BlackCat ransomware started using Windows kernel level driver
According to a report dated May 23, 2023, BlackCat ransomware, also known as ALPHV, has recently adopted a more sophisticated method by using kernel-level signed Windows drivers to evade detection by anti-malware software.
It turns out that this approach is based on an improved version of the POORTRY malware, which had already been observed in ransomware attacks the previous year. POORTRY is a Windows kernel-level driver signed with stolen keys belonging to legitimate accounts in the Microsoft Windows Hardware Developer program. This driver avoids detection by antivirus software, as it works at the kernel level with the highest system privileges, and can be used to terminate any process.
Ransomware operators tried to use the older version of POORTRY signed by Microsoft, but after the revocation of compromised keys, antivirus software started to detect it effectively. However, a new version of the driver was observed in the BlackCat campaigns, helping the attackers to elevate their privileges.
This driver, named ktgn.sys, is placed in the %Temp% temporary folder and is launched using a user-level executable file, tjr.exe. Although the digital signature of ktgn.sys has been revoked, the driver still manages to start without problems on 64-bit Windows systems.
Read more about it : here