New EDR Killer Tool Used by Multiple Ransomware Groups

A dangerous evolution in ransomware tactics has emerged: a new Endpoint Detection and Response (EDR) killer tool capable of disabling leading security products on compromised systems. First linked to the RansomHub group and considered the successor to EDRKillShifter, the tool has already been deployed in attacks by eight ransomware gangs. Its purpose is simple but devastating: once the endpoint agent is gone, payload deployment, privilege escalation, lateral movement, and file encryption can proceed without being detected or blocked.

Who Is Using the Tool

Security researchers at Sophos have confirmed that RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC have all used this EDR killer in attacks. The scale of adoption indicates that this is not an isolated tool but one developed within a collaborative ransomware ecosystem, with shared technical resources and frameworks.

How the EDR Killer Works

The new tool is heavily obfuscated, self-decodes at runtime, and is injected into legitimate applications. Once running, it searches for a digitally signed driver, signed with either a stolen or an expired certificate, whose random five-character file name is hardcoded into the executable. When the driver is found it is loaded into the kernel, turning the operation into a “bring your own vulnerable driver” (BYOVD) attack: the signed-but-abusable driver gives the attacker the kernel-level access needed to kill security software from below, where user-mode tamper protection cannot reach.

Masquerading as a legitimate driver such as the CrowdStrike Falcon Sensor Driver, the malicious driver then terminates processes and stops services belonging to antivirus and EDR products. Vendors targeted include Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot.
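The sequence above (a short-named, badly signed driver loads, then EDR and antivirus services stop) is exactly the kind of pattern a detection engineer can correlate from endpoint telemetry. The following is an added example written for this post, not code from Sophos, BleepingComputer, or the tool itself. It assumes Sysmon Event ID 6 (DriverLoad) records with their real field names (ImageLoaded, Signed, Signature, SignatureStatus) and Windows System-log Event ID 7036 (service state change) records normalized to ServiceName/State fields, which is an assumption about how your pipeline flattens those events. All sample events, driver names, and certificate subjects are constructed for illustration; the service-name hints are illustrative substrings, not an authoritative list.

```python
"""Correlate a suspicious kernel driver load with EDR/AV service stops.

Added example for the BYOVD pattern discussed above; not vendor code.
Input records are constructed to mimic Sysmon Event ID 6 (DriverLoad) and
Windows System-log Event ID 7036 (service entered the stopped state).
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# The article describes a random five-character driver name hardcoded into
# the killer executable.  On its own this is a weak signal (tcpip.sys is also
# five characters), so it only counts together with other indicators.
FIVE_CHAR_NAME = re.compile(r"^[A-Za-z0-9]{5}$")

# Drivers normally live here; loads from user-writable paths are unusual.
TRUSTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Illustrative substrings (assumption) for the vendors the article lists,
# matched case-insensitively against the service display name.
EDR_SERVICE_HINTS = (
    "sophos", "defender", "windefend", "sentinel", "crowdstrike", "csfalcon",
    "kaspersky", "symantec", "trend micro", "cylance", "mcafee", "f-secure",
    "hitmanpro", "webroot",
)


def driver_suspicion(ev):
    """Return the reasons a Sysmon Event ID 6 record looks like a BYOVD driver."""
    reasons = []
    path = PureWindowsPath(ev["ImageLoaded"])
    if FIVE_CHAR_NAME.match(path.stem):
        reasons.append("five-character driver name")
    # Sysmon reports "Valid" for a good chain; "Expired"/"Revoked"/etc. are
    # exactly the stolen-or-expired certificates the article describes.
    if ev.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {ev.get('SignatureStatus')!r}")
    if path.parent != TRUSTED_DRIVER_DIR:  # PureWindowsPath compares case-insensitively
        reasons.append(f"loaded from {path.parent}")
    return reasons


def is_edr_service(display_name):
    name = display_name.lower()
    return any(hint in name for hint in EDR_SERVICE_HINTS)


def find_byovd_sequences(events, window=timedelta(minutes=5), min_reasons=2):
    """Alert when a suspicious driver load is followed by EDR service stops.

    Only stops that occur within `window` *after* the load are attributed to
    it, and a driver needs at least `min_reasons` indicators to be considered.
    """
    loads = [e for e in events if e["EventID"] == 6]
    stops = [e for e in events
             if e["EventID"] == 7036 and e["State"].lower() == "stopped"]
    alerts = []
    for load in loads:
        reasons = driver_suspicion(load)
        if len(reasons) < min_reasons:
            continue
        t0 = datetime.fromisoformat(load["UtcTime"])
        killed = [s["ServiceName"] for s in stops
                  if t0 <= datetime.fromisoformat(s["UtcTime"]) <= t0 + window
                  and is_edr_service(s["ServiceName"])]
        if killed:
            alerts.append({"driver": load["ImageLoaded"],
                           "reasons": reasons,
                           "stopped_services": killed})
    return alerts


# Constructed sample telemetry (not real logs).  The 09:40 Defender stop is
# deliberately outside the window so it is not blamed on the later load.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-08-01 10:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7036, "UtcTime": "2025-08-01 09:40:00",
     "ServiceName": "Microsoft Defender Antivirus Service", "State": "stopped"},
    {"EventID": 6, "UtcTime": "2025-08-01 10:01:10",
     "ImageLoaded": r"C:\Users\Public\qzvkt.sys",
     "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Expired"},
    {"EventID": 7036, "UtcTime": "2025-08-01 10:01:12",
     "ServiceName": "Sophos Endpoint Defense Service", "State": "stopped"},
    {"EventID": 7036, "UtcTime": "2025-08-01 10:01:13",
     "ServiceName": "Microsoft Defender Antivirus Service", "State": "stopped"},
    {"EventID": 7036, "UtcTime": "2025-08-01 10:02:00",
     "ServiceName": "Print Spooler", "State": "stopped"},
]

if __name__ == "__main__":
    for alert in find_byovd_sequences(SAMPLE_EVENTS):
        print(alert)
```

Two design points are worth noting. First, the benign tcpip.sys load is not flagged even though it has a five-character name, because it carries a valid signature and sits in the standard driver directory; a real rule should require several independent indicators before alerting. Second, the correlation is directional: EDR stops before the driver load are ignored, so a routine service restart earlier in the day does not turn a later, unrelated driver load into an incident.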

Variants and Shared Development

Although different ransomware groups use slightly different builds, with varying driver names, targeted vendors, and build characteristics, the builds share core traits: all variants are packed with HeartCrypt. The degree of similarity suggests coordinated development rather than the leak of a single binary. Sophos emphasizes that each attack uses a uniquely compiled version of the tool, which points to shared codebases and mutual technical support among the threat actors rather than a single binary passed from group to group.

Tool Sharing in the Ransomware Landscape

Sharing and selling EDR killers is not new in the cybercrime ecosystem. Beyond EDRKillShifter, Sophos has identified AuKill, used by Medusa Locker and LockBit, while SentinelOne reported that FIN7 sold its AvNeutralizer to multiple ransomware gangs, including BlackBasta, AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. These tools are central to modern ransomware operations because they let an intrusion proceed even on hosts protected by advanced endpoint defenses.

Why This Matters for Cybersecurity

The existence and rapid adoption of this new EDR killer show how quickly ransomware actors adapt to counter defensive technologies. For organizations, relying solely on endpoint protection is no longer enough, because the agent itself is what the attacker disables first. Controls that act below or beside the agent matter: Microsoft’s vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) prevent many known-abusable drivers from loading in the first place, and driver-load and service-stop telemetry forwarded off the host survives even when the local agent does not. A multi-layered cybersecurity strategy is essential, combining hardened endpoint security, network monitoring, threat intelligence, and incident response readiness.

ZENDATA’s cybersecurity services are designed to provide this kind of layered defense, helping organizations stay ahead of evolving threats and respond quickly if compromised.

Read the full BleepingComputer article here.
