New EDR killer tool used by eight different ransomware groups

What’s new: A new EDR killer tool, an evolution of the ‘EDRKillShifter’ tool developed by RansomHub, has been identified in attacks by eight ransomware groups. It disables security products on compromised systems so that the ransomware payload can be deployed without interference. The tool is a heavily obfuscated binary that injects itself into legitimate applications and loads a malicious driver to gain kernel privileges; kernel code is needed because endpoint agents typically run as protected or anti-tamper processes that user-mode code cannot terminate, and from the kernel the tool kills security processes belonging to many vendors.
Who’s affected
The tool targets security products from Sophos, Microsoft (Defender), Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot. The ransomware groups observed using it are RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.
What to do
- Harden endpoints against kernel-level tampering: enable the EDR vendor's tamper protection for its agent, turn on Memory Integrity (HVCI) and the Microsoft vulnerable driver blocklist, and restrict which kernel drivers may load (for example with a WDAC driver allow list).
- Monitor for the indicators of compromise published for this tool in the GitHub repository referenced by the original report, and alert on kernel driver loads from user-writable paths or with invalid, expired or revoked signatures that are followed by terminations of security-agent processes.
- Add detection layers that do not depend on the endpoint agent alone (centralized log forwarding, network telemetry, a SIEM rule for agent heartbeat loss), so that an EDR kill on one host remains visible elsewhere.
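The sequence described above (a driver loaded to obtain kernel privileges, immediately followed by security processes being terminated) is a correlatable pattern in endpoint telemetry. The following is an added example, not code from the article or from any vendor: it runs a simple detection over constructed Sysmon-shaped records (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate), flags driver loads whose signature is not valid or whose path is outside the usual driver directories, and links them to security-agent terminations within a short window. The driver name, path, timestamps and the set of security-process image names are assumptions for illustration, not indicators from the report.

```python
"""Correlate suspicious kernel driver loads with security-process kills.

Added example (not the article's or any vendor's code) over constructed,
Sysmon-shaped records. Event IDs 6 (DriverLoad) and 5 (ProcessTerminate)
are real Sysmon IDs; every path, name and timestamp below is made up.
"""
from datetime import datetime, timedelta

DRIVER_LOAD = 6
PROCESS_TERMINATE = 5

# Assumed sample set of security-agent image names; build yours from your
# own software inventory rather than from this list.
SECURITY_PROCESSES = {
    "msmpeng.exe", "sentinelagent.exe", "avp.exe", "ntrtscan.exe",
    "sophoshealth.exe", "ccsvchst.exe", "hitmanpro.exe", "wrsa.exe",
}

# Kernel drivers normally load from these directories; anything else is odd.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Terminations this soon after a flagged driver load are attributed to it.
KILL_WINDOW = timedelta(seconds=120)


def parse_time(value):
    """Parse the Sysmon UtcTime format."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def driver_is_suspicious(event):
    """Return the reasons a DriverLoad event looks like BYOVD, or [] if none."""
    reasons = []
    path = event["ImageLoaded"].lower()
    status = event.get("SignatureStatus", "")
    if status.lower() != "valid":
        reasons.append(f"signature status is {status!r}")
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected path {event['ImageLoaded']!r}")
    return reasons


def find_edr_kill_sequences(events):
    """Return one alert per suspicious driver load, with linked agent kills."""
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    alerts = []
    for index, event in enumerate(ordered):
        if event["EventID"] != DRIVER_LOAD:
            continue
        reasons = driver_is_suspicious(event)
        if not reasons:
            continue
        loaded_at = parse_time(event["UtcTime"])
        killed = []
        for later in ordered[index + 1:]:
            if parse_time(later["UtcTime"]) - loaded_at > KILL_WINDOW:
                break
            if later["EventID"] == PROCESS_TERMINATE:
                name = later["Image"].rsplit("\\", 1)[-1].lower()
                if name in SECURITY_PROCESSES:
                    killed.append(name)
        alerts.append({
            "driver": event["ImageLoaded"],
            "reasons": reasons,
            "killed": killed,
            # A flagged driver alone is medium; one followed by agent kills is high.
            "severity": "high" if killed else "medium",
        })
    return alerts


# Constructed telemetry: one benign driver load, one suspicious load from a
# user-writable path with an expired signature, two agent kills right after
# it, and an unrelated termination outside the window.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-08-10 14:02:11.101",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-08-10 14:05:40.337",
     "ImageLoaded": "C:\\Users\\Public\\svc.sys",  # assumed name and path
     "Signature": "Example Co", "SignatureStatus": "Expired"},
    {"EventID": 5, "UtcTime": "2025-08-10 14:05:41.002",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-08-10 14:05:41.250",
     "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2025-08-10 14:30:00.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in find_edr_kill_sequences(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["driver"], alert["reasons"], alert["killed"])
```

Two caveats for production use: a driver signed with a stolen or leaked certificate passes the signature check, so the path test and the correlation with agent terminations carry most of the weight, and a hash list of known abusable drivers (such as the one behind the Microsoft vulnerable driver blocklist) should be added as a third rule; and the telemetry must be forwarded off-host as it is generated, because once the agent is killed nothing further will be reported from that machine.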