The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has issued a critical warning about BlackByte ransomware, a high-impact cyber threat targeting Windows operating systems. The ransomware exploits a new technique, dubbed “Bring Your Own Vulnerable Driver” (BYOVD), allowing it to bypass security protections by disabling over 1,000 drivers used by various security products, including Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security.
NCC-CSIRT revealed that the ransomware gang behind BlackByte uses a vulnerable MSI Afterburner RTCore64.sys driver, which takes advantage of a privilege escalation and code execution flaw (CVE-2019-16098). This vulnerability allows the attackers to disable critical Endpoint Detection and Response (EDR) and antivirus software, leaving systems exposed.
The BYOVD method is particularly dangerous because the affected drivers are signed with valid certificates and have high privileges, making them difficult to detect. This attack technique has been used in other high-profile incidents, including those attributed to the Lazarus group and other unidentified hackers abusing anti-cheat drivers.
The NCC-CSIRT has recommended that system administrators take immediate action to defend against this attack by adding the MSI driver to an active blocklist, closely monitoring driver installations, and regularly checking for unauthorized or rogue drivers.
The NCC-CSIRT collaborates with the Nigeria Computer Emergency Response Team (ngCERT) to strengthen cybersecurity measures and reduce the risk of such attacks, working to safeguard Nigeria’s digital infrastructure.