New EDR killer tool used by eight different ransomware groups
What’s new: A new EDR killer tool, an evolution of ‘EDRKillShifter,’ has been identified in attacks by eight ransomware groups, including RansomHub and Blacksuit. The tool disables security products on compromised systems so that ransomware can be deployed and the attackers can move laterally without being detected. It consists of a heavily obfuscated binary that injects itself into legitimate applications and loads a malicious driver to obtain kernel privileges, which it then uses to disable protected security processes. Products targeted include those from Sophos, Microsoft (Defender), and Kaspersky, among others.
Who’s affected
Organizations running endpoint detection and response products from vendors including Sophos, Microsoft (Defender), Kaspersky, Symantec, Trend Micro, SentinelOne, and others are at risk. Because the tool operates at kernel level, any endpoint agent that relies solely on user-mode self-protection is exposed.
What to do
- Confirm that endpoint controls can detect and respond to kernel-level tampering: driver loads from unexpected paths, drivers that are unsigned or not signed by the expected publisher, and processes injecting into legitimate applications. Where the platform supports it, enable a driver blocklist or allow-list so that a driver cannot be loaded simply because it carries a valid signature.
- Monitor and alert on security services entering the stopped state, security processes being terminated, and tamper protection being disabled, and correlate these with driver-load events that occurred shortly before them.
- Add layers of protection that do not depend on the endpoint agent staying alive (tamper protection, driver allow-listing, network-side detection), so that disabling the agent is itself a visible event.
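The following is an added example, not part of the original brief and not code from any of the vendors named above, of the correlation described in the recommendations: flag a driver load that is not a validly Microsoft-signed driver from a system driver directory, then check whether a protected security service stopped within a few minutes of it. The event records are constructed for the example and reduced to normalized field names (a Sysmon DriverLoad record, event ID 6, carries ImageLoaded, Signature and SignatureStatus; the Service Control Manager stop record, event ID 7036, is represented here with assumed ServiceName and State fields). The protected service list is an assumption to be extended with the service names of the EDR actually deployed. Note that the rule deliberately does not treat a valid third-party signature as benign: EDR killers, including earlier EDRKillShifter builds, have relied on legitimately signed but vulnerable drivers.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not captured from a real
# incident): Sysmon DriverLoad records (id 6) and Service Control Manager
# state-change records (id 7036), reduced to the fields the rule uses.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"time": "2024-01-10T09:30:12", "id": 6,
     "ImageLoaded": "C:\\Users\\Public\\drv\\kill.sys",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"time": "2024-01-10T09:30:15", "id": 7036, "ServiceName": "WinDefend", "State": "stopped"},
    {"time": "2024-01-10T09:30:16", "id": 7036, "ServiceName": "Sense", "State": "stopped"},
    {"time": "2024-01-10T11:00:00", "id": 7036, "ServiceName": "Spooler", "State": "stopped"},
]

# Services to protect (assumed, not exhaustive). WinDefend and Sense are the
# Microsoft Defender Antivirus and Defender for Endpoint services; add the
# service names of whatever EDR agent is deployed.
PROTECTED_SERVICES = {"WinDefend", "Sense"}

# Directories from which Microsoft-signed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_time(s):
    return datetime.fromisoformat(s)


def suspicious_driver(ev):
    """Hunting heuristic: flag any driver load that is not a validly
    Microsoft-signed driver loaded from a system driver directory.
    A valid third-party signature is NOT treated as safe, because
    EDR killers commonly bring a signed but vulnerable driver (BYOVD)."""
    if ev.get("id") != 6:
        return False
    path = ev.get("ImageLoaded", "").lower()
    in_system_dir = any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS)
    microsoft_signed = (ev.get("SignatureStatus") == "Valid"
                        and ev.get("Signature", "").startswith("Microsoft"))
    return not (in_system_dir and microsoft_signed)


def protected_service_stops(events):
    """Return the stop events for services in PROTECTED_SERVICES."""
    return [ev for ev in events
            if ev.get("id") == 7036
            and ev.get("State") == "stopped"
            and ev.get("ServiceName") in PROTECTED_SERVICES]


def correlate(events, window_seconds=300):
    """Pair each suspicious driver load with protected-service stops that
    follow it within window_seconds. Returns one alert dict per driver
    load that was followed by at least one such stop."""
    stops = protected_service_stops(events)
    alerts = []
    for ev in events:
        if not suspicious_driver(ev):
            continue
        t0 = parse_time(ev["time"])
        t1 = t0 + timedelta(seconds=window_seconds)
        hit = [s["ServiceName"] for s in stops
               if t0 <= parse_time(s["time"]) <= t1]
        if hit:
            alerts.append({"time": ev["time"], "driver": ev["ImageLoaded"],
                           "signer": ev.get("Signature"), "services": hit})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['time']} driver {a['driver']} (signer: {a['signer']}) "
              f"followed by stop of {', '.join(a['services'])}")
```

Run against the sample, the benign tcpip.sys load is ignored, while the driver loaded from a user-writable directory and followed seconds later by the WinDefend and Sense services stopping produces a single alert; the unrelated Spooler stop is not protected and does not contribute. In production the same logic would sit on top of forwarded Sysmon and System log events, and the driver heuristic should be tightened with an explicit vulnerable-driver hash list rather than path and signer alone.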