BlackByte Ransomware Exploits Authorized Driver to Disable Security Protections


BlackByte ransomware has been observed exploiting a vulnerability in a legitimate driver to disable endpoint detection and response (EDR) solutions on the compromised system.

Although a decryptor for BlackByte ransomware was made available in October of last year, the threat has persisted. While investigating recent activity around the ransomware-as-a-service (RaaS) operation and its new data leak site, Sophos security researchers found that it has been using a sophisticated technique to get around security products.

BlackByte abuses the vulnerable driver to overwrite, with zeros, the kernel-memory callback entries registered by the drivers that EDR products rely on, which is how it disables those products on the compromised system.

Read More: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections
