"A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools. BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a 'Bring Your Own Driver' technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos... The UK cybersecurity vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys...." https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/
I cannot believe this stuff. How the heck has Windows still not solved this problem? To me it's a huge OS design error when a driver (malicious or not) can simply disable another driver's protection capability. But I guess you will also see this in Linux and macOS; it's like OSes in general aren't designed to take malware into consideration.
Because you missed the real problem: detection and prevention of such malware. If ransomware can do its work, any other security has failed a lot before. Further, my systems don't use RTCorec6.sys. I don't have MSI, I never will use such MSI software, because such software is anyhow BS: https://nvd.nist.gov/vuln/detail/CVE-2019-16098 "Afterburner" is a big fail. Written a lot, ignore a lot more.
https://www.guru3d.com/files-details/msi-afterburner-beta-download.html Well, that version was very rapidly replaced by a couple of newer ones. It is now at 4.6.5 beta and the developers state very clearly to ONLY obtain Afterburner and RivaTuner Statistics Server from the Guru of 3D site, nowhere else, as older versions like the vulnerable one may still be available on these third-party sites. I would so NOT call AFT. a "fail" myself, though I do not use it. I do use RTSS (cannot believe some people think RTSS can only run if AFT is also installed) and this is one of the few pieces of software I depend and rely upon to cap my frames. Nothing else will do!
No, you're missing the point, because the whole reason why EDRs exist is that AVs will probably never be able to spot 100% of all malware attacks. So EDRs will try to prevent ransomware from spreading to all PCs in the network by isolating patient zero. The solution is to block driver loading by malicious apps, but I'm guessing EDRs aren't smart enough. And MSI Afterburner is a handy tool, used by many people for controlling, for example, GPU fans, so I'm not sure what you're rambling about. It's the Windows OS that should be designed better, to prevent this stuff.
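The thread argues about whether the OS or the EDR should stop a vulnerable driver from being loaded, but an administrator can at least see whether such a driver is present. The following PowerShell script is an added example, not code from this thread, from Sophos, or from MSI: it lists the running kernel drivers, flags any whose file name is on a watch list, shows the Authenticode signer of the flagged file, and then pulls recent Service Control Manager "new service installed" events (Event ID 7045) for kernel-mode drivers, which is where a freshly dropped driver normally shows up. The watch list is an assumption for illustration: it carries the driver name as spelled in the quoted article plus RTCore64.sys, the MSI Afterburner driver the NVD entry for CVE-2019-16098 names; a real deployment would feed it from a maintained vulnerable-driver blocklist.

```powershell
# Added example (not from the thread or the vendors discussed). Requires an
# elevated PowerShell session to read the System event log fully.

# Illustrative watch list (assumption): extend from a maintained blocklist.
$WatchList = @(
    'RTCore64.sys',   # driver named in the NVD entry for CVE-2019-16098
    'RTCorec6.sys'    # spelling as it appears in the quoted article
)

# Strip the NT object prefix some PathName values carry (\??\C:\...).
function Convert-DriverPath {
    param([string]$PathName)
    return ($PathName -replace '^\\\?\?\\', '')
}

# Return the currently running kernel drivers whose file name is on the list.
function Get-WatchedDrivers {
    param([string[]]$Names = $WatchList)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Convert-DriverPath $_.PathName
            $leaf = Split-Path -Leaf $path
            if ($Names -contains $leaf) {            # -contains is case-insensitive
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Name      = $_.Name
                    File      = $leaf
                    Path      = $path
                    StartMode = $_.StartMode
                    Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
                    SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
}

# Return recent SCM 7045 events that installed a kernel-mode driver service.
# The event message text is what SCM writes; the 'kernel mode driver' match
# relies on the English message template.
function Get-RecentDriverInstalls {
    param([int]$Days = 7)

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = ($_.Message -split "`n" | Select-Object -First 4) -join ' | '
            }
        }
}

Write-Host "Running drivers matching the watch list:"
Get-WatchedDrivers | Format-Table -AutoSize

Write-Host "Kernel-mode driver services installed in the last 7 days (Event ID 7045):"
Get-RecentDriverInstalls | Format-Table -AutoSize
```

A valid signature on a flagged file is not reassurance here: the point of the technique in the article is that the driver is legitimately signed and vulnerable, so the finding to act on is that the file is present and loaded at all. On supported Windows builds the Microsoft vulnerable driver blocklist (the "Microsoft Vulnerable Driver Blocklist" setting under Core isolation in Windows Security) is the OS-level control that refuses to load known-bad drivers, and the 7045 query above is the kind of signal an EDR would correlate with the process that installed the service.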