Dirty App: PoorTry/Burncigar Toolkit & RootKit Malware – How To Stop and Remove

Cybersecurity threats are continually evolving, and the latest development in ransomware tactics is particularly alarming. The PoorTry kernel-mode Windows driver, once used to disable Endpoint Detection and Response (EDR) solutions, has now transformed into a potent EDR wiper. This malicious tool is designed to erase vital files that security software depends on, leaving systems exposed and making recovery difficult. In this article, we’ll explore how PoorTry has evolved and how you can protect your system with anti-malware software that detects and removes this dangerous threat.

Understanding PoorTry: From Disabling to Wiping EDR

Initially developed in 2021, PoorTry—also known as “BurntCigar”—was created to disable EDR systems, making it easier for ransomware gangs like BlackCat, Cuba, and LockBit to carry out their attacks. What began as a tool for deactivation quickly gained notoriety when its developers managed to get the malicious drivers signed through Microsoft’s attestation signing process. This breakthrough made PoorTry even more dangerous, as it could now operate with a level of legitimacy that was harder to detect.

Over the years, PoorTry continued to evolve. In 2022 and 2023, its developers integrated advanced obfuscation techniques using tools like VMProtect, Themida, and ASMGuard. These methods helped the malware evade detection by packing the driver and its loader (Stonestop) in ways that were difficult for traditional security software to unpack and analyze.

However, the most significant shift occurred in mid-2024. PoorTry evolved from merely disabling EDR systems to actively wiping them out, deleting crucial files that are necessary for the operation of security software. This shift represents a more aggressive approach by ransomware gangs, who now aim to cripple security defenses entirely before moving on to the encryption phase of their attack.

How PoorTry Operates

PoorTry’s new capabilities allow it to systematically delete files that are critical for EDR functionality. The process begins with a user-mode component that identifies the installation directories of security software. It then targets specific files—such as executable files (EXEs) and dynamic link libraries (DLLs)—that are essential for the security software to function.

This targeted deletion ensures that the EDR cannot be restored or restarted, leaving the system vulnerable to the subsequent encryption attack. PoorTry’s ability to delete files by name or type also gives it a level of precision that minimizes unnecessary actions during the attack, reducing the chances of early detection.

The Importance of Anti-Malware Software in Detecting and Removing PoorTry

Given PoorTry’s sophisticated approach, it’s crucial to have robust anti-malware software that can detect and remove this threat before it causes irreversible damage. Here’s how an advanced anti-malware solution can help:

1. Real-Time Threat Detection
   Modern anti-malware software continuously monitors your system for signs of suspicious activity. By recognizing the behavioral patterns associated with PoorTry, such as the unauthorized deletion of critical files, the software can trigger an immediate alert.
2. Automated Malware Removal
   Upon detecting PoorTry, the anti-malware software can automatically quarantine or remove the infected files. This automated response is crucial in preventing the malware from completing its destructive tasks.
3. System Repair and Recovery
   After removing PoorTry, advanced anti-malware solutions can assist in repairing any damage caused by the malware. This includes restoring or reinstalling any deleted EDR components, ensuring your system is fully protected once again.
4. Proactive Defense Updates
   Anti-malware software is regularly updated with the latest threat definitions, including the evolving versions of PoorTry. This proactive approach ensures that your system remains protected against new strains of the malware.

How to Ensure Your System is Protected

To safeguard your system from the PoorTry malware, follow these steps:

• Install a Reliable Anti-Malware Program
  Choose a trusted anti-malware software that offers comprehensive protection against ransomware and other advanced threats. Ensure it includes features like real-time threat detection, automated removal, and system recovery tools.
• Keep Your Software Updated
  Regularly update your operating system, applications, and security software. These updates often include critical patches that protect against newly discovered vulnerabilities.
• Run Regular Scans
  Schedule regular system scans with your anti-malware software to detect any potential threats early. Even if you don’t notice any suspicious activity, these scans can uncover hidden threats that might be lurking on your system.
• Educate Yourself on Security Best Practices
  Stay informed about the latest cybersecurity threats and best practices. Awareness is your first line of defense against threats like PoorTry.

Don’t Let Ransomware Gangs Bully You

The evolution of PoorTry into an EDR-wiping malware represents a significant escalation in the tactics used by ransomware gangs. This threat can leave your system defenseless, making it crucial to have a reliable anti-malware solution in place. By installing advanced anti-malware software that can detect, remove, and repair the damage caused by PoorTry, you can protect your system from this and future cyber threats. Don’t wait until it’s too late—secure your system today with the right tools.