Tool used by ransomware groups now seen killing EDR: Report
CSO Online
Summary
A recent report from Sophos highlights significant updates to the Poortry/BurntCigar toolkit, which ransomware groups use to defeat endpoint protection software. Originally documented as a tool for terminating endpoint detection and response (EDR) processes, the toolkit can now wipe EDR software from a system entirely. It consists of a malicious kernel driver and a loader, both heavily obfuscated to evade detection, and has been used by ransomware gangs including Cuba, BlackCat, and LockBit. After Microsoft closed the loophole that had let the developers obtain signatures for their custom kernel-mode driver, they adapted by using methods such as Signature Timestamp Forging and by signing with valid but leaked certificates. These changes let the toolkit behave much like a rootkit, improving its evasion and making it a more formidable threat to enterprise defenses.
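The practical question for a defender is how to spot a driver whose signature rests on a forged timestamp or on a certificate that should no longer be trusted. The following is an added example, not code from the Sophos report or the article: a heuristic screen over driver-signature metadata. The record layout, the sample driver records and the rule set are assumptions; in production the fields would be filled from a signature parser (signtool, osslsigncode or a PE library) and from driver-load telemetry. The rules rely on the well-known Windows behaviour that kernel drivers signed with cross-signing certificates issued before 29 July 2015 are still accepted, which is the exception a forged signing timestamp exploits.

```python
"""Heuristic triage of kernel-driver Authenticode metadata.

Added example (not from the Sophos report or the article). All field names,
sample records and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Drivers signed with cross-signing certificates issued before this date are
# accepted by Windows as a legacy exception. Forging the signing timestamp is
# what lets an expired or leaked pre-2015 certificate still yield an
# "acceptable" kernel-mode signature.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


@dataclass
class DriverSignature:
    path: str
    pe_compile_time: datetime            # TimeDateStamp from the PE header
    signed: bool
    signer: str = ""
    cert_not_before: Optional[datetime] = None
    cert_not_after: Optional[datetime] = None
    signing_time: Optional[datetime] = None   # time claimed by the countersignature
    chain_valid: bool = False                 # what the OS signature check reported


def screen_driver(sig: DriverSignature) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing tripped."""
    findings: List[Tuple[str, str]] = []
    if not sig.signed:
        return [("high", "unsigned kernel driver")]
    if not sig.chain_valid:
        findings.append(("high", "certificate chain does not validate"))
    if sig.cert_not_before and sig.cert_not_before < CROSS_SIGN_CUTOFF:
        # Not malicious by itself, but this is the path timestamp forgery abuses.
        findings.append(("info", "pre-2015 cross-signing certificate (legacy exception path)"))
    if sig.signing_time:
        if (sig.cert_not_before and sig.cert_not_after
                and not (sig.cert_not_before <= sig.signing_time <= sig.cert_not_after)):
            findings.append(("high", "claimed signing time outside certificate validity"))
        # A file cannot be signed before it was built. A claimed signing time
        # earlier than the PE compile timestamp is the classic forgery tell
        # (assumption: the attacker did not also rewrite the PE timestamp).
        if sig.signing_time < sig.pe_compile_time:
            findings.append(("high", "claimed signing time predates PE compile timestamp"))
    return findings


def is_suspicious(sig: DriverSignature) -> bool:
    return any(sev == "high" for sev, _ in screen_driver(sig))


def screen_all(drivers: List[DriverSignature]) -> dict:
    return {d.path: screen_driver(d) for d in drivers}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records (not real drivers, signers or incidents).
SAMPLE_DRIVERS = [
    # Old but legitimate vendor driver: built and signed while its cert was valid.
    DriverSignature(r"C:\Windows\System32\drivers\legit.sys", _utc(2014, 3, 1), True,
                    "Example Legit Vendor", _utc(2013, 1, 1), _utc(2016, 1, 1),
                    _utc(2014, 3, 2), chain_valid=True),
    # Forged timestamp: built in 2024, but the countersignature claims 2015,
    # inside the window of an expired pre-cutoff cert, so the OS says "valid".
    DriverSignature(r"C:\Users\Public\kill.sys", _utc(2024, 5, 20), True,
                    "Expired Example Co", _utc(2014, 6, 1), _utc(2015, 6, 1),
                    _utc(2015, 1, 15), chain_valid=True),
    # Unsigned loader-dropped driver.
    DriverSignature(r"C:\Users\Public\loader.sys", _utc(2024, 5, 20), False),
    # Leaked, currently valid certificate: every check passes.
    DriverSignature(r"C:\Users\Public\leaked.sys", _utc(2024, 5, 21), True,
                    "Leaked Example Ltd", _utc(2023, 1, 1), _utc(2026, 1, 1),
                    _utc(2024, 5, 22), chain_valid=True),
]

if __name__ == "__main__":
    for path, findings in screen_all(SAMPLE_DRIVERS).items():
        print(path, findings or "clean")
```

The last sample record is the important caveat: a driver signed with a leaked, still-valid certificate produces no findings, because its metadata is internally consistent. Timestamp checks narrow the forged-signature case; the leaked-certificate case needs certificate revocation data, a driver allow-list or Microsoft's vulnerable-driver blocklist on top.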