BlackByte Ransomware Abuses Legitimate Drivers to Disable Security Measures

Threat actors use BlackByte ransomware to exploit legitimate servers and circumvent layers of security.

The BlackByte ransomware strain is used by malicious actors to exploit legitimate servers through a technique known as “Bring Your Own Driver”.

BlackByte Ransomware Used to Bypass Security Layers

BlackByte ransomware has been in operation since 2021 and is run as a ransomware-as-a-service operation. Such groups offer ransomware products to other malicious actors for a fee. BlackByte is now back in the spotlight after being used in a tactic known as “Bring Your Own Driver”. In this attack, cyber criminals exploit a vulnerability, CVE-2021-16098, in the RTCore64.sys Windows graphics overclocking driver.

A Bring Your Own Driver attack installs a vulnerable version of the RTCore64.sys driver on a victim’s device. The attacker could then exploit this flawed driver while remaining under the radar of security software.

The new threat was discovered by Sophos, a well-known cybersecurity company. In a Sophos News item, it stated that the CVE-2021-16098 vulnerability “allows an authenticated user to read and write to arbitrary memory, which can be exploited for privilege escalation, high-privilege code execution, or information disclosure.”

Over 1,000 drivers have been disabled by BlackByte

Threat actors have successfully disabled more than 1,000 drivers used by endpoint detection and response (EDR) products in the industry. As mentioned in the Sophos News post above, such security products rely on these drivers to provide protection to their customers.

Specifically, these products monitor the use of many commonly abused API calls, and it is this monitoring that the Bring Your Own Driver attack disables.
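Because the attack depends on loading a vulnerable but legitimately signed driver from a location of the attacker's choosing, a defender's first detection opportunity is the driver-load event itself. The following is an added example, not code from the article or from Sophos: it scans constructed Sysmon Event ID 6 (DriverLoad) records, flattened here to `key=value|key=value` lines, and flags loads of RTCore64.sys, loads from user-writable directories, and unsigned drivers. The sample records, the driver-name blocklist and the directory list are assumptions for illustration.

```python
# Constructed sample of Sysmon Event ID 6 (DriverLoad) records, flattened to one
# "key=value|key=value" line each for the example. These are not real telemetry.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signed=true|Signature=Microsoft Windows",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\RTCore64.sys|Signed=true|Signature=MICRO-STAR INTERNATIONAL CO., LTD.",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\tmpdrv.sys|Signed=false|Signature=",
    "EventID=3|Image=C:\\Program Files\\app.exe|DestinationIp=10.0.0.5",
]

# File names of drivers known to be abused in Bring Your Own Driver attacks.
# RTCore64.sys is the one the article discusses; in practice this set is
# populated from a maintained vulnerable-driver blocklist (assumed here).
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}

# Directories from which a legitimately installed driver rarely loads (assumed list).
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_event(line):
    """Turn one flattened record into a dict; values may themselves contain '='."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def assess_driver_load(event):
    """Return the reasons a DriverLoad event looks like BYOVD; empty list if none."""
    if event.get("EventID") != "6":
        return []  # only driver-load events are relevant here
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {name}")
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append(f"loaded from unusual directory: {path}")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def scan(lines):
    """Return (driver path, reasons) for every record that raised at least one flag."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings.append((event["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

A signed driver is not a safe driver: the RTCore64.sys record above carries a valid vendor signature and is flagged only because of its name and load path, which is why a blocklist by name and hash belongs in the rule alongside signature checks.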

BlackByte has caused problems in the past

It is not the first time that BlackByte has been used in cyber attacks. In early 2022, the FBI warned of a series of BlackByte ransomware attacks that took place through misuse of Microsoft Exchange servers. The series of exploits took place in December 2021, in which attackers broke into corporate networks using three ProxyShell vulnerabilities to install web shells on compromised servers.

Since the attacks, patches have been developed for the ProxyShell vulnerabilities, but this doesn’t seem to have stopped BlackByte operators from continuing their attacks elsewhere.

Ransomware continues to threaten individuals and businesses alike

Ransomware can cause huge losses, whether of data or of money. This type of cyber attack is now so popular that it can be bought from illegal service providers, giving even more malicious actors the opportunity to exploit victims. It is unknown whether BlackByte operators will continue to be a problem in the future, but this Windows attack is another example of the capabilities of ransomware programs.
