Threat Database Malware PoorTry/BurntCigar

PoorTry/BurntCigar

The cyber threat landscape has witnessed the evolution of PoorTry, a kernel-mode Windows driver that has taken a more destructive turn. Designed initially to disable Endpoint Detection and Response (EDR) solutions, PoorTry has now become an EDR wiper. This evolution allows ransomware gangs to delete files crucial for security software operations, rendering systems defenseless and making recovery far more challenging.

The Evolution of PoorTry: From Deactivation to Destruction

PoorTry, also known by its alias "BurntCigar," has been a significant tool in the arsenal of ransomware groups since its inception in 2021. Initially, it was developed to disable EDR and other security measures. Over time, it has been utilized by notorious ransomware gangs, including BlackCat, Cuba and LockBit. Its development reached a notable milestone when its creators exploited Microsoft's attestation signing process, allowing the malicious drivers to be signed and used with greater efficacy.

Throughout 2022 and 2023, PoorTry continued to evolve, enhancing its ability to evade detection. By incorporating obfuscation tools like VMProtect, Themida and ASMGuard, it became more adept at hiding its malicious intent. However, the most concerning development occurred in July 2024 when PoorTry transitioned from merely disabling EDR systems to wiping them out entirely.

How PoorTry Works

The latest iteration of PoorTry begins with its user-mode component, which meticulously identifies the installation directories of security software and pinpoints critical files. This information is then relayed to the kernel-mode component, which executes the attack by systematically terminating security processes and deleting essential files.

PoorTry's ability to target files by name or type adds a layer of operational flexibility, enabling it to cover a broad spectrum of EDR products. This precision ensures that only the most critical files are deleted, minimizing the chances of early detection while maximizing the attack's impact during the encryption phase.

The Implications of PoorTry’s Evolution

The shift from EDR deactivation to wiping represents a meaningful escalation in the tactics employed by ransomware actors. By removing the ability to recover or restart EDR systems, attackers can proceed with encryption unchallenged, leaving systems vulnerable and defenseless.

Despite the efforts of cybersecurity firms like Trend Micro and Sophos, which have tracked PoorTry's evolution and warned about its increasing capabilities, the developers behind this tool have consistently adapted to new defensive measures. This adaptability underscores the ongoing challenge faced by security professionals in staying ahead of such advanced threats.

How to Remove PoorTry and Protect Your System

Given the aggressive nature of PoorTry, it's essential to take immediate action if you suspect your system has been compromised. Here's a step-by-step guide to removing PoorTry and safeguarding your system:

  1. Run a Full System Scan with an Anti-Malware Program: Start by using a reputable anti-malware program to perform a comprehensive scan of your system. Ensure that the application is up-to-date with the latest threat definitions to detect PoorTry effectively.
  2. Isolate the Infected System: If PoorTry is detected, isolate the infected system from your network to prevent further spread of the malware.
  3. Remove the Malware: Follow the anti-malware program's instructions to remove PoorTry from your system. This may involve quarantining or deleting infected files. Make sure that all traces of the malware are eliminated.
  4. Restore Your Security Software: After removing PoorTry, you may need to reinstall or restore your EDR and other security solutions to ensure your system is protected. Double-check that all critical components of your security software are intact and functioning.
  5. Update and Harden Your System: Keep your operating system, applications, and security software up-to-date. Apply additional security measures, such as network segmentation and multi-factor authentication, to diminish the risk of future attacks.
  6. Monitor for Further Threats: Continue to monitor your system for any signs of reinfection or other suspicious activity. Stay vigilant and be proactive in applying security patches and updates.

PoorTry's evolution into an EDR wiper marks a new level of aggression in the tactics of ransomware gangs. By understanding how this malware operates and taking swift action to remove it, you can protect your system from further damage. Use a reliable anti-malware program to detect and eliminate PoorTry and ensure that your security defenses are robust enough to withstand future threats. Stay one step ahead in the ever-changing battle against cybercrime.

PoorTry/BurntCigar Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

Trending

Most Viewed

Loading...