the BlackByte ransomware are currently spreading a new variant of their extortion software. According to an analysis by security provider Sophos, this exploits a known vulnerability that allows BlackByte to disable antivirus software and thus evade detection.
BlackByte is a relatively new group of cyber extortionists. A series of attacks on critical infrastructure and other high-profile targets prompted the U.S. Federal Bureau of Investigation (FBI) to warn about the group recently.
The vulnerability, with the identifier CVE-2019-16098, is in a graphics driver of Windows systems. The RTCore64.sys file provides advanced control functions over a graphics card, which allows overclocking, among other things.
Attackers who exploit the flaw can read and write any memory areas. However, they must first gain access to an authenticated user account. After that, however, they are able to gain higher privileges than the logged-in user, execute malicious code or read confidential information. In addition, according to Sophos, it is possible to bypass more than 1000 drivers as part of a “Bring Your Own Driver” attack, which are used by antivirus programs.
To do this, the hackers need to communicate directly with the kernel of the attacked system and instruct it to disable certain routines of antivirus software. Even tracing in Windows (ETW) can also be disabled in this way.
“If you think of computers as a fortress, then for many security vendors ETW is the guard at the front gate. If the guard fails, the rest of the system is extremely vulnerable. And because ETW is used by so many different vendors, the pool of potential targets for BlackByte to use this EDR evasion is enormous,” said Christopher Budd, senior manager for threat research at Sophos.
By exploiting the vulnerability, BlackByte gains the necessary privileges to access a system undetected before the actual ransomware attack is executed and a ransom demand is made. This allows BlackByte to steal their victims’ data undisturbed and blackmail them by publishing the information.