Source: go.theregister.com – Author: Jessica Lyons
At least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, allowing them to bypass almost every major endpoint security tool on the market, escalate privileges, and ultimately steal and encrypt data before extorting victims into paying a ransom.
One of the most recent examples includes the operators of Crypto24, a new-ish ransomware that has been deployed against nearly two dozen companies in the US, Europe, and Asia since April, according to the miscreants’ leak site.
The criminals target high-profile companies in financial services, manufacturing, entertainment, and technology, and after gaining initial access to victim organizations, one way they evade detection is by using a customized version of RealBlindingEDR, according to Trend Micro researchers.
RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24’s custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix.
The tool retrieves the security company’s name from driver metadata, compares it to the hardcoded list, and if there’s a match, it disables callbacks, rendering the EDR products useless.
Specific to Trend Micro, its researchers observed cases where the attackers deployed their customized version of RealBlindingEDR and abused gpscript.exe, which is a legitimate Group Policy utility, to remotely execute the Trend Vision One uninstaller, a legitimate troubleshooting tool.
But, they add, the ransomware crew was only able to abuse the uninstaller “after gaining elevated (administrator) privileges through prior compromise of affected systems. The tool itself requires administrative permissions to run and cannot be abused as an initial infection vector.”
RansomHub’s old EDR killer gets a makeover
In addition to Crypto24’s operators, at least eight other crews are disabling endpoint security defenses before deploying ransomware, according to Sophos. “We have observed the same sequence of events (EDR Killer -> ransomware) with the following ransomware families: Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx, INC,” Sophos researchers Gabor Szappanos and Steeve Gaudreault said in an August 6 report.
These gangs are using updated versions of EDRKillShifter, which was first seen deployed by RansomHub in August 2024. It exploits legitimate but vulnerable drivers on Windows machines to terminate EDR products, and was later repurposed by rival gangs like Medusa, BianLian, and Play.
Szappanos and Gaudreault don’t name the updated tool, and note “it’s not that a single binary of the EDR killer leaked out and was shared between threat actors. Instead, each attack used a different build of the proprietary tool.”
Plus, as Szappanos told The Register, “All of these EDR killers use a kernel-level driver.”
In one particular case, the Sophos analysts spotted RansomHub using an EDR killer that looks for a driver that has been signed with a compromised certificate and has a five-letter random name hardcoded into the executable.
If it finds the malicious driver, the malware initiates a “Bring Your Own Vulnerable Driver (BYOVD)” attack, in which the signed, vulnerable driver is loaded into the kernel and then exploited to gain kernel-level access. This access allows the miscreants to tamper with EDR functions.
Specifically, Sophos found that RansomHub’s EDR-killer tool, across different builds, targets products from multiple security vendors, including Sophos, Bitdefender, Cylance, ESET, F-Secure, Fortinet, McAfee, Microsoft, Symantec, and Trend Micro. The attackers can further abuse this kernel-level access to move laterally within the network, deploy ransomware, steal data, backdoor compromised systems, and perform other nefarious actions without being detected.
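Both behaviours the article describes, a vulnerable or randomly named driver being loaded into the kernel for a BYOVD attack, and gpscript.exe being used to launch an EDR uninstaller, leave traces in endpoint telemetry that a SOC can alert on even before the EDR agent itself is silenced. The script below is an added example, not code from the article, Sophos or Trend Micro: it runs a few simple detection rules over constructed sample events whose fields are modelled loosely on Sysmon's DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records. The field names, file paths, vendor strings, driver names and the "ExampleEDR" uninstaller are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real logs). Values that contain spaces are
# allowed; the parser splits only on whitespace that precedes a "Key=" token.
SAMPLE_EVENTS = [
    "EventType=DriverLoad ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true SignatureStatus=Valid Signature=Microsoft Windows",
    "EventType=DriverLoad ImageLoaded=C:\\Users\\Public\\qwzrt.sys Signed=true SignatureStatus=Revoked Signature=Example Vendor Ltd",
    "EventType=DriverLoad ImageLoaded=C:\\Windows\\Temp\\abcde.sys Signed=false SignatureStatus=Unavailable Signature=",
    "EventType=ProcessCreate Image=C:\\Windows\\System32\\gpscript.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine=gpscript.exe /Startup",
    "EventType=ProcessCreate Image=C:\\Program Files\\ExampleEDR\\Uninstall.exe ParentImage=C:\\Windows\\System32\\gpscript.exe CommandLine=Uninstall.exe /silent",
    "EventType=ProcessCreate Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

# Where legitimately installed drivers normally live on Windows.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# The article notes the hardcoded driver name was five random letters. Many
# legitimate drivers also have short names (tcpip.sys, for instance), so this
# heuristic is only applied to drivers loaded from outside the trusted directory.
FIVE_RANDOM_LETTERS = re.compile(r"^[a-z]{5}\.sys$", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule name, detail)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_driver_load(ev: Dict[str, str]) -> List[Finding]:
    """BYOVD indicators: bad signature, unusual location, random-looking name."""
    findings: List[Finding] = []
    image = ev.get("ImageLoaded", "")
    in_trusted_dir = image.lower().startswith(TRUSTED_DRIVER_DIR)

    # A revoked or missing signature on a kernel driver is the strongest signal:
    # BYOVD relies on drivers whose signature still passes but should not.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append(("driver_untrusted_signature", image))
    if not in_trusted_dir:
        findings.append(("driver_outside_system_dir", image))
        if FIVE_RANDOM_LETTERS.match(basename(image)):
            findings.append(("driver_random_five_letter_name", image))
    return findings


def check_process_create(ev: Dict[str, str]) -> List[Finding]:
    """gpscript.exe launching an uninstaller is the pattern Trend Micro described."""
    parent = basename(ev.get("ParentImage", "")).lower()
    child = basename(ev.get("Image", "")).lower()
    if parent == "gpscript.exe" and "uninstall" in child:
        return [("gpscript_spawns_uninstaller", ev.get("CommandLine", ""))]
    return []


def detect(lines: List[str]) -> List[Finding]:
    """Run every rule over a list of event lines and return all findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        event_type = ev.get("EventType")
        if event_type == "DriverLoad":
            findings.extend(check_driver_load(ev))
        elif event_type == "ProcessCreate":
            findings.extend(check_process_create(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:35s} {detail}")
```

On the constructed sample the first driver (a validly signed driver in the system directory) produces no finding, the two drivers loaded from user-writable paths each trip the signature, location and naming rules, and the uninstaller spawned by gpscript.exe trips the process rule. In a real deployment the driver-load check should also compare file hashes against a maintained vulnerable-driver blocklist, and the process rule should be tuned to the actual uninstaller names of the EDR product in use; the point of the example is that these events are generated by the OS and can be shipped off-host before the agent on that host is disabled.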
“Most commentary so far has focused on endpoint defenses being bypassed by these new kernel-level EDR killers — but that’s only half the story,” Benson George, a senior principal product marketing manager at Aviatrix, told The Register.
“Once ransomware operators are inside, the real danger now lies in how they can move laterally across today’s cloud-connected network fabric,” he said. “That means if attackers disable EDR on one endpoint, they can exploit the largely unmonitored communication paths between VPCs, Kubernetes clusters, and APIs.”
Stopping ransomware attacks, “the kind that disable EDR before doing anything else, means having controls that work even when endpoint telemetry is gone,” George added.
It’s also important to note that not all EDR killers are custom malware, and some ransomware operators use legitimate software tools to disable endpoint protections.
In an earlier interview, Kendall McKay, strategic lead at Cisco Talos, told The Register that Talos’ incident responders came across a commercial software tool called HRSword in a couple of different ransomware infections they were called in to investigate.
“Threat actors are co-opting it for their own purposes,” McKay said.
Like other legitimate tools repurposed by criminals (cough) Cobalt Strike (cough), HRSword has been co-opted for nefarious purposes, with ransomware crews abusing the software to disable endpoint protection systems. Plus, because it’s a legitimate product, it’s less likely to be detected and blocked by organizations’ security products. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/14/edr_killers_ransomware/