May 22, 2023, updated 21 Aug 2023 3:52pm

BlackCat ransomware is using signed Microsoft kernel drivers to avoid detection

Research has revealed how the Russian gang's malware remains hidden in systems and gets around end-point security.

By Claudia Glover

An end-point security evasion technique used by the ransomware gang BlackCat has been uncovered by researchers. The new procedure cloaks the gang’s defensive manoeuvres once it is inside a network: the cybercrime group has been found using Microsoft-signed kernel drivers to control and kill security processes deployed on protected machines. This is likely to become a fixture in the cybercriminal toolkit, the report states.

[Image: BlackCat ransomware has found a new way to avoid detection. (Photo by Zsa Zsa Faes Photography/Shutterstock)]

Microsoft has subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.

End-point security evasion technique of BlackCat ransomware uncovered

Affiliates of BlackCat have been known to use several methods of defence evasion in a bid to remain in a system, undetected, for as long as they can. The most recent technique is the use of malicious kernel drivers signed through Microsoft hardware developer accounts.

Running in the kernel lets the driver impair defences on a victimised machine by controlling, pausing and killing processes belonging to security agents on the targeted end-points, states the research from security vendor Trend Micro.

If a kernel-mode driver is not signed by a trusted certification authority, it will not run: the operating system will not load untrusted drivers, and developer workarounds such as kernel debugging and test signing are not permitted on a standard configuration, explains a post by Microsoft Build. A signature obtained through a legitimate Microsoft hardware developer account therefore passes this check.

Trend Micro’s research demonstrates the effectiveness of this technique through attacks carried out by BlackCat earlier this year. Typically, by abusing Microsoft signing portals, using leaked or stolen certificates, or buying signatures from underground services, cybercriminals are able to sign malicious kernel drivers, giving their code kernel-level access once the driver loads.

These techniques will probably become a fixture of the cybercriminal toolkit, states the report. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”
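Because a driver signed through an abused hardware developer account carries a valid Microsoft-rooted signature, signature status alone does not separate it from a legitimate driver. The following PowerShell audit, added here as an example and not taken from the Trend Micro report or from the article, lists the kernel drivers currently loaded on a Windows host with their Authenticode status and signer, and surfaces those that are unsigned, fail validation, or were written to disk recently, so a defender can review newly arrived signed drivers. It assumes a Windows host with PowerShell 5.1 or later and the standard Win32_SystemDriver CIM class; the 30-day window is an arbitrary choice.

```powershell
# Added example (not the report's or the article's code): audit loaded kernel drivers.
# Assumes Windows, PowerShell 5.1+, and the built-in Win32_SystemDriver CIM class.

function Get-LoadedDriverSignatures {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix, or be relative to the
            # Windows directory; normalise it to a path Get-AuthenticodeSignature can open.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                Name        = $_.Name
                Path        = $path
                Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                NotAfter    = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
                LastWritten = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
}

# Review list: drivers that are unsigned or whose signature no longer validates, plus any
# validly signed driver written to disk in the last 30 days. A freshly dropped driver signed
# via an abused developer account shows Status = Valid, so recency is what flags it here.
$cutoff = (Get-Date).AddDays(-30)
Get-LoadedDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.LastWritten -gt $cutoff } |
    Sort-Object LastWritten -Descending |
    Format-Table Name, Status, Signer, NotAfter, LastWritten -AutoSize
```

Run it from an elevated prompt so every driver image on disk is readable; anything it lists still needs a human decision, since a legitimately updated driver will appear in the recency bucket as well.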


Who are BlackCat?

Also known as ALPHV, BlackCat ransomware first appeared in November 2021, attacking targets in multiple countries including Australia, India and the US and demanding ransoms ranging from $400,000 to $3m in the cryptocurrencies Bitcoin or Monero.

The Russian gang is thought to have connections to another group, DarkSide, which carried out the notorious attack on the Colonial Pipeline in 2020. That attack disrupted the oil supply chain to the US Eastern Seaboard and prompted President Joe Biden to declare a national state of emergency.

Earlier this year Munster Technological University (MTU) in Ireland fell victim to a ransomware attack by BlackCat. The gang stole 6GB of data from the university, including personal information of staff and students, and released it onto the dark web when representatives of MTU refused to cooperate.

Other high-profile victims include the Ecuadorian Army and the US defence intelligence contractor NJVC, though there was no evidence of data from the latter being posted online.
