Cybersecurity researchers at Sophos have reported that the BlackByte ransomware group is using a new technique in its attacks. The technique lets the attackers hide the ransomware from security products such as antivirus and EDR software. It relies on a known security flaw in a single, legitimately signed third-party driver, which BlackByte abuses to strip the kernel hooks that security products depend on; the ransomware carries a list of more than 1,000 such security-product drivers to target.
How BlackByte is attacking Windows users
The vulnerable component is RTCore64.sys, a kernel driver shipped with MSI Afterburner, a graphics-card overclocking and monitoring utility. It is not part of Windows itself, but it carries a valid signature, so Windows loads it without complaint. A flaw in this driver, tracked as CVE-2019-16098, is reportedly being abused by the BlackByte gang. The driver's legitimate job is to give the utility low-level hardware access so it can overclock and monitor the graphics card.
CVE-2019-16098 lets any authenticated local user read and write arbitrary memory through the driver's I/O control (IOCTL) interface. No account takeover is needed beyond the attacker's existing foothold: any code running as a logged-in user can open the device and use it to read kernel data, modify kernel structures, or escalate to code execution in the kernel.
Sophos calls the technique "Bring Your Own Driver" (commonly BYOVD, for Bring Your Own Vulnerable Driver): instead of exploiting software already on the victim's machine, the attacker drops a signed driver with a known flaw, loads it, and uses the flaw as a kernel read/write primitive. BlackByte uses that primitive to disable Event Tracing for Windows (ETW) and to remove the kernel callback routines (notifications for events such as process creation and image loading) that security products register. Its target list covers more than 1,000 drivers used by antivirus and EDR products, which is why abusing a single driver blinds so many of them at once.
What is Event Tracing for Windows or ETW
Christopher Budd, senior manager for threat research at Sophos, has explained that ETW is like "the guard at the front gate" of the computer: once that primary guard is down, the whole system is exposed. Moreover, because many antivirus vendors rely on ETW, BlackByte can bypass multiple security products with the same move.
In practice, the attackers first abuse the driver to quietly take control of the system and switch off its defenses, then deploy the ransomware and demand a payment from the victim in exchange for the decryption key.
How users can protect themselves from BlackByte
Sophos recommends keeping drivers up to date, which should replace the vulnerable driver version on systems where the utility is installed, and blocklisting the vulnerable driver versions (for example by file hash) so they cannot be loaded at all. The second step is the important one: updating alone does not stop this attack, because the attacker brings their own copy of the old, vulnerable driver. Microsoft's vulnerable driver blocklist, enforced through Windows Defender Application Control (WDAC) or memory integrity (HVCI), is the standard way to refuse such drivers.
Organisations should also apply updates and security patches promptly, require multi-factor authentication (MFA) so that stolen credentials alone do not hand attackers their initial foothold, and monitor driver-installation events so that an unexpected driver load is noticed before the ransomware runs.
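As an added example (not Sophos tooling or anything taken from the BlackByte analysis), the following Python script shows how a defender could triage driver-load telemetry for the kind of event described in this article: a known-vulnerable driver such as RTCore64.sys being loaded, typically from a user-writable location, with a perfectly valid signature. It assumes Sysmon Event ID 6 ("Driver loaded") records exported as JSON lines. The sample records, file paths and hash values are constructed for the example, the vendor signature strings are placeholders, and the hash blocklist is supplied by the caller (for instance from Microsoft's vulnerable driver blocklist) rather than hard-coded here.

```python
"""Triage Sysmon Event ID 6 ("Driver loaded") records for signs that a
vulnerable driver such as RTCore64.sys has been brought onto a host.

Added example for this article, not Sophos tooling. Sample records, file
paths, signer names and hash values are constructed; the hash blocklist is
supplied by the caller (e.g. from Microsoft's vulnerable driver blocklist)
and is empty by default.
"""
import json
import ntpath
from dataclasses import dataclass, field

# Driver file names associated with CVE-2019-16098 (MSI Afterburner).
KNOWN_VULNERABLE_DRIVER_NAMES = frozenset({"rtcore64.sys", "rtcore32.sys"})

# Where Windows normally loads drivers from. A driver anywhere else
# (user profile, Temp, ProgramData) is the classic BYOVD tell.
NORMAL_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Placeholder hash used in the constructed sample; not a real file hash.
SAMPLE_RTCORE64_SHA256 = "a1" * 32


def _sample_event(image, sha256, signature):
    """Build one constructed Sysmon Event ID 6 record (fields as Sysmon names them)."""
    return {
        "EventID": 6,
        "UtcTime": "2022-10-04 10:00:00.000",
        "ImageLoaded": image,
        "Hashes": "SHA256=" + sha256,
        "Signed": "true",
        "Signature": signature,
        "SignatureStatus": "Valid",
    }


# Constructed sample: one benign load, one vulnerable driver dropped into a
# public folder, one unknown driver loaded from Temp, and one non-driver event.
SAMPLE_EVENTS = [
    _sample_event("C:\\Windows\\System32\\drivers\\tcpip.sys", "00" * 32, "Microsoft Windows"),
    _sample_event("C:\\Users\\Public\\RTCore64.sys", SAMPLE_RTCORE64_SHA256, "Constructed Vendor Cert"),
    _sample_event("C:\\Windows\\Temp\\update.sys", "b2" * 32, "Constructed Vendor Cert"),
    {"EventID": 1, "UtcTime": "2022-10-04 10:00:02.000", "Image": "C:\\Windows\\System32\\cmd.exe"},
]
SAMPLE_EVENTS_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


@dataclass
class Finding:
    utc_time: str
    image: str
    sha256: str
    reasons: list = field(default_factory=list)


def load_events(jsonl_text):
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def parse_hashes(hashes_field):
    """Split Sysmon's 'SHA1=...,SHA256=...' field into {ALGO: lowercase hexdigest}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_normal_driver_path(image_path):
    """True if the driver was loaded from a directory Windows normally uses."""
    p = image_path.lower()
    return any(p.startswith(d) for d in NORMAL_DRIVER_DIRS)


def triage_driver_load(event, hash_blocklist=frozenset()):
    """Return a Finding for a suspicious Event ID 6 record, else None.

    A 'Valid' signature is deliberately not treated as exonerating: BYOVD
    relies on drivers that are correctly signed, so the name and hash
    checks run regardless of signature status.
    """
    if str(event.get("EventID")) != "6":
        return None
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    blocked = {h.lower() for h in hash_blocklist}
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name")
    if sha256 and sha256 in blocked:
        reasons.append("hash on vulnerable-driver blocklist")
    if image and not is_normal_driver_path(image):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    if not reasons:
        return None
    return Finding(event.get("UtcTime", ""), image, sha256, reasons)


def triage_events(events, hash_blocklist=frozenset()):
    """Run triage_driver_load over a list of events and collect the findings."""
    findings = []
    for event in events:
        finding = triage_driver_load(event, hash_blocklist)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_events(load_events(SAMPLE_EVENTS_JSONL), {SAMPLE_RTCORE64_SHA256}):
        print(f"{f.utc_time} {f.image}: {'; '.join(f.reasons)}")
```

The signature rule is the least important of the four and is there mainly to make the point explicit: the driver BlackByte brings passes Authenticode checks, so a "Valid" status must never be read as a clean bill of health. Detection of this kind is a backstop; the primary control is refusing the load, which means feeding the same hashes into an enforced blocklist (WDAC or HVCI) rather than only alerting on them.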