Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.
In a BYOVD attack, threat actors abuse a vulnerability in a legitimate, signed driver on which security products rely to achieve kernel-mode exploitation.
Other ransomware gangs have abused the BYOVD technique in the past to disable security solutions; for example, RobbinHood and AvosLocker operators exploited vulnerabilities (e.g. CVE-2018-19320) in the gdrv.sys and asWarPot.sys drivers.
While investigating the most recent variant of the ransomware, which is written in Go, the experts discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.
The researchers discovered that the BlackByte ransomware operators are exploiting a privilege escalation and code execution vulnerability (CVE-2019-16098, CVSS score 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver.
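Because the drivers abused in BYOVD attacks are legitimately signed, a valid signature is not a reason to trust a driver load; defenders instead inventory driver-load telemetry and match it against a list of known abused drivers. The following is an added example, not code from Sophos or the article: it parses constructed, simplified Sysmon Event ID 6 (DriverLoad) records in a `key=value` layout and flags loads of the drivers named above (RTCore64.sys, gdrv.sys, asWarPot.sys). The record format, the sample events and the hash list entry are assumptions; real driver hashes are not given on the page, so a placeholder stands in for them.

```python
"""Flag driver-load events naming drivers known to be abused in BYOVD attacks.

Added example (not the article's or Sophos's code). Parses constructed,
simplified Sysmon Event ID 6 (DriverLoad) records and matches the loaded image
against a list of driver names the article mentions. Name matching is a
first-pass heuristic; a production check would also match on file hashes
from a curated blocklist (placeholder used here, since the page gives none).
"""
import re
from pathlib import PureWindowsPath

# Driver names cited in the article as abused in BYOVD attacks (lower-case keys).
KNOWN_BYOVD_DRIVERS = {
    "rtcore64.sys": "CVE-2019-16098 (MSI Afterburner RTCore64.sys)",
    "gdrv.sys": "CVE-2018-19320 (gdrv.sys)",
    "aswarpot.sys": "abused by AvosLocker operators (per the article)",
}

# Placeholder: a real deployment would load SHA-256 values from a maintained list.
KNOWN_BAD_SHA256 = {
    "placeholder_sha256_of_vulnerable_driver": "placeholder hash-list entry",
}

# Constructed sample records in a simplified key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\ntfs.sys Signed=true Signature=Microsoft Windows Hashes=SHA256=aaaa",
    r"EventID=6 ImageLoaded=C:\Users\Public\RTCore64.sys Signed=true Signature=MICRO-STAR INTERNATIONAL CO., LTD. Hashes=SHA256=bbbb",
    r"EventID=6 ImageLoaded=C:\Temp\GDRV.SYS Signed=true Signature=Giga-Byte Technology Hashes=SHA256=cccc",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe",
]

# A value runs until the next " key=" token or end of line, so values may contain
# spaces and '=' (e.g. "Hashes=SHA256=...").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Return one record as a dict of field name -> string value."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line.strip())}


def sha256_of(record):
    """Pull the SHA256 value out of a Sysmon-style 'Hashes=SHA256=..,MD5=..' field."""
    for part in record.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_driver_load(record):
    """Return a finding for a driver load of a listed driver, else None.

    Note that 'Signed=true' is expected for BYOVD drivers and is deliberately
    not used to suppress the finding.
    """
    if record.get("EventID") != "6":
        return None
    image = record.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reason = KNOWN_BYOVD_DRIVERS.get(name)
    digest = sha256_of(record)
    if reason is None and digest in KNOWN_BAD_SHA256:
        reason = KNOWN_BAD_SHA256[digest]
    if reason is None:
        return None
    return {
        "driver": name,
        "path": image,  # loads from user-writable paths deserve extra scrutiny
        "signed": record.get("Signed", "").lower() == "true",
        "reason": reason,
    }


def scan_events(lines):
    """Run the check over an iterable of raw records and collect findings."""
    findings = []
    for line in lines:
        finding = check_driver_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[BYOVD] {f['driver']} loaded from {f['path']} "
              f"(signed={f['signed']}): {f['reason']}")
```

On the constructed sample, the ntfs.sys load passes and the RTCore64.sys and GDRV.SYS loads are flagged even though both carry a valid vendor signature; the reported path (a user-writable directory rather than `System32\drivers`) is the detail an analyst would look at first.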