{
	"id": "3ead5610-d140-4568-8c23-11c593665c2d",
	"created_at": "2026-04-06T00:12:08.70619Z",
	"updated_at": "2026-04-10T03:24:30.000286Z",
	"deleted_at": null,
	"sha1_hash": "5a517ee054fb55d3c33f85e80cdd793a482389ca",
	"title": "BlackCat Ransomware Deploys New Signed Kernel Driver",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 608862,
	"plain_text": "BlackCat Ransomware Deploys New Signed Kernel Driver\r\nPublished: 2023-05-22 · Archived: 2026-04-05 15:37:03 UTC\r\nRansomware\r\nIn this blog post, we provide details on a BlackCat ransomware incident that occurred in February 2023, in which we observed a new capability used mainly in the defense evasion phase.\r\nBy: Mahmoud Zohdy, Sherif Magdy, Mohamed Fahmy · May 22, 2023 · Read time: 8 min (2196 words)\r\nExecutive Summary\r\nIn late December 2022, Mandiant, Sophos and SentinelOne reported, via a coordinated disclosure, malicious kernel drivers that had been signed through several Microsoft hardware developer accounts (certified by Microsoft’s Windows Hardware Developer Program). These profiles had been used in a number of cyberattacks, including ransomware incidents. Microsoft subsequently revoked several of the hardware developer accounts abused in these attacks.\r\nIn this blog post, we provide details on a BlackCat ransomware incident that occurred in February 2023, in which we observed a new defense evasion capability that overlaps with the malicious drivers disclosed earlier by the three vendors. BlackCat affiliates are known to use multiple techniques during the defense evasion phase, impairing defenses by disabling or modifying security tools or by using techniques such as booting into safe mode.\r\nOur analysis sheds light on this new capability, which involves the use of a signed kernel driver for evasion. We believe that this kernel driver is an updated version that inherited its main functionality from the samples disclosed in previous research. 
The driver was used together with a separate user mode client executable in an attempt to control, pause, and kill processes belonging to the security agents deployed on the target endpoints.\r\nMalicious actors use different approaches to sign their kernel drivers: typically by abusing Microsoft signing portals, by using leaked or stolen certificates, or by using underground signing services. In this case, the attackers first tried to deploy the old driver disclosed by Mandiant, which is signed through Microsoft (hash b2f955b3e6107f831ebe67997f8586d4fe9f3e98; the original post labels this value SHA256, but it is 40 hexadecimal characters, i.e. SHA-1 length). Since that driver was already known and detected, the malicious actors then deployed another kernel driver signed with a stolen or leaked cross-signing certificate.\r\nTrend Micro continues to monitor the abuse of signed drivers and the tools, tactics, and procedures (TTPs) associated with this attack surface.\r\nThe malicious signed kernel drivers\r\nThe February 2023 ransomware incident we observed shows that ransomware operators and their affiliates have a strong interest in obtaining privileged access for the ransomware payloads they use in their attacks. They normally use ransomware families that incorporate low-level components to avoid detection by security products once the final payloads are dropped. By mapping the kill chains of these kernel-level threats, we found that most kernel-related payloads are deployed during the defense evasion phase, as shown in Figure 1.\r\nFigure 2. Most kernel-related payloads are found during the defense evasion phase\r\nSome ransomware attacks try to comply with Microsoft code-signing requirements. 
This gives malicious actors the flexibility to compile kernel modules designed for very specific tasks (usually defense impairment and evasion) before dropping the actual payload. Ransomware operators typically take one of the following approaches:\r\n1. Use a code-signing certificate that was leaked, stolen from a compromised environment, or purchased from an underground market.\r\n2. Obtain a new, valid signature by impersonating a legitimate entity: following Microsoft’s process for obtaining a cross-signing certificate (back when Microsoft still allowed cross signing for kernel-mode code), abusing Microsoft’s portal for signing kernel modules, or purchasing, from underground markets, valid code-signing and/or Extended Validation (EV) certificates that are tied to real identities.\r\nFigure 3. Diagram showing how a threat actor complies with Microsoft code-signing requirements\r\nAnalysis of a signed driver\r\nIn this section, we examine a signed driver (ktgn.sys) used in the February BlackCat attacks. Figure 4 shows other examples of these new signed drivers and how they are used as part of the BlackCat affiliate’s defense evasion routine.\r\nFigure 4. The files dropped by a BlackCat affiliate in the defense evasion phase\r\nThe user mode client tjr.exe, which is protected with virtual-machine-based code obfuscation, drops the kernel driver into the user’s temporary directory as C:\\%User%\\AppData\\Local\\Temp\\Ktgn.sys. It then installs the dropped driver as a service named ktgn with the Start value System, so the driver is loaded during system initialization on every boot. 
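The install details above (a kernel driver dropped into a user’s Temp directory and registered as a System-start service) are exactly what a responder should look for across a fleet. The following Python is an added example and not code from the Trend Micro post: it triages constructed service records of the kind exported from HKLM\\SYSTEM\\CurrentControlSet\\Services and flags kernel drivers whose ImagePath lies in a user-writable directory, marking those that also start before any user logs on. The service records, the SYSTEM_ROOT value and the list of user-writable directories are assumptions made for the example.

```python
# Added example (not from the Trend Micro post): triage Windows service records
# for kernel drivers that load from user-writable locations, as ktgn does.

SERVICE_KERNEL_DRIVER = 0x1        # Type value of a kernel-mode driver service
SERVICE_FILE_SYSTEM_DRIVER = 0x2   # Type value of a file-system driver service
# Start values as stored in the service key; 0 and 1 load before any logon.
START_NAMES = {0: 'Boot', 1: 'System', 2: 'Automatic', 3: 'Manual', 4: 'Disabled'}
EARLY_START = (0, 1)

# ASSUMPTION: system drive used to expand \\SystemRoot; adjust for the host.
SYSTEM_ROOT = 'C:\\Windows'

# ASSUMPTION: path fragments that a non-admin user or a user-level dropper
# can normally write to. Compared case-insensitively against ImagePath.
USER_WRITABLE_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\',
                         '\\users\\public\\', '\\programdata\\')

# CONSTRUCTED records mimicking a registry export; not data from the post.
CONSTRUCTED_SERVICES = [
    # Mirrors the install described above: service ktgn, Start = System,
    # image dropped into a user Temp directory.
    {'name': 'ktgn', 'Type': 0x1, 'Start': 1,
     'ImagePath': '\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\Ktgn.sys'},
    # Inbox driver in the normal location, for contrast.
    {'name': 'disk', 'Type': 0x1, 'Start': 0,
     'ImagePath': '\\SystemRoot\\System32\\drivers\\disk.sys'},
    # A user-mode service in a Temp directory: suspicious, but not a driver,
    # so it is out of scope for this rule.
    {'name': 'updater', 'Type': 0x10, 'Start': 2,
     'ImagePath': 'C:\\Windows\\Temp\\upd.exe'},
]


def normalize_image_path(image_path):
    # Drop the NT object-manager prefix, expand \\SystemRoot, lower-case the rest.
    path = image_path
    if path.startswith('\\??\\'):
        path = path[4:]
    if path.lower().startswith('\\systemroot'):
        path = SYSTEM_ROOT + path[len('\\systemroot'):]
    return path.lower()


def is_kernel_driver(service):
    return service.get('Type', 0) in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER)


def in_user_writable_dir(normalized_path):
    return any(marker in normalized_path for marker in USER_WRITABLE_MARKERS)


def triage(services):
    # Findings for driver services whose image lives in a user-writable
    # directory; early_start marks those loaded before logon (persistence).
    findings = []
    for service in services:
        if not is_kernel_driver(service):
            continue
        normalized = normalize_image_path(service['ImagePath'])
        if not in_user_writable_dir(normalized):
            continue
        findings.append({
            'name': service['name'],
            'image': normalized,
            'start': START_NAMES.get(service['Start'], str(service['Start'])),
            'early_start': service['Start'] in EARLY_START,
        })
    return findings


if __name__ == '__main__':
    for finding in triage(CONSTRUCTED_SERVICES):
        print(finding)
```

In a real hunt the records would come from a registry export or from the driver-load events your endpoint telemetry records. The rule deliberately keys on image location, service type and start type rather than on the name ktgn or on a particular signer, since both change between variants (Table 1 shows two different signers for the same driver).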
From our analysis of how the user mode client interfaces with this driver, we observed that it uses only one of the exposed Device Input and Output Control (IOCTL) codes, Kill Process, to terminate the security agent processes installed on the system.\r\nThe driver ktgn.sys is signed with a certificate issued to “BopSoft” that has since been revoked (the same certificate had previously been used by other threat actors for code signing); it can nevertheless be loaded on a 64-bit Windows installation where driver signing policy is enforced, because kernel code-integrity checks validate the signing chain and timestamp at load time but do not consult certificate revocation lists. The driver is obfuscated with Safengine Protector v2.4.0.0, which makes static analysis unreliable. By loading the obfuscated driver and building a user mode client to exercise the exposed IOCTL interface, we were able to determine the function of each IOCTL code. Finally, we observed the same kernel driver signed with different code-signing certificates.\r\nDriver variant (hash) | Signer name | Valid usage | Current status | Issuer\r\n994e3f5dd082f5d82f9cc84108a60d359910ba79 | BopSoft | Code signing | Explicitly revoked by its issuer | Thawte\r\nf6793243ad20359d8be40d3accac168a15a327fb | YI ZENG | Code signing | Explicitly revoked by its issuer | VeriSign\r\nTable 1. The driver variants with different signers (the original post labels the hash column SHA256, but both values are 40 hexadecimal characters, i.e. SHA-1 length)\r\nSince the driver does not register an unload routine, it cannot be stopped through the service control manager; it can only be removed by deleting or modifying its service registry key and then restarting the system.\r\nFigure 6. The service cannot be stopped by the service control manager\r\nThe driver creates a symbolic link named \\\\.\\keHeperDriverLink through which the user mode client connects to and communicates with it. 
Note that the driver allows only one client connection at a time; if more than one client tries to connect to it simultaneously, the system crashes.\r\nFigure 8. Checking if another user mode process is trying to connect to the driver\r\nThe exposed IOCTL interface\r\nThe user mode client supports ten commands, each implementing a specific function that is executed by the kernel driver through the corresponding exposed IOCTL. Communication between the driver and the user mode client goes through the driver’s IRP_MJ_DEVICE_CONTROL handler using the following codes:\r\nIOCTL code | Description\r\n222088h | Activate driver\r\n22208Ch | Deactivate driver\r\n222094h | Kill process\r\n222184h | Delete file\r\n222188h | Force delete file\r\n22218Ch | Copy file\r\n222190h | Force copy file\r\n2221C8h | Register process/thread object notification\r\n2221C4h | Unregister process/thread object notification\r\n222264h | Reboot the system\r\nTable 2. Each IOCTL code and its function\r\nBased on our analysis, the kernel driver still appears to be under development and testing: it is not well structured and some of its functions cannot currently be used. The following subsections provide details on the individual IOCTL interfaces.\r\nIOCTL 222088h must be called first to activate the driver before any other operation can be performed. If this code has not been called, the driver does not accept any operation and returns STATUS_ACCESS_DENIED. 
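The control codes in Table 2 carry more information than their descriptions show, because Windows packs the device type, required access, function number and buffering method into each 32-bit value. The following Python is an added example and not code from the Trend Micro post: it decodes the Table 2 codes with the documented CTL_CODE field layout. The constant names are the Windows SDK ones; the dictionary of codes is copied from Table 2, and the interpretation in the summary is ours.

```python
# Added example (not from the Trend Micro post): decode the IOCTL codes from
# Table 2 into the fields Windows packs into every control code:
#   bits 31-16 DeviceType, bits 15-14 RequiredAccess,
#   bits 13-2  FunctionCode, bits 1-0 TransferType (method).

# Codes and descriptions copied from Table 2.
KTGN_IOCTLS = {
    0x222088: 'Activate driver',
    0x22208C: 'Deactivate driver',
    0x222094: 'Kill process',
    0x222184: 'Delete file',
    0x222188: 'Force delete file',
    0x22218C: 'Copy file',
    0x222190: 'Force copy file',
    0x2221C8: 'Register process/thread object notification',
    0x2221C4: 'Unregister process/thread object notification',
    0x222264: 'Reboot the system',
}

# Constant names from the Windows SDK headers (winioctl.h / wdm.h).
TRANSFER_TYPES = {0: 'METHOD_BUFFERED', 1: 'METHOD_IN_DIRECT',
                  2: 'METHOD_OUT_DIRECT', 3: 'METHOD_NEITHER'}
ACCESS_TYPES = {0: 'FILE_ANY_ACCESS', 1: 'FILE_READ_ACCESS',
                2: 'FILE_WRITE_ACCESS', 3: 'FILE_READ_ACCESS|FILE_WRITE_ACCESS'}
DEVICE_TYPES = {0x22: 'FILE_DEVICE_UNKNOWN'}   # the only type expected here
# Microsoft reserves function codes 0x000-0x7FF; 0x800-0xFFF are for third parties.
VENDOR_FUNCTION_RANGE = range(0x800, 0x1000)


def ctl_code(device_type, function, method, access):
    # Same arithmetic as the CTL_CODE macro.
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    # Split a 32-bit control code into its four fields.
    return {
        'device_type': (code >> 16) & 0xFFFF,
        'access': (code >> 14) & 0x3,
        'function': (code >> 2) & 0xFFF,
        'method': code & 0x3,
    }


def describe(code):
    # One readable line per code, e.g. for an analysis note or a rule comment.
    fields = decode_ioctl(code)
    dev = DEVICE_TYPES.get(fields['device_type'], hex(fields['device_type']))
    fn = fields['function']
    acc = ACCESS_TYPES[fields['access']]
    meth = TRANSFER_TYPES[fields['method']]
    return f'{code:#08x} {dev} function={fn:#05x} {meth} {acc}'


def summarize(codes):
    # Interface-wide properties. all_any_access is the security-relevant one:
    # the I/O manager then requires no particular access on the device handle.
    fields = [decode_ioctl(c) for c in codes]
    return {
        'device_types': sorted({f['device_type'] for f in fields}),
        'functions': sorted(f['function'] for f in fields),
        'all_buffered': all(f['method'] == 0 for f in fields),
        'all_any_access': all(f['access'] == 0 for f in fields),
        'all_vendor_range': all(f['function'] in VENDOR_FUNCTION_RANGE for f in fields),
    }


if __name__ == '__main__':
    for ioctl, purpose in KTGN_IOCTLS.items():
        print(describe(ioctl), '-', purpose)
    print(summarize(KTGN_IOCTLS))
```

Decoding shows that every request uses FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS, so the I/O manager imposes no read or write requirement on the handle for any of the ten commands; whether an unprivileged process can open the device at all depends on the device object’s security descriptor, which the post does not describe, and on passing the activation check of IOCTL 222088h. The function numbers fall into three contiguous groups (0x822 to 0x825, 0x861 to 0x864, 0x871 to 0x872) plus 0x899, all inside the third-party range.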
The user mode client sends the activation byte array to the driver. Activation is a simple byte comparison against a hard-coded byte array of size 0x42 stored in the driver. If the comparison passes, the driver sets a BOOLEAN flag, which is checked before any operation.\r\nFigure 10. Replicating the activation bytes to test driver operations\r\nIOCTL 22208Ch is called after the user mode client finishes its operations to clear the flag that was set by IOCTL 222088h. This deactivates the driver and stops it from processing any new operation. The client needs to pass the same byte array used with IOCTL 222088h for the operation to succeed.\r\nIOCTL 222094h is used to kill any user mode process (even protected ones). It receives the process ID from the user mode client, then creates a kernel thread in the target process’s context. The created kernel thread calls the ZwTerminateProcess API to terminate the target process.\r\nIOCTL 222184h is used to delete specific file paths (as shown in Figure 11).\r\nIOCTL 222188h is used to force delete files. To do this, the kernel driver does the following:\r\n1. It tries to open every process on the system by brute force, iterating process IDs from 0x4 to 0x27FFD.\r\n2. For each process it manages to open, it tries to reference every handle in that process, again by brute force, iterating handle values from 0x4 to 0x27FFD.\r\n3. For each handle it manages to reference, it uses the ObQueryNameString API to map the handle to an object name. When the name matches the target file, the kernel driver closes the handle.\r\nThis ensures that all references to the file are closed, so the deletion completes without errors stating that the file is in use by another application.\r\nIOCTL 22218Ch is used to copy files.\r\nIOCTL 222190h is used to force copy files. 
The driver uses the same operation as force deletion (IOCTL 222188h): it closes all references to the file from all processes using the brute-force method, then copies the file.\r\nIOCTL 2221C8h and 2221C4h register and unregister process/thread notification callbacks, respectively. However, both code paths were unreachable at the time of writing, which indicates that they are still under development or testing.\r\nIOCTL 222264h is used to reboot the system by calling the HalReturnToFirmware API.\r\nConclusion\r\nMalicious actors actively seeking high-privilege access to the Windows operating system use techniques that attempt to defeat the increased protection of users and processes provided by endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies. Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running at the kernel layer (or even lower). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.\r\nMalicious actors will continue to use rootkits to hide malicious code from security tools, impair defenses, and fly under the radar for long periods. These rootkits will see heavy use by sophisticated groups that have both the skills to reverse engineer low-level system components and the resources to develop such tools. These actors also tend to have enough financial resources to either purchase rootkits from underground sources or buy code-signing certificates to build a rootkit. 
This means that the main danger of these kinds of rootkits lies in their ability to hide complex targeted attacks early in the kill chain, allowing an attacker to impair defenses before the actual payloads are launched in the victim environment.\r\nRecommendations and solutions\r\nCode-signing certificates are often abused by threat actors because a valid signature lends malicious code legitimacy and lets it pass signing enforcement. For organizations, compromised keys present not only a security risk but also a loss of reputation and of trust in the legitimately signed software. Businesses should protect their certificates by implementing best practices such as restricting access to private keys, which reduces the risk of unauthorized use of the certificate. Protecting private keys with strong passphrases and additional authentication (hardware tokens or hardware security modules where possible) also helps prevent them from being stolen or compromised. Furthermore, using separate test-signing certificates for prerelease code in test environments minimizes the chance that the actual release-signing certificates are abused in an attack.\r\nFor general protection against ransomware attacks, organizations can implement a systematic security framework that allocates resources toward establishing a robust defense strategy. 
Here are some recommended guidelines:\r\nTake inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nAudit event and incident logs\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary\r\nMonitor network ports, protocols, and services\r\nEstablish a software allowlist for legitimate applications\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nDeploy the latest versions of security solutions across all layers of the system\r\nWatch for early signs of an attack\r\nBy adopting a multilayered approach to securing potential entry points (endpoints, email, web, and network), organizations can detect and block malicious components and suspicious behavior, thereby protecting themselves from ransomware attacks.\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Apex One™ offers automated threat detection and response against advanced threats such as fileless threats and ransomware, protecting endpoints.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry are published in a separate IOC list linked from the original post.\r\nSource: https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html"
	],
	"report_names": [
		"blackcat-ransomware-deploys-new-signed-kernel-driver.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a517ee054fb55d3c33f85e80cdd793a482389ca.pdf",
		"text": "https://archive.orkl.eu/5a517ee054fb55d3c33f85e80cdd793a482389ca.txt",
		"img": "https://archive.orkl.eu/5a517ee054fb55d3c33f85e80cdd793a482389ca.jpg"
	}
}