Ransomware attackers introduce new EDR killer to their arsenal

Aug. 16, 2024, 3:50 p.m.

Description

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on targeted systems, paving the way for the deployment of ransomware payloads. EDRKillShifter works as a loader, delivering various malicious drivers that exploit vulnerabilities to gain elevated privileges and unhook security protections.

External References

https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/
https://otx.alienvault.com/pulse/66bf690d15fc943f49031aaf
Tags
ransomware
ransomhub
privilege escalation
2024-08-16
edr evasion
driver exploitation
edrkillshifter

Date

  • Created: Aug. 16, 2024, 2:58 p.m.
  • Published: Aug. 16, 2024, 2:58 p.m.
  • Modified: Aug. 16, 2024, 3:50 p.m.

Indicators

  • 451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60
  • d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0
Download all indicators here!

Attack Patterns

  • EDRKillShifter
  • RansomHub