RansomHub ransomware operators are deploying new malware, EDRKillShifter. It works by disabling security software after exploiting vulnerable drivers in targeted systems.
RansomHub ransomware operators have introduced a new threat, EDRKillShifter, which undermines endpoint detection and response (EDR) systems by exploiting vulnerable drivers on targeted devices. Discovered by Sophos researchers during a May 2024 investigation, EDRKillShifter uses a legitimate, yet flawed driver to escalate system privileges and disable security solutions.
The malware's process involves launching a password-protected binary to decrypt and execute an embedded payload, which then exploits vulnerable drivers like RentDrv2 and ThreatFireMonitor to disable active EDR protections.
Despite its advanced capabilities, EDRKillShifter’s initial attempts to disable Sophos protection and execute ransomware were unsuccessful due to Sophos’s CryptoGuard feature. This malware, which appears to be compiled on a Russian-localized system, can deploy various driver payloads based on the attackers' needs and continuously targets processes listed in its code.
According to Sophos News, the organization saw an increase in the “sophistication of malware designed to disable EDR systems on an infected system” since 2022. After Sophos published data on AuKill, an EDR killer tool, Sophos X-Ops discovered that the tool was being sold “within criminal marketplaces.”
Sophos also noted that multiple threat actors are likely using the tool. Still, it is not foolproof: at one point the tool attempted to attack a computer with Sophos protection, and it failed.
Sophos discovered in their investigation that EDRKillShifter can provide multiple driver payloads tailored to the attackers' requirements. “After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates the running processes, terminating processes if their name appears in a hardcoded list of targets," Sophos continued.
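The behaviour quoted above (install a service for a driver, start it, load the driver, then loop over running processes and terminate those on a target list) is the classic "bring your own vulnerable driver" EDR-killer sequence, and it is detectable from ordinary endpoint telemetry. The Python below is an added example written for this article, not code from Sophos or from the malware: it correlates a kernel-driver service install with a driver load and a burst of security-process terminations by the same process. The driver names RentDrv2 and ThreatFireMonitor come from the article; every other path, process name, PID and timestamp is constructed sample data, and the protected-process list stands in for whatever an organisation's own security agents are called.

```python
"""Behavioural detection for a BYOVD "EDR killer" sequence (added example).

Correlates three kinds of constructed endpoint events:
  1. a new kernel-driver service is installed,
  2. that driver is loaded,
  3. the installing process then terminates several security-tool
     processes within a short window.
"""
from datetime import datetime, timedelta

# Driver filenames the article names as abused by EDRKillShifter (watchlist).
KNOWN_ABUSED_DRIVERS = {"rentdrv2.sys", "threatfiremonitor.sys"}

# Constructed placeholder names for the security-tool processes we protect.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe", "av_service.exe"}

WINDOW = timedelta(seconds=120)  # attribution window after the install
MIN_KILLS = 2                    # terminations needed before we raise a finding

# Constructed sample telemetry: one benign vendor driver install, then the
# EDR-killer pattern (driver dropped in a user-writable path, loaded, and
# followed by terminations of protected processes by the installing PID).
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T09:00:00", "type": "service_installed", "pid": 1200,
     "service": "VendorNetFilter", "kernel": True,
     "image": r"C:\Program Files\Vendor\netflt.sys"},
    {"ts": "2024-05-10T09:00:01", "type": "driver_loaded", "pid": 4,
     "image": r"C:\Program Files\Vendor\netflt.sys"},
    {"ts": "2024-05-10T10:15:00", "type": "service_installed", "pid": 5540,
     "service": "svc_x", "kernel": True,
     "image": r"C:\Users\Public\RentDrv2.sys"},
    {"ts": "2024-05-10T10:15:01", "type": "driver_loaded", "pid": 4,
     "image": r"C:\Users\Public\RentDrv2.sys"},
    {"ts": "2024-05-10T10:15:02", "type": "process_terminated", "pid": 5540,
     "target": "edr_agent.exe"},
    {"ts": "2024-05-10T10:15:02", "type": "process_terminated", "pid": 5540,
     "target": "av_service.exe"},
    {"ts": "2024-05-10T10:15:05", "type": "process_terminated", "pid": 5540,
     "target": "edr_sensor.exe"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    # Kernel drivers normally live under System32; these prefixes are odd.
    p = path.lower()
    return any(seg in p for seg in ("\\users\\", "\\temp\\", "\\programdata\\"))


def detect_edr_killer(events, window=WINDOW, min_kills=MIN_KILLS):
    """Return one finding per kernel-driver install that is followed, within
    `window`, by the installing process terminating >= `min_kills` protected
    processes. Severity is 'high' when at least two supporting indicators
    (watchlisted driver name, user-writable path, observed load) are present."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    findings = []
    for inst in events:
        if inst["type"] != "service_installed" or not inst.get("kernel"):
            continue
        t0, t1 = _parse(inst["ts"]), _parse(inst["ts"]) + window
        name = _basename(inst["image"])
        in_window = [e for e in events if t0 <= _parse(e["ts"]) <= t1]
        loaded = any(e["type"] == "driver_loaded" and _basename(e["image"]) == name
                     for e in in_window)
        kills = sorted(e["target"].lower() for e in in_window
                       if e["type"] == "process_terminated"
                       and e["pid"] == inst["pid"]
                       and e["target"].lower() in PROTECTED_PROCESSES)
        if len(kills) < min_kills:
            continue
        indicators = []
        if name in KNOWN_ABUSED_DRIVERS:
            indicators.append("known-abused driver name")
        if _user_writable(inst["image"]):
            indicators.append("driver in user-writable path")
        if loaded:
            indicators.append("driver load observed")
        findings.append({"service": inst["service"], "driver": name,
                         "pid": inst["pid"], "killed": kills,
                         "indicators": indicators,
                         "severity": "high" if len(indicators) >= 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_edr_killer(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} installed {f['driver']} "
              f"and killed {', '.join(f['killed'])} ({'; '.join(f['indicators'])})")
```

In real telemetry the three event types map to the Windows System log "service installed" event (ID 7045), Sysmon's driver-load event (ID 6) and the EDR's own process-termination records; correlating on the installing PID rather than on a driver hash is what lets the rule fire even when the attacker swaps in a driver that is not yet on any blocklist. Keeping the watchlist and Microsoft's vulnerable-driver block rules current, and enabling hypervisor-protected code integrity where hardware allows, addresses the same technique on the prevention side.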
Endpoint detection and response (EDR) is a cybersecurity solution designed to monitor, detect, and respond to threats on endpoints such as computers, servers, and mobile devices. An EDR system continuously collects and analyzes data from these endpoints, looking for suspicious activities or patterns that could indicate a security breach. When a threat is detected, EDR tools can automatically initiate a response, such as isolating the affected device, blocking malicious processes, or alerting security teams for further investigation.
By providing real-time visibility into endpoint activities and enabling swift response to threats, EDR helps protect organizations from advanced cyberattacks, including ransomware, malware, and other malicious activities that could compromise sensitive data and disrupt operations.
Cybercriminals are always advancing their attack tactics, and the emergence of EDRKillShifter indicates that sophistication and persistence are growing. EDRKillShifter also demonstrates how ransomware operators are increasingly targeting the tools designed to protect systems—endpoint detection and response (EDR) solutions—by exploiting legitimate yet vulnerable drivers. This tactic allows cybercriminals to bypass traditional security measures, forcing organizations to evolve defenses.
The failure of EDRKillShifter to disable Sophos protection in this instance shows that proactive and layered security strategies can thwart even advanced attacks. It also demonstrates the need for constant vigilance and adaptation in cybersecurity. As ransomware attacks become more complex, understanding these emerging threats is crucial for organizations to protect their systems, data, and operations from potentially devastating consequences.
Ransomware is malicious software designed to encrypt a victim's data or lock them out of their systems until a ransom is paid to the attacker. It involves infiltrating a device through phishing emails, malicious websites, or software vulnerabilities, encrypting files, and demanding payment in cryptocurrency for the decryption key.
EDR can detect and alert on vulnerabilities within endpoints, such as outdated software or unpatched systems. Some EDR solutions also provide remediation recommendations or automated patch management to address these vulnerabilities.