New EDR killer tool used by eight different ransomware groups

What’s new: A new EDR killer tool, an evolution of the ‘EDRKillShifter’ tool developed by RansomHub, has been identified in attacks by eight ransomware groups. The tool disables security products on compromised systems, which clears the way for ransomware payload deployment and lateral movement within networks. It consists of a heavily obfuscated binary that injects itself into legitimate applications and loads a malicious driver to gain kernel privileges, targeting products from various security vendors including Sophos, Microsoft Defender, and Kaspersky.

Who’s affected

Eight ransomware groups are utilizing this new EDR killer tool: RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. The tool targets multiple antivirus and EDR solutions, making systems vulnerable to ransomware attacks.

What to do

  • Review and update endpoint security measures to detect and mitigate the use of EDR killer tools.
  • Monitor for unusual activity related to legitimate applications and drivers.
  • Implement strict controls around the use of drivers and certificates within your environment.
  • Stay informed about the latest threats and share intelligence with other organizations.
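As an added illustration of the second and third recommendations (not code from the original brief or from any vendor named in it), the routine below correlates driver-load telemetry with terminations of security-product processes: the pattern described above, where a malicious driver is loaded and EDR/AV processes are then killed. The process names, the signer allowlist and the sample events are assumptions constructed for this example.

```python
"""Correlate driver-load telemetry with security-product process terminations.

Alert when a driver from a signer outside the allowlist is followed, on the same
host and within a short window, by termination of a protected security process.
All telemetry below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for the vendors named in the brief (Defender, Sophos, Kaspersky).
PROTECTED_PROCESSES = {"MsMpEng.exe", "SophosHealth.exe", "avp.exe"}
# Assumed allowlist of driver signers an environment trusts; anything else is suspect.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: (timestamp, host, event kind, details)
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:00", "ws01", "driver_load",
     {"image": r"C:\Windows\System32\drivers\storport.sys", "signer": "Microsoft Windows"}),
    ("2024-06-01T10:02:10", "ws07", "driver_load",
     {"image": r"C:\Users\Public\tmp\drv.sys", "signer": "Example Tools Ltd"}),
    ("2024-06-01T10:02:45", "ws07", "process_terminate", {"image": "MsMpEng.exe"}),
    ("2024-06-01T10:02:47", "ws07", "process_terminate", {"image": "SophosHealth.exe"}),
    ("2024-06-01T11:30:00", "ws03", "process_terminate", {"image": "notepad.exe"}),
]

def detect_edr_killer(events, trusted=TRUSTED_SIGNERS, protected=PROTECTED_PROCESSES, window=WINDOW):
    """Return one alert per untrusted driver load that is followed within `window`
    by termination of a protected security process on the same host."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "driver_load" or detail["signer"] in trusted:
                continue  # trusted driver loads are normal activity
            killed = sorted({d["image"] for t, k, d in evs[i + 1:]
                             if k == "process_terminate" and d["image"] in protected
                             and t - t0 <= window})
            if killed:
                alerts.append({"host": host, "driver": detail["image"],
                               "signer": detail["signer"], "killed": killed})
    return alerts

if __name__ == "__main__":
    for a in detect_edr_killer(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: driver {a['driver']} signed by {a['signer']} "
              f"followed by termination of {', '.join(a['killed'])}")
```

In a real deployment the event tuples would be fed from Sysmon driver-load and process-termination events (or the EDR's own telemetry), and the signer allowlist should be kept deliberately short.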

Sources