RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks
2024-08-15 10:45

A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining similar programs such as AuKill and Terminator.

The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024.

"The EDRKillShifter tool is a 'loader' executable - a delivery mechanism for a legitimate driver that is vulnerable to abuse," security researcher Andreas Klopsch said.

The BIN resource unpacks and runs a final, obfuscated Go-based payload, which then takes advantage of different vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.

"All of the unpacked EDR killers embed a vulnerable driver in the .data section."

To mitigate the threat, it's recommended to keep systems up to date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.
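The observation that the unpacked EDR killers carry a driver in the .data section suggests a static triage check for suspicious executables. The following is an added example, not code from Sophos or the original article: it parses a PE file with the Python standard library and reports PE images embedded in .data, flagging those whose subsystem is native (kernel driver). The function names and the `build_pe` sample generator are constructed for illustration, and the check only applies to an unpacked sample.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1  # subsystem value used by kernel-mode drivers

def data_section(pe: bytes) -> bytes:
    """Return the raw bytes of the .data section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, lfanew + 20)
    table = lfanew + 24 + opt_size            # section table follows optional header
    for off in range(table, table + 40 * nsec, 40):
        if pe[off:off + 8].rstrip(b"\0") == b".data":
            raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
            return pe[raw_ptr:raw_ptr + raw_size]
    return b""

def embedded_images(pe: bytes):
    """List (offset, is_native) for every PE image found inside .data."""
    data, hits = data_section(pe), []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            hdr = pos + lfanew
            if data[hdr:hdr + 4] == b"PE\0\0":
                sub = data[hdr + 24 + 68:hdr + 24 + 70]   # OptionalHeader.Subsystem
                hits.append((pos, sub == struct.pack("<H", IMAGE_SUBSYSTEM_NATIVE)))
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_pe(subsystem: int, data: bytes = b"") -> bytes:
    """Constructed minimal PE32+ layout for the demo: headers plus one .data section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    raw_ptr = len(dos) + len(coff) + len(opt) + 40
    sec = b".data\0\0\0" + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr) + bytes(16)
    return dos + coff + bytes(opt) + sec + data

if __name__ == "__main__":
    driver = build_pe(IMAGE_SUBSYSTEM_NATIVE)              # stand-in for an embedded .sys
    loader = build_pe(3, bytes(16) + driver + bytes(8))    # console EXE carrying it in .data
    print(embedded_images(loader))
```

A hit is a lead for further analysis rather than a verdict, since legitimate installers can also carry drivers as data.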


News URL

https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html