Sophos X-Ops Continues to Protect Against Advanced EDR Killers
At Cyfer Tech, we understand that the cybersecurity landscape is constantly evolving, with attackers relentlessly developing new tools to bypass and disable security measures. Recently, Sophos X-Ops published an update about a persistent threat they’ve been tracking for years: an advanced toolset designed to sabotage endpoint detection and response (EDR) solutions, making it easier for ransomware gangs to carry out their attacks. This blog will explore the ongoing battle against this EDR killer, known as Poortry, and how Sophos X-Ops remains at the forefront of protecting organizations.
The Evolution of Poortry: A Threat to EDR
Poortry is a malicious kernel-level driver that, along with its loader application Stonestop, has been used by multiple ransomware groups to disable EDR software. Since Sophos first reported on Poortry in 2022, the developers behind this tool have continued to refine and enhance its capabilities, making it more difficult to detect and neutralize. Despite Microsoft’s efforts to close loopholes that allowed these drivers to be signed and trusted, the creators of Poortry have not been deterred. Instead, they have found new methods to bypass security measures and continue their attacks.
How Poortry Works: A Deeper Dive
To understand how Poortry operates, it’s important to know how Windows drivers function. Drivers in Windows operate at the kernel level, granting them access to critical system functions. Poortry abuses this access: once its loader gets the malicious driver into the kernel, the driver disables or modifies protection software.
There are several ways Poortry developers bypass security checks:
- Abusing Leaked Certificates: Attackers use stolen or compromised code-signing certificates from legitimate companies to sign their malicious drivers. These signed drivers can then be loaded onto a system, bypassing security checks.
- Forging Signature Timestamps: By manipulating the signing process, attackers can create fake timestamps that allow their drivers to appear legitimate, even when the certificates used are outdated or revoked.
- Exploiting Microsoft’s Attestation Signing Process: In some cases, attackers manage to get their malicious drivers signed by Microsoft itself, giving them a powerful, legitimate-looking signature.
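Each of the three abuse patterns above leaves a trace in the driver’s Authenticode signature, which defenders can inventory. The script below is an added example, not part of the Sophos or Cyfer Tech material; it assumes Windows PowerShell 5.1 or later, read access to the driver files, and a placeholder distrust list that you would populate from your own threat intelligence.

```powershell
# Added example: enumerate installed kernel drivers and report signature properties
# worth triaging (unsigned/tampered files, missing timestamp countersignature,
# expired signers, signers on a distrust list). Not Sophos or Cyfer Tech code.

# Placeholder thumbprints of signing certificates your organisation distrusts
# (leaked or abused code-signing certificates); replace with real intelligence.
$DistrustedThumbprints = @('PLACEHOLDER-THUMBPRINT-1')

function Get-DriverSignatureReport {
    param([string[]] $DistrustedThumbprints = @())

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName may be quoted, carry the \??\ NT prefix, or start with \SystemRoot
        $path = $_.PathName -replace '^"([^"]+)".*$', '$1'
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $findings = @()

        # 1. Not signed, or the file hash no longer matches the signature
        if ($sig.Status -ne 'Valid') { $findings += "status=$($sig.Status)" }

        # 2. No timestamp countersignature: a driver signed with an expired or revoked
        #    certificate needs a (possibly forged) timestamp to keep looking current
        if ($sig.SignerCertificate -and -not $sig.TimeStamperCertificate) {
            $findings += 'no-timestamp'
        }

        # 3. Signer certificate already past its validity period
        if ($sig.SignerCertificate -and $sig.SignerCertificate.NotAfter -lt (Get-Date)) {
            $findings += 'signer-expired'
        }

        # 4. Signer is on the organisation's distrust list
        if ($sig.SignerCertificate -and
            $DistrustedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $findings += 'distrusted-signer'
        }

        [PSCustomObject]@{
            Name     = $_.Name
            State    = $_.State
            Path     = $path
            Signer   = $sig.SignerCertificate.Subject
            Findings = ($findings -join ',')
        }
    } | Where-Object { $_.Findings }
}

Get-DriverSignatureReport -DistrustedThumbprints $DistrustedThumbprints | Format-Table -AutoSize
```

An expired signer with a valid timestamp is normal for older legitimate drivers, so treat the findings as triage input rather than verdicts; a driver signed through Microsoft’s attestation process passes every one of these checks, which is why behavioural monitoring of EDR tampering remains necessary.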
Poortry’s Impact on Ransomware Attacks
Since its discovery, Poortry has been linked to several major ransomware families, including CUBA, BlackCat, Medusa, LockBit, and RansomHub. The tool’s developers have continuously adapted, using different methods to ensure that their drivers are signed and trusted. This persistence has made Poortry a significant threat to organizations worldwide.
One of the more recent developments is Poortry’s ability to not only disable EDR software but also to completely delete critical EDR components. This new capability was first observed during an incident involving RansomHub ransomware, where Sophos X-Ops identified Poortry as a key tool in the attackers’ arsenal.
Sophos X-Ops: Leading the Fight Against Advanced Threats
Sophos X-Ops has been instrumental in uncovering and mitigating the risks posed by Poortry and other advanced threats. Through a combination of static and dynamic analysis, they have tracked the evolution of Poortry, from its early versions that simply disabled EDR software to its current iteration that can also delete files from disk. Their ongoing research and collaboration with Microsoft have led to the deactivation of accounts used to sign malicious drivers, disrupting the attackers’ operations.
Protecting Your Organization with Cyfer Tech and Sophos
At Cyfer Tech, we are committed to providing our clients with the best cybersecurity solutions available. Partnering with Sophos allows us to offer advanced protection against threats like Poortry. Sophos’ cutting-edge technology and expert threat intelligence ensure that your organization stays ahead of attackers.
As threats continue to evolve, so must our defenses. By staying informed and working with trusted cybersecurity partners like Cyfer Tech and Sophos, you can protect your organization from even the most sophisticated attacks.
Contact us today to learn more about how Cyfer Tech and Sophos can help safeguard your business from the latest cybersecurity threats.