BlackByte Ransomware Gang Resurfaces With Sophisticated EDR Bypass Attack
The BlackByte ransomware gang has resurfaced with a new and sophisticated attack method, a worrying development in today's cyber news. The group, recently featured in a joint advisory by the Secret Service and FBI, has added a 'Bring Your Own Driver' technique to bypass more than 1,000 drivers used by Endpoint Detection and Response (EDR) products.

In May, BlackByte reemerged after a brief hiatus, launching new leak sites and extortion tactics. The group, also known as 'Gentlemen', introduced a novel technique that allows it to bypass EDR products: it brings its own drivers, including a signed legitimate driver (ThrottleBlood.sys) that it misuses to terminate protected security processes at the kernel level.

BlackByte's latest tactic abuses a vulnerability in RTCore64.sys to communicate directly with the kernel of a targeted system. This lets the group disable EDR and ETW features, rendering ineffective EDR products that rely on ETW to monitor malicious API calls.

The use of 'Bring Your Own Driver' techniques for EDR bypass is becoming more popular among ransomware groups; AvosLocker also abused a driver vulnerability to disable antivirus solutions in May. BlackByte's new method is not an isolated incident but part of a growing trend in the evolving tactics of ransomware groups. This development underscores the need for constant vigilance and adaptive security measures to counter emerging threats in the cyber landscape.
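From the defender's side, the signal to watch for is a kernel driver load event that names one of the drivers reported above, matches a vulnerable-driver blocklist, or comes from a directory where drivers are not normally installed. The following is an added example, not code from the article or from any vendor, that triages simplified Sysmon Event ID 6 (DriverLoad) records; the log lines and the blocklist hashes are constructed placeholders, not real indicators.

```python
import re
from collections import namedtuple

# Driver names the article reports being abused for EDR/ETW tampering.
WATCHLIST_NAMES = {"rtcore64.sys", "throttleblood.sys"}
# Placeholder hashes standing in for a blocklist you would populate from a
# trusted vulnerable-driver list (constructed values, not real indicators).
BLOCKLIST_SHA256 = {"PLACEHOLDER_SHA256_RTCORE64", "PLACEHOLDER_SHA256_THROTTLEBLOOD"}
# Directories from which a legitimately installed driver is rarely loaded.
UNUSUAL_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed, simplified Sysmon DriverLoad records (key=value fields, one per line).
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Hashes=SHA256=AAA Signed=true Signature=Microsoft Windows
EventID=6 ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\RTCore64.sys Hashes=SHA256=PLACEHOLDER_SHA256_RTCORE64 Signed=true Signature=Micro-Star International
EventID=6 ImageLoaded=C:\\ProgramData\\svc\\drv.sys Hashes=SHA256=BBB Signed=true Signature=Some Vendor
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ThrottleBlood.sys Hashes=SHA256=CCC Signed=true Signature=TechPowerUp
EventID=1 Image=C:\\Windows\\notepad.exe"""

Finding = namedtuple("Finding", "driver reasons")
# Key=value pairs; a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def assess_driver_load(event):
    """Return the reasons a DriverLoad event looks like a BYOVD attempt, or [] if none."""
    if event.get("EventID") != "6":
        return []
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    sha256 = event.get("Hashes", "").replace("SHA256=", "", 1)
    reasons = []
    if name in WATCHLIST_NAMES:
        reasons.append(f"known-abused driver name {name}")
    if sha256 in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if any(d in path.lower() for d in UNUSUAL_DIRS):
        reasons.append("driver loaded from unusual directory")
    return reasons

def scan(log_text):
    """Apply assess_driver_load to every line and collect the flagged loads."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings.append(Finding(event["ImageLoaded"], reasons))
    return findings
```

A signed driver is not a clean driver: the second and fourth sample lines are both validly signed and are still flagged, which is the point of keeping a name and hash watchlist alongside the path heuristic.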