Ransomware, Malware, Endpoint/Device Security, Threat Intelligence

EDR-killing capabilities added to PoorTry Windows driver

Share

Ransomware operations have upgraded that malicious kernel-mode Windows driver PoorTry from an endpoint detection and response system deactivator to an EDR killer, reports BleepingComputer.

Despite being initially developed to disable security systems, PoorTry — also known as BurntCigar — has since been updated to allow the removal of security software's crucial dynamic link libraries and executable files in a RansomHub attack last month, according to an analysis from Sophos. Malicious PoorTry operations commence with the discovery of installation directories and critical directory files followed by the delivery of a request seeking security-related process termination and file deletion to its kernel-mode component, reported Sophos researchers, who noted the tool's support for file name- or type-based deletion. Further analysis revealed that the new PoorTry variants not only leveraged signature timestamp manipulation conducted to evade Windows security inspections and enable utilization of other software metadata but also used various certificates for greater odds of compromise.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.