In late December 2022, Mandiant, Sophos and Sentinel One, via a coordinated disclosure, reported malicious kernel drivers being signed through several Microsoft hardware developer accounts (certified by Microsoft’s Windows Hardware Developer Program). These profiles had been used in a number of cyberattacks that included ransomware-based incidents. Microsoft subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.
In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors. BlackCat affiliates have been known to use multiple techniques during the defense evasion phase, impairing defenses by disabling and modifying tools or using techniques as safe mode boot.