The PoorTry Windows driver, initially created to disable Endpoint Detection and Response (EDR) solutions, has significantly advanced into a sophisticated EDR wiper tool. Originally known for its ability to turn off security software, PoorTry has evolved to include functionality that systematically deletes critical files essential for EDR systems. This transition marks a notable shift in ransomware tactics, as PoorTry now not only disables but also destroys key components of security solutions, making recovery and restoration far more difficult for affected organizations.
Trend Micro first alerted the cybersecurity community about the evolving capabilities of PoorTry in May 2023. Recent findings by Sophos confirm that this evolved version of PoorTry is actively used in the wild, as evidenced by a July 2024 RansomHub attack. In these attacks, PoorTry’s advanced wiper functionality targets and deletes executable files (EXEs), dynamic link libraries (DLLs), and other critical components of EDR systems. This method ensures that the security software cannot be reactivated, leaving the system vulnerable during subsequent stages of the ransomware attack.
The latest PoorTry variants utilize several advanced techniques to evade detection. These include signature timestamp manipulation and the use of metadata from legitimate software, which helps the malware bypass security checks on Windows systems. Additionally, attackers have adopted a “certificate roulette” strategy, deploying multiple payload variants signed with different certificates to increase the likelihood of successful execution. This approach reflects a high level of sophistication and adaptability in ransomware operations.
The evolution of PoorTry underscores the growing sophistication of ransomware threats and the need for enhanced defensive strategies. Organizations must remain vigilant and proactive in monitoring for such advanced threats, employing robust detection and response measures to counter the evolving tactics used by cybercriminals. As ransomware tools like PoorTry continue to advance, it is crucial for security teams to stay informed and adapt their defenses to effectively address these emerging challenges.
Reference: