Ongoing Ransomware Campaign exploiting Malicious Windows Kernel Drivers

Published on 26 May 2023

An ongoing ransomware campaign has been found employing signed malicious Windows kernel drivers to evade detection by security software during attacks. The malware, known as 'POORTRY', is a Windows kernel driver signed using stolen keys belonging to legitimate accounts in Microsoft's Windows Hardware Developer Program.

Successful exploitation of the malicious Windows kernel drivers could allow attackers to elevate their privileges on compromised machines and stop processes relating to security agents. 

Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.

Driver variants (SHA1) Signer name Valid usage
994e3f5dd082f5d82f9cc84108a60d359910ba79 BopSoft Code signing
f6793243ad20359d8be40d3accac168a15a327fb YI ZENG Code signing

Systems adminstrators are advised to scan their networks against the IOCs and add the malicious Windows kernel drivers to the Windows drivers blocklist to protect their networks from this new Tactics, Techniques, and Procedures (TTPs) used by the attackers. Systems administrators should also ensure that 'Driver Signature Enforcement' is enabled to block the installation of any drivers that do not have a valid digital signature.

Systems administrators may refer to our advisory on how to protect their systems and data from ransomware threats here.

If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist here.

More information is available here: