Ransomware attackers introduce new EDR killer to their arsenal

· Published 16/08/2024 14:58 · Modified 16/08/2024 15:50

Essential information

Tags
2024-08-16 driver exploitation edr evasion edrkillshifter privilege-escalation ransomhub ransomware
Related entities
2 observables, 8 techniques (mitre), 2 malware

Description

An analysis by security researchers has uncovered a new tool called EDRKillShifter, which threat actors use to disable endpoint protection software during attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on targeted systems, paving the way for the deployment of payloads. The tool works as a loader, delivering various malicious drivers that exploit vulnerabilities to gain elevated privileges and unhook security protections.

External references