Published on 26 May 2023 | Updated on 29 May 2023
An ongoing ransomware campaign has been found employing signed malicious Windows kernel drivers to evade detection by security software during attacks. The malware, known as 'POORTRY', is a Windows kernel driver signed using stolen keys belonging to legitimate accounts in Microsoft's Windows Hardware Developer Program.
Successful exploitation of the malicious Windows kernel drivers could allow attackers to elevate their privileges on compromised machines and stop processes relating to security agents.
Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.
|Driver variants (SHA1)||Signer name||Valid usage|
|f6793243ad20359d8be40d3accac168a15a327fb||YI ZENG||Code signing|
Systems adminstrators are advised to scan their networks against the IOCs and add the malicious Windows kernel drivers to the Windows drivers blocklist to protect their networks from this new Tactics, Techniques, and Procedures (TTPs) used by the attackers. Systems administrators should also ensure that 'Driver Signature Enforcement' is enabled to block the installation of any drivers that do not have a valid digital signature.
Systems administrators may refer to our advisory on how to protect their systems and data from ransomware threats here.
If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist here.
More information is available here: