#EDRKillShifter

Benjamin Carr, Ph.D. 👨🏻‍💻🧬 BenjaminHCCarr@hachyderm.io
2025-05-10

#Ransomware crews add '#EDR killers' to their arsenal – and some aren't even malware
Criminals are disabling #security tools early in attacks, Talos says
Ransomware crews are increasingly using programs like #EDRSilencer, #EDRSandblast, #EDRKillShifter, and Terminator to either modify or completely disable endpoint detection and response (EDR) products.
theregister.com/2025/03/31/ran

2025-03-26

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr

Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af: youranonriots@kolektiva.social
2024-08-16

RansomHub ransomware operators have been spotted deploying new #EDRKillShifter malware to disable endpoint detection and response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks - #ransomeware #cyberattacks bleepingcomputer.com/news/secu

2024-08-15

Sophos currently detects EDRKillShifter as Troj/KillAV-KG. In addition, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through. #EDRKillShifter is a dud on boxes we protect. /end

news.sophos.com/en-us/2024/08/

2024-08-15

While the #EDRKillShifter tool failed to work on machines in the field protected by our software, we did manage to get it to successfully run in a lab environment by disabling the tamper protection for Sophos endpoint protection tools. Only with tamper protection disabled was this tool able to kill a process we protected. 6/

The first variant can also accept additional command line arguments as input, including a custom list of processes to target.

2024-08-15

The two drivers we've seen abused are known in the industry as #BYOVD payloads. One is a file called RentDrv2 (hosted on github.com/keowu/BadRentdrv2) and the other is named ThreatFireMonitor (also on Github, with a proof of concept at github.com/BlackSnufkin/BYOVD/).

No matter which driver gets used, #EDRKillShifter writes them out to the %temp% directory using a random 10-digit filename. 5/

A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder
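The post above notes that the loader writes its BYOVD driver to %temp% under a random 10-digit filename. The following is an added detection example, not code from Sophos or from the thread: it parses constructed file-create and driver-load events in a simple key=value format (loosely modelled on Sysmon event IDs 11 and 6, field names assumed) and flags that pattern.

```python
import re
from pathlib import PureWindowsPath

# Heuristic from the thread: a driver file with a 10-digit name dropped into a Temp folder.
TEN_DIGIT_NAME = re.compile(r"^\d{10}(\.sys)?$", re.IGNORECASE)


def is_temp_path(path: str) -> bool:
    """True when any path component is a Temp/Tmp directory (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts or "tmp" in parts


def suspicious_driver_drop(target: str) -> bool:
    """True when a 10-digit-named file (optionally .sys) lands in a Temp folder."""
    return is_temp_path(target) and bool(TEN_DIGIT_NAME.match(PureWindowsPath(target).name))


def parse_event(line: str) -> dict:
    """Parse 'key=value' pairs separated by '|' (constructed log format, not Sysmon's XML)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def scan_events(lines):
    """Return (reason, subject, detail) tuples for events matching the EDRKillShifter drop pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "11" and suspicious_driver_drop(ev.get("TargetFilename", "")):
            hits.append(("driver_drop", ev.get("Image", ""), ev["TargetFilename"]))
        elif ev.get("EventID") == "6" and is_temp_path(ev.get("ImageLoaded", "")):
            # A kernel driver loaded from a user Temp directory is itself worth an alert.
            hits.append(("driver_load_from_temp", ev["ImageLoaded"], ev.get("Signature", "")))
    return hits


# Constructed sample events (paths, names and signer are invented for the example).
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Users\\victim\\loader.exe|TargetFilename=C:\\Users\\victim\\AppData\\Local\\Temp\\4829103746.sys",
    "EventID=11|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\victim\\AppData\\Local\\Temp\\report.docx",
    "EventID=6|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\4829103746.sys|Signature=Example Vendor",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Signature=Microsoft Windows",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The 10-digit-name check is a narrow heuristic tied to the behaviour described in the thread; the driver-load-from-Temp rule is the more durable of the two and will also catch other BYOVD loaders.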
2024-08-15

As it executes, #EDRKillShifter loads an embedded, encrypted resource into memory. That code extracts the next layer of tool, the abusable #BYOVD driver and a #Go binary.

It uses a SHA-256 hash of the initial password (used to execute the tool) as a decryption key for these second-layer payloads. 4/

Pseudocode of the EDRKillShifter malware second-layer decryption routine
2024-08-15

The #EDRKillShifter utility is a #malware loader designed to deploy one of several different exploitable, legitimate #BYOVD drivers and abuse them to kill a wide range of endpoint protection. We've observed it used in a few recent incidents, so we wanted to spotlight how it works. 2/

High-level flowchart overview of the loader execution process
2024-08-15

When the threat actors behind the #RansomHub #ransomware want to attack a target, they go to some lengths to prevent EDR or endpoint protection software from ruining their day.

The latest blog from #Sophos #XOps investigates how they do that, using a tool we call #EDRKillShifter

news.sophos.com/en-us/edr-kill
