Poortry Driver Evolved Into an EDR-Wiping Tool Used in Ransomware Intrusions
Sophos reported that new variants of the Poortry malicious kernel driver and its Stonestop loader have evolved into a more destructive tool used to disable security defenses during ransomware attacks. Previously known for terminating processes, the latest samples can patch kernel callbacks, interfere with filter drivers, kill security processes, and delete critical EDR files from disk, effectively shifting Poortry from an EDR killer to an EDR wiper. Researchers said the malware continues to develop even after Microsoft closed the attestation-signing loophole that earlier versions abused.
The toolset has been linked to major ransomware operations including CUBA, BlackCat, Medusa, LockBit, and RansomHub, where it is used to clear the way for encryption by impairing endpoint protection. Sophos observed attackers switching rapidly between differently signed Poortry variants during intrusions, suggesting access to multiple stolen or leaked certificates and an adaptive evasion strategy. In one RansomHub-related intrusion, Poortry and Stonestop were deployed before ransomware execution, reinforcing assessments that the driver now functions as a rootkit-like sabotage platform for pre-ransomware defense evasion.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Sophos observes Poortry file-deletion capability in active attacks
Analysis of the July 2024 RansomHub-related incident showed that the Poortry driver had gained file-deletion capabilities that Trend Micro had previously reported, and Sophos observed those capabilities in active use. Sophos said this marked an evolution from an EDR killer toward an EDR wiper.
RansomHub intrusion uses Poortry and Stonestop before ransomware deployment
In a July 2024 incident linked to RansomHub, Sophos observed attackers deploying the Poortry malicious driver and the Stonestop loader before ransomware execution. The case showed the toolset being used operationally to impair defenses during an intrusion.
Microsoft closes attestation-signing loophole abused by Poortry operators
Sophos reported that the Poortry and Stonestop toolset continued to evolve after Microsoft closed the attestation-signing loophole previously abused by its operators.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Signed vulnerable drivers used to disable EDR and aid ransomware attacks
Researchers and incident responders reported continued abuse of **Bring Your Own Vulnerable Driver (BYOVD)** techniques to disable endpoint protections, including **CrowdStrike Falcon**, by loading legitimately signed but flawed Windows kernel drivers. One newly analyzed zero-day driver family included more than 15 variants with valid Microsoft signatures and an IOCTL path such as `0x22E010` that accepted a process ID and invoked `ZwOpenProcess` and `ZwTerminateProcess` from kernel mode, allowing attackers to kill protected security processes without alerts. A proof-of-concept dubbed **PoisonKiller** demonstrated successful termination of the CrowdStrike EDR process through the driver’s symbolic link, underscoring the risk created by trusted but unrevoked third-party drivers. Separate reporting from Sophos and industry coverage tied the same broader tactic to real intrusions and ransomware activity, including ongoing abuse of **Terminator** and related tools built around vulnerable **Zemana** drivers. Attackers used IOCTL flaws to place their own processes on allow lists and then terminate AV and EDR components, while some incidents showed operators switching to alternatives such as **AuKill** when initial attempts failed. Defenders were urged to combine tamper protection, strict privilege controls, patching, and aggressive blocklisting of unnecessary vulnerable drivers, as signed-driver abuse has spread from advanced actors to commodity ransomware crews and lower-tier criminals.
May 25, 2026
EDR Killer Malware Abuses Revoked EnCase Kernel Driver to Terminate Security Tools
Huntress reported an intrusion in which attackers deployed a custom **EDR killer** that disables endpoint security by abusing a legitimate but long-revoked kernel driver originally shipped with Guidance Software’s *EnCase* forensics product. The malware embeds the vulnerable driver (reported as `EnPortv.sys`) and uses a **Bring Your Own Vulnerable Driver (BYOVD)** approach: once the driver is loaded, it exposes an `IOCTL` interface that enables user-mode code to terminate arbitrary processes from kernel mode, bypassing user-mode protections including **Protected Process Light (PPL)**. The tool is described as capable of targeting **59** endpoint security products. In the observed incident, initial access was achieved by successfully authenticating to **SonicWall SSL VPN** using previously compromised credentials, with reporting noting the absence of **MFA** on the VPN account. Post-compromise activity included internal reconnaissance (e.g., ICMP ping sweeps, NetBIOS/SMB probing) and high-rate SYN activity, followed by execution of the EDR killer disguised as a legitimate utility (e.g., a firmware update tool). The malware reportedly uses a custom encoding scheme to conceal the embedded driver, writes it to disk under an OEM-like path, hides it, timestomps it to blend in, and registers it as a Windows kernel service for persistence; despite the driver’s certificate being expired and revoked for years, Windows can still load it due to signature verification and timestamping behavior.
Mar 21, 2026
Black Basta Embeds BYOVD Driver Inside Ransomware Payload to Disable EDR
**Black Basta** ransomware operators have been observed embedding a **Bring Your Own Vulnerable Driver (BYOVD)** component directly inside the ransomware payload, a shift from the more common approach of deploying an external “EDR killer” tool prior to encryption. The technique abuses a legitimate, signed but vulnerable Windows driver to gain **kernel-level** privileges and terminate security tooling (AV/EDR) on the victim host, reducing the chance defenders can stop the attack before encryption begins. Reporting attributes the finding to analysis by **Symantec** (and the **Carbon Black Threat Hunter Team**), which described the embedded-driver approach as a notable evolution in Black Basta tradecraft and consistent with broader ransomware trends toward BYOVD-based defense evasion. One account also links the activity to the **Cardinal** cybercrime group and notes the behavior had not been seen in prior Black Basta campaigns, suggesting either a retooling or a renewed operational tempo that could be adopted by other ransomware families seeking to reliably neutralize endpoint protections.
Mar 21, 2026