BlackByte Ransomware Abuses Legitimate Drivers to Disable Security Measures

Threat actors are using BlackByte ransomware to abuse a legitimate, validly signed driver and bypass security layers.


The BlackByte ransomware strain is being used by malicious actors to abuse a legitimate driver via a technique known as “Bring Your Own Driver” (more commonly called Bring Your Own Vulnerable Driver, or BYOVD).


BlackByte Ransomware Used to Bypass Security Layers

BlackByte ransomware has been in use since 2021 and operates as a ransomware-as-a-service (RaaS) organization. Such groups rent their ransomware to other malicious actors for a fee or a share of the proceeds. BlackByte is now back in the spotlight after being used in a tactic known as “Bring Your Own Driver”. In this attack, cybercriminals are exploiting a vulnerability in RTCore64.sys, the kernel driver shipped with the MSI Afterburner graphics card overclocking utility, tracked as CVE-2019-16098.

A Bring Your Own Driver attack involves the attacker dropping a legitimately signed but vulnerable driver, here RTCore64.sys, onto the victim’s device and loading it. Because the driver carries a valid vendor signature, Windows loads it without complaint; the attacker then abuses the flaw to gain kernel-level access while staying under the radar of security software. One caveat for defenders: loading a driver requires administrative rights, so BYOVD is not an initial-access technique but a way for an attacker who already has an admin foothold to reach the kernel and blind the security stack.

The new threat was discovered by Sophos, a well-known cybersecurity firm. In a Sophos News post, it was stated that the CVE-2019-16098 vulnerability “allows an authenticated user to read and write to arbitrary memory, which could be exploited for privilege escalation, code execution under high privileges, or information disclosure”.

Over 1,000 Security Drivers Are Targeted by BlackByte

Using the kernel memory access the vulnerable driver provides, BlackByte removes the kernel notification callbacks (notify routines) that security drivers register with Windows. Sophos reports that the routine targets over 1,000 drivers used by endpoint detection and response (EDR) products. As stated in the aforementioned Sophos News post, such security products rely on these drivers to provide protection to their clientele.

Specifically, EDR drivers use those callbacks to be notified when processes and threads are created, when images are loaded and when the registry or protected objects are touched; that is how they monitor frequently abused API calls and behaviour. With the callbacks removed, the EDR process keeps running but no longer receives those notifications, so its monitoring is silently halted by these Bring Your Own Driver attacks.
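A defender’s first question is whether the vulnerable driver was ever loaded. The following detection is an added example and is not code from Sophos or from the BlackByte write-up: it parses the Message text of Sysmon Event ID 6 (DriverLoad) records and flags a load of RTCore64.sys by name, by SHA256 hash, or by an unusual load path. The event records, the signer string and the SHA256 values below are constructed placeholders, not real indicators; populate `BLOCKLISTED_SHA256` from a real source such as Microsoft’s recommended driver block rules. Note that a valid signature is deliberately not treated as exonerating, since a validly signed driver is exactly what BYOVD relies on, and that the hash check is what catches a renamed copy of the driver.

```python
"""Flag Bring Your Own Vulnerable Driver (BYOVD) loads in Sysmon Event ID 6 records.

Added example (not from the original article or from Sophos).  All sample
events, hashes and signer strings below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Driver file names the article discusses as abused for BYOVD (lower-case).
KNOWN_ABUSED_DRIVERS = {"rtcore64.sys"}

# Placeholder blocklist.  In practice fill this from Microsoft's recommended
# driver block rules or the vendor advisory; the value here is a fake hash
# that only matches the constructed sample below.
BLOCKLISTED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

# Directories a driver is normally loaded from.  A .sys file loaded from a
# user profile, ProgramData, Temp or a share is suspicious on its own.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signer: str
    signature_status: str


_FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_sysmon_driver_load(message: str) -> DriverLoad:
    """Parse the 'Key: value' lines of a Sysmon Event ID 6 Message body."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    # The Hashes field looks like "SHA256=...,MD5=..."; pull out SHA256 only.
    sha256 = ""
    for part in fields.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            sha256 = value.strip().lower()
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        sha256=sha256,
        signed=fields.get("Signed", "").lower() == "true",
        signer=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def byovd_findings(ev: DriverLoad) -> List[str]:
    """Return the reasons a driver load looks like BYOVD (empty list = clean)."""
    findings: List[str] = []
    path = ev.image.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_ABUSED_DRIVERS:
        findings.append(f"known BYOVD driver {name}")
    if ev.sha256 in BLOCKLISTED_SHA256:
        findings.append(f"blocklisted driver hash {ev.sha256[:12]}... (catches renamed copies)")
    if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        findings.append(f"loaded from non-standard path {ev.image}")
    if not ev.signed or ev.signature_status.lower() != "valid":
        findings.append("unsigned or invalidly signed driver")
    # Deliberately no "signed and valid => clean" rule: RTCore64.sys is validly
    # signed by its vendor, which is precisely why attackers bring it along.
    return findings


def scan(messages: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the checks over a batch of Sysmon Event ID 6 Message bodies."""
    hits = []
    for msg in messages:
        ev = parse_sysmon_driver_load(msg)
        reasons = byovd_findings(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events (placeholder hashes and signer strings).
SAMPLE_EVENTS = [
    # The abused driver dropped in a user-writable directory with a valid signature.
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-10-05 13:22:11.123\n"
    "ImageLoaded: C:\\Users\\Public\\RTCore64.sys\n"
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000\n"
    "Signed: true\nSignature: EXAMPLE VENDOR CO., LTD.\nSignatureStatus: Valid",
    # The same file renamed to dodge a name-based rule: only the hash catches it.
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-10-05 13:22:11.900\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\gpu_helper.sys\n"
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000\n"
    "Signed: true\nSignature: EXAMPLE VENDOR CO., LTD.\nSignatureStatus: Valid",
    # A normal Windows driver load that must not fire.
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-10-05 13:22:12.456\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\n"
    "Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: " + "; ".join(reasons))
```

Run as-is it alerts on the first two constructed events and stays quiet on tcpip.sys. The second event is the important one: a renamed RTCore64.sys sitting in the normal drivers directory passes both the name and path checks, so a hash or signer-based blocklist (or simply enabling Microsoft’s vulnerable driver blocklist via HVCI/WDAC) is what actually prevents a BYOVD load rather than merely logging it.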

BlackByte Has Caused Problems in the Past

This is not the first time that BlackByte has been used in cyberattacks. In early 2022, the FBI issued a warning about a string of BlackByte ransomware attacks carried out by compromising Microsoft Exchange servers. The intrusions took place in December 2021, with attackers breaching corporate networks by chaining the three ProxyShell vulnerabilities to install web shells on the compromised servers.

Microsoft had already released patches for the ProxyShell vulnerabilities before these attacks, so the victims were servers that had not been updated; either way, the availability of fixes has not stopped BlackByte operators from continuing their attacks elsewhere.

Ransomware Continues to Threaten Individuals and Companies Alike

Ransomware has the ability to cause huge losses, whether in data or in financial terms. This type of cyberattack is now so popular that it can be rented from illicit service providers, giving even more malicious actors the ability to exploit victims. It is not known whether BlackByte operators will continue to cause problems in the future, but this driver-abuse attack stands as another example of the capabilities of ransomware operations.
