8 Ransomware Groups Now Using This EDR-Bypassing Tool

Summary
– A new EDR killer tool, developed by RansomHub, is being used by eight ransomware gangs to disable security products and deploy payloads undetected.
– The tool uses an obfuscated binary that self-decodes at runtime and injects into legitimate applications, leveraging stolen/expired certificates for driver loading.
– Once active, the malicious driver mimics legitimate files (e.g., CrowdStrike Falcon) and kills AV/EDR processes, targeting vendors like Sophos, Microsoft Defender, and Kaspersky.
– Sophos researchers confirm the tool is shared collaboratively among threat groups, with each attack using a distinct build rather than a leaked binary.
– Similar EDR-killing tools like AuKill and AvNeutralizer have been used by ransomware gangs, highlighting a common tactic in the cybercriminal ecosystem.

A powerful new tool designed to bypass endpoint security systems has emerged as the weapon of choice for at least eight major ransomware groups. Security analysts have identified this sophisticated utility as an advanced version of previous EDR evasion techniques, enabling attackers to disable critical defenses before launching their encryption attacks.
The malicious software operates by exploiting vulnerable drivers to gain kernel-level access, allowing threat actors to neutralize security products from leading vendors. Sophos researchers tracking the activity confirm its use by prominent ransomware operations including RansomHub, Blacksuit, Medusa, and Qilin, among others.
Unlike typical malware, this tool employs heavy obfuscation and self-decoding mechanisms to evade detection. It searches for a specific driver, typically signed with a stolen or expired digital certificate, and loads it to execute a “bring your own vulnerable driver” (BYOVD) attack. Once loaded, the driver impersonates legitimate security software while systematically terminating processes tied to antivirus and EDR solutions.
Security products from major vendors such as Microsoft Defender, Kaspersky, SentinelOne, and CrowdStrike are among the primary targets. The tool’s ability to disable these defenses gives ransomware operators free rein to escalate privileges, move laterally across networks, and deploy payloads without interference.
What makes this development particularly concerning is the collaborative nature of its distribution. Rather than relying on leaked binaries, evidence suggests threat groups are actively sharing and modifying the tool among themselves. Each variant shows slight differences in driver names and targeted security software, but all share common packing techniques and attack methodologies.
This isn’t the first time ransomware actors have pooled resources to bypass defenses. Earlier tools like EDRKillShifter and AuKill followed similar patterns, with groups like LockBit and Medusa Locker adopting them in past campaigns. The trend highlights how cybercriminals continuously refine their tactics, leveraging shared frameworks to maximize their impact.
Security teams are urged to monitor for suspicious driver activity and implement strict controls over kernel-mode code execution. Indicators of compromise linked to this latest tool have been published to assist defenders in identifying potential breaches before encryption occurs.
As ransomware groups grow more organized, the cybersecurity community must remain vigilant against these evolving threats. Proactive defense strategies, including behavioral detection and driver allowlisting, could prove critical in mitigating future attacks.
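As an added defender-side example (not code from the article, from Sophos or from BleepingComputer), the following Python script triages Sysmon “Driver loaded” (Event ID 6) records for the signals the article describes: a driver whose file name mimics a security vendor’s driver but carries a different signer, a signature that is expired or otherwise invalid, a driver loaded from outside the normal driver directories, and a file hash present on a vulnerable-driver blocklist. The field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) follow Sysmon’s Event ID 6 schema; the signer table, the blocklist hash and the sample records are constructed placeholders that a real deployment would replace with values taken from a known-good host and a maintained blocklist.

```python
"""Triage Sysmon 'Driver loaded' (Event ID 6) records for BYOVD-style activity.

Added example, not code from the article or from any vendor. It assumes a
JSON-lines export of Sysmon events carrying the Event ID 6 fields
(ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The signer table,
blocklist hash and sample records below are constructed for illustration.
"""
import json
from pathlib import PureWindowsPath

# Security-vendor driver file names and the signer expected on them.
# Illustrative table: build the real one from a known-good host.
EXPECTED_SIGNER = {
    "wdfilter.sys": "Microsoft Windows",             # Defender filter driver
    "examplesensor.sys": "Example EDR Vendor Ltd",   # constructed entry
}

# SHA-256 hashes of known-vulnerable drivers. PLACEHOLDER value: load the
# real set from a maintained vulnerable-driver blocklist before use.
VULNERABLE_DRIVER_SHA256 = {"0" * 63 + "1"}

# Directories drivers are normally loaded from (lower-case prefixes).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_hashes(field):
    """Turn Sysmon's 'SHA1=...,MD5=...,SHA256=...' string into a dict."""
    hashes = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def triage_driver_load(event):
    """Return (severity, reason) findings for one Event ID 6 record; [] if clean."""
    findings = []
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    signer = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    signed = str(event.get("Signed", "")).lower() == "true"
    hashes = parse_hashes(event.get("Hashes", ""))

    # 1. A known-vulnerable driver is being loaded (the BYOVD component itself).
    if hashes.get("SHA256") in VULNERABLE_DRIVER_SHA256:
        findings.append(("critical", "SHA256 matches vulnerable-driver blocklist"))
    # 2. File name of a security vendor's driver, but not that vendor's signature.
    expected = EXPECTED_SIGNER.get(name)
    if expected and signer != expected:
        findings.append(("critical",
                         f"{name} mimics a {expected} driver but is signed by "
                         f"{signer or 'nobody'}"))
    # 3. Unsigned, expired or otherwise invalid signature on a kernel driver.
    if not signed or status.lower() != "valid":
        findings.append(("high", f"signature status '{status or 'unsigned'}'"))
    # 4. Driver loaded from a user-writable or otherwise unusual location.
    if not image.lower().startswith(TRUSTED_DIRS):
        findings.append(("medium", f"loaded from unusual path {image}"))
    return findings


def triage_log(lines):
    """Scan a JSON-lines Sysmon export; return the driver loads that raised findings."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if str(event.get("EventID")) != "6":  # only 'Driver loaded' events
            continue
        findings = triage_driver_load(event)
        if findings:
            alerts.append({"time": event.get("UtcTime"),
                           "image": event.get("ImageLoaded"),
                           "findings": findings})
    return alerts


# Constructed sample records: a benign Defender driver load, a suspicious
# load that shows every signal at once, and a non-driver event to be skipped.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-01-01 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\wdfilter.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-01-01 10:05:00.000",
     "ImageLoaded": "C:\\Users\\Public\\examplesensor.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true",
     "Signature": "Expired Publisher LLC", "SignatureStatus": "Expired"},
    {"EventID": 7, "UtcTime": "2025-01-01 10:06:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in triage_log(SAMPLE_LOG):
        print(alert["time"], alert["image"])
        for severity, reason in alert["findings"]:
            print(f"  [{severity}] {reason}")
```

Run against a real export, the benign Defender load produces no findings while the constructed second record trips all four checks. The name-versus-signer check is the one that catches the impersonation described in the article: a file named like a vendor’s sensor driver is only trusted when the signature actually belongs to that vendor, so a renamed driver signed with an expired or stolen certificate stands out regardless of what it calls itself. The same four signals map directly onto the article’s mitigations: driver allowlisting makes the path and signer checks enforceable rather than merely observable, and the blocklist check is what a kernel-mode code-integrity policy applies before the driver ever runs.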
(Source: BLEEPING COMPUTER)