August 28, 2024 at 03:02PM
The PoorTry Windows driver has evolved into an EDR wiper, deleting crucial security files to hinder restoration efforts. Trend Micro first warned about this in May 2023, with Sophos confirming EDR wiping attacks. The tool, used by ransomware gangs like BlackCat and LockBit, employs various tactics to avoid detection and increase its effectiveness.
The PoorTry kernel-mode Windows driver, previously known as an EDR deactivator, has now evolved into an EDR wiper. This development represents a significant shift in tactics by ransomware actors, who are prioritizing a more disruptive setup phase to ensure better outcomes in the encryption stage.
Reports from both Trend Micro and Sophos have highlighted the emergence of EDR wiping attacks in the wild, confirming the aggressive nature of the evolved PoorTry functionality. Notably, the malware has been utilized by various ransomware gangs, including BlackCat, Cuba, and LockBit, and has demonstrated a capacity for adaptation and evasion through techniques like certificate manipulation and obfuscation.
The latest Sophos report details an attack in July 2024 in which PoorTry was used to systematically delete critical executable files, dynamic link libraries, and other essential components of security software, rendering EDR solutions inoperable and leaving systems defenseless during the encryption phase.
Additionally, it was observed that the malware employs signature timestamp manipulation and utilizes metadata from other software to circumvent security checks and increase its chances of successful execution.
The evolving capabilities of PoorTry pose significant challenges to defenders. At the same time, because the more disruptive wiping activity takes place before encryption begins, it could also create new opportunities to detect attacks in the pre-encryption phase. This underscores the need for heightened vigilance and advanced defense measures to counter the evolving tactics of ransomware actors.