
Threat actors in RansomHub seen using tools to disable EDR protection
Sophos recently published threat research on an encounter with the ransomware group known as RansomHub. Although the attack was unsuccessful, the researchers were able to analyze it and found the use of a tool called EDRKillShifter.
John Bambenek, President at Bambenek Consulting, mentioned, “At present, only RansomHub is using the tool. However, as it was sold on the dark web, it is more than likely that other groups could purchase it as well. Threat actors trying to kill EDR agents on systems before going further in their chain of attacks is not news; however, security teams should keep tight controls on drivers being installed to avoid this tool.”
Functionality of the EDR-killing tool
EDRKillShifter is described as a “bring your own vulnerable driver” (BYOVD) tool that executes in three steps.
- The EDRKillShifter must be executed with a command line including a password string; with the correct password, an embedded resource named BIN is decrypted and executed.
- The final payload is unpacked and executed by the BIN code.
- The final payload drops and leverages one vulnerable, legitimate driver from a range of drivers in order to gain privileges to disarm an EDR tool’s protection.
Bambenek explained, “BYOVD is a technique where an attacker loads a legitimate driver that has vulnerabilities so they can overwrite the code near the kernel to execute privileged functions. The danger here is that the kernel driver isn’t malicious, so detection is more difficult. Once a driver is loaded, you have much deeper access to the system and are able to have a wider range of privileges to manipulate a system.”
Measures for security leaders to protect their organizations
Security leaders are advised to monitor endpoint security, promote strong organizational cyber hygiene and ensure systems are updated regularly. Craig Jones, Vice President of Security Operations at Ontinue, stated, “The situation with the EDRKillShifter tool is indeed concerning. From what we can gather, the cybercriminal group behind this operation remains unidentified, but their use of the RansomHub ransomware suggests they’re experienced and determined. The fact that they’re employing this new tool, designed specifically to disable endpoint detection and response (EDR) software, is a clear indicator of their sophistication.
“Once EDR is out of the picture, these attackers can operate on compromised systems with much less risk of being detected, giving them a wider window to deploy ransomware or other malicious payloads. Security teams need to ensure that all drivers on their network are up-to-date and regularly audited for known vulnerabilities. Implementing strict allowlisting policies for drivers can help prevent unauthorized or vulnerable drivers from being used, but this process is time-consuming and complex. Security is always evolving, and this latest tool is a reminder that attackers are constantly looking for ways to outmaneuver even the most advanced defenses.”
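The detection side of the two points above, the driver-drop step of the BYOVD chain and the driver auditing and allowlisting advice, can be illustrated with a small audit over driver-load telemetry. The following Python is an added example written for this article; it is not code from Sophos, Ontinue or the RansomHub research. It assumes driver loads are available as flattened Sysmon Event ID 6 ("Driver loaded") records with the real Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus), while the line layout, the sample events, the hash values and the allowlist/blocklist contents are all constructed for the example. In production the blocklist would be populated from Microsoft's vulnerable driver blocklist and the allowlist from the organization's approved driver inventory.

```python
import hashlib
import re
from dataclasses import dataclass

# Matches "Key=value" pairs on a flattened event line; values may contain spaces
# (e.g. "Signature=Microsoft Windows"), so the value runs until the next " Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Drivers dropped by a BYOVD tool typically land outside the normal driver directory.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class Finding:
    image: str
    sha256: str
    reasons: list


def parse_event(line: str) -> dict:
    """Parse one flattened Sysmon-style line into a dict and pull out its SHA256."""
    fields = dict(FIELD_RE.findall(line))
    # Sysmon's Hashes field is "ALGO=hex[,ALGO=hex...]".
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["sha256"] = hashes.get("SHA256", "").lower()
    return fields


def audit_driver_loads(lines, allowlist, blocklist):
    """Return a Finding for every Event ID 6 driver load that violates policy.

    A load is flagged when its hash is on the vulnerable-driver blocklist, when it
    is absent from the allowlist, when its signature status is not Valid, or when
    the image was loaded from outside the system drivers directory.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":          # only driver-load events matter here
            continue
        image = ev.get("ImageLoaded", "")
        sha = ev["sha256"]
        reasons = []
        if sha in blocklist:
            reasons.append("hash on vulnerable-driver blocklist")
        if sha not in allowlist:
            reasons.append("hash not on driver allowlist")
        if ev.get("SignatureStatus", "").lower() != "valid":
            reasons.append("signature not valid")
        if not image.lower().startswith(TRUSTED_DRIVER_DIR):
            reasons.append("loaded from outside the system drivers directory")
        if reasons:
            findings.append(Finding(image, sha, reasons))
    return findings


def _h(label: str) -> str:
    # Constructed stand-in hashes: SHA-256 of a label, not of any real driver.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample telemetry: one legitimate load, one signed-but-vulnerable
# driver dropped to a user-writable path, one unsigned driver, one non-driver event.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Hashes=SHA256="
    + _h("constructed-ntfs") + " Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\vuln.sys Hashes=SHA256="
    + _h("constructed-vulnerable-driver") + " Signed=true Signature=Example Vendor SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\x.sys Hashes=SHA256="
    + _h("constructed-unsigned") + " Signed=false Signature=- SignatureStatus=Unavailable",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe Hashes=SHA256=" + _h("constructed-cmd"),
]
ALLOWLIST = {_h("constructed-ntfs")}                 # constructed approved-driver inventory
BLOCKLIST = {_h("constructed-vulnerable-driver")}    # constructed vulnerable-driver blocklist


if __name__ == "__main__":
    for f in audit_driver_loads(SAMPLE_EVENTS, ALLOWLIST, BLOCKLIST):
        print(f.image, "->", "; ".join(f.reasons))
```

Note that the signed-but-vulnerable driver passes the signature check, which is exactly the BYOVD problem Bambenek describes; it is caught only by the hash blocklist, the allowlist and the load path, so an audit that stops at "is it signed?" is not enough.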