A cybercrime group associated with RansomHub ransomware has been utilizing a new tool called EDRKillShifter to disable endpoint detection and response (EDR) software on compromised hosts [2] [3] [6].
Description
This tool [1] [2] [3] [4] [5] [6], discovered by cybersecurity company Sophos during an incident in May 2024, failed to terminate Sophos protection on the targeted computer [2] [4]. EDRKillShifter operates in three steps, ultimately loading a legitimate but vulnerable driver and abusing it to disable EDR protection [2]. Multiple attackers are believed to be using the tool [2], which can deliver a variety of driver payloads to gain elevated privileges and disarm EDR software [6].

RansomHub [1] [2] [3] [4] [5] [6], suspected to be a rebrand of the Knight ransomware [6], gains initial access by exploiting known security flaws and then drops legitimate remote desktop software to maintain persistent access [6].

To mitigate this threat [6], it is recommended to keep systems up to date [6], enable tamper protection in EDR software [6], and practice strong security hygiene for Windows roles [6].

The incident highlights the growing sophistication of malware built to disable EDR systems on infected hosts [5], as more organizations adopt EDR tooling to safeguard endpoints. Earlier RansomHub attacks on organizations such as Change Healthcare [4], Frontier Communications [4], and Christie's auction house have raised concerns among security professionals, who also point to Sophos researchers' discovery last year of another EDR-killing tool, AuKill.
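The mitigation advice above (patched systems, tamper protection, hardened Windows roles) can be audited from the endpoint itself. The following PowerShell script is an added example and is not code from the cited articles or from Sophos. It assumes Microsoft Defender is the EDR in use, a Windows 10/11 host with the Defender PowerShell module, and an elevated prompt; the `VulnerableDriverBlocklistEnable` registry value and the `Win32_DeviceGuard` class are Microsoft's, but treat their exact semantics on your build as something to confirm against Microsoft's documentation.

```powershell
# Added example (not from the cited articles): audit the host controls that make a
# bring-your-own-vulnerable-driver EDR killer harder to land. Assumes Microsoft Defender
# as the EDR and Windows 10/11 with the Defender module; run from an elevated prompt.

function Test-EdrHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Tamper protection: stops local processes, even administrative ones, from
    #    switching Defender off through its own configuration interfaces.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $findings.Add([pscustomobject]@{
            Control = 'Defender tamper protection'
            Enabled = [bool]$status.IsTamperProtected
            Detail  = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
        })
    } catch {
        $findings.Add([pscustomobject]@{
            Control = 'Defender tamper protection'
            Enabled = $false
            Detail  = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        })
    }

    # 2. Microsoft vulnerable driver blocklist. Newer Windows 11 builds expose the
    #    setting through this registry value; if the value is absent it is reported as off.
    $ciPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciPath -Name 'VulnerableDriverBlocklistEnable' `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $findings.Add([pscustomobject]@{
        Control = 'Vulnerable driver blocklist'
        Enabled = ($blocklist -eq 1)
        Detail  = if ($null -eq $blocklist) { 'registry value not present' }
                  else { "VulnerableDriverBlocklistEnable=$blocklist" }
    })

    # 3. Hypervisor-protected code integrity (HVCI / memory integrity) enforces driver
    #    blocking in the kernel. SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    $findings.Add([pscustomobject]@{
        Control = 'HVCI (memory integrity)'
        Enabled = $hvci
        Detail  = if ($null -eq $dg) { 'DeviceGuard WMI class unavailable' }
                  else { "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')" }
    })

    return $findings
}

# 4. Triage aid: running kernel drivers that live outside System32. An EDR killer has to
#    bring its own driver onto the box, so an unexpected entry here deserves a closer look.
#    This is a starting point for investigation, not a verdict.
function Get-NonSystemDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.State -eq 'Running' -and $_.PathName -and
            ($_.PathName -notlike '*\System32\*')
        } |
        Select-Object Name, PathName, StartMode
}

Test-EdrHardening    | Format-Table -AutoSize
Get-NonSystemDrivers | Format-Table -AutoSize
```

Any control reported as `Enabled = False` is a gap worth closing before a tool of this kind is encountered, and the driver listing is most useful when compared against a known-good baseline from the same role of machine.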
Conclusion
Organizations must remain vigilant and adaptive to combat evolving threats like EDRKillShifter [1]. The discovery of such tools emphasizes the ongoing arms race between cybercriminals and cybersecurity professionals [1], highlighting the need for continuous improvement in security measures and practices.
References
[1] https://gbhackers.com/ransomware-edr-killer-tool/
[2] https://securityaffairs.com/167105/cyber-crime/ransomhub-tool-kill-edr-software.html
[3] https://cyber.vumetric.com/security-news/2024/08/15/ransomhub-group-deploys-new-edr-killing-tool-in-latest-cyber-attacks/
[4] https://www.scmagazine.com/news/cybercrime-group-disables-edr-software-to-launch-ransomhub-ransomware
[5] https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/
[6] https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html