Since 2022, ransomware groups and underground marketplaces have increasingly utilized sophisticated EDR killer tools, such as those packed with HeartCrypt, to disable endpoint security during multi-stage attacks. Evidence suggests significant tool sharing and technical knowledge transfer among competing ransomware groups, complicating defense efforts. #EDRKillShifter #HeartCrypt #RansomHub #MedusaLocker #INC
Keypoints
- Malicious EDR killer tools, including AVKiller, have been developed and used by ransomware groups like RansomHub, with multiple versions targeting various security vendors.
- These tools often use heavily protected executables that load compromised driver files signed with revoked or abused certificates to disable endpoint security products.
- HeartCrypt packer-as-a-service is widely used to obfuscate these tools, making detection and mitigation more challenging.
- Several ransomware families, such as Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC, have been observed utilizing the EDR killer in their attack chains.
- Specific cases, like MedusaLocker, show exploitation of zero-day vulnerabilities (e.g., in SimpleHelp) to deliver the EDR killer followed by ransomware deployment.
- There is strong evidence of tool sharing and technical knowledge transfer between competing ransomware groups, each using different builds of EDR killers but consistently employing HeartCrypt packing.
- This ecosystem complexity increases the difficulty for defenders to detect and prevent ransomware attacks effectively.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The malware executes commands through cmd.exe, as evidenced by “cmd.exe /c start c:\temp\6Vwq.exe” in the MedusaLocker case.
- [T1218] Signed Binary Proxy Execution – The EDR killer loads drivers signed with compromised certificates to bypass security controls (“driver is signed with a compromised certificate”).
- [T1105] Ingress Tool Transfer – Use of HeartCrypt packer-as-a-service suggests transferring and obfuscating malicious payloads (“heavily protected executable… packed with HeartCrypt”).
- [T1057] Process Discovery – The tool enumerates and terminates specific security-related processes like MsMpEng.exe and SophosHealth.exe to evade detection.
- [T1574] Hijack Execution Flow – Injecting loader code near the entry point of legitimate utilities to execute malicious payloads (“loader code was injected near the entry point”).
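The behaviours listed above (a loader started from a temp path, a driver loaded with a revoked signature, security processes being terminated) can be correlated per host. The detector below is an added example, not code from the Sophos report; it assumes Sysmon-style field names (EventID 1/5/6, Image, ImageLoaded, SignatureStatus) rendered as key=value lines, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Security processes the summary names as EDR-killer targets (extend per environment).
SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe"}
# Staging locations a loader or dropped driver rarely runs from legitimately (assumed heuristic).
TEMP_PATH = re.compile(r"^[a-z]:\\(temp|windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\", re.I)
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed Sysmon-style events (IDs 1 = process create, 5 = process terminate,
# 6 = driver load); field names mirror Sysmon, the values are made up for this example.
SAMPLE_EVENTS = [
    r'EventID=1 Host=WS01 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c start c:\temp\6Vwq.exe"',
    r'EventID=1 Host=WS01 Image=c:\temp\6Vwq.exe CommandLine="c:\temp\6Vwq.exe"',
    r'EventID=6 Host=WS01 ImageLoaded=c:\temp\noedt.sys Signed=true SignatureStatus=Revoked',
    r'EventID=5 Host=WS01 Image="C:\Program Files\Sophos\SophosHealth.exe"',
    r'EventID=5 Host=WS01 Image="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"',
    r'EventID=6 Host=WS02 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true SignatureStatus=Valid',
]

def parse_event(line):
    """Split one key=value event line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}

def classify(ev):
    """Map one event to an (indicator, detail) pair, or None if it looks benign."""
    eid, image = ev.get("EventID"), ev.get("Image", "")
    if eid == "1" and TEMP_PATH.match(image):
        return ("loader_from_temp", image)
    if eid == "6":
        drv, status = ev.get("ImageLoaded", ""), ev.get("SignatureStatus", "")
        if status.lower() != "valid" or TEMP_PATH.match(drv):
            return ("suspicious_driver_load", f"{drv} ({status})")
    if eid == "5" and image.rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES:
        return ("security_process_terminated", image)
    return None

def analyze(events):
    """Return {host: [(indicator, detail), ...]} for hosts with >= 2 distinct indicators."""
    per_host = defaultdict(list)
    for line in events:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            per_host[ev.get("Host", "?")].append(hit)
    # A lone temp-path execution is noisy; alert only when indicators co-occur on a host.
    return {h: hits for h, hits in per_host.items() if len({k for k, _ in hits}) >= 2}
```

On the constructed sample, WS01 is flagged with all three indicator types while WS02's valid ndis.sys load produces nothing.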
Indicators of Compromise
- [File Hash] HeartCrypt-packed EDR killer example – vp4n.exe (SHA-256: c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d), 6Vwq.exe (SHA-256: 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98)
- [Driver File] Malicious driver files – mraml.sys (SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93), noedt.sys (SHA-256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be)
- [Ransomware File] Ransomware payloads – MilanoSoftware.exe (SHA-256: 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da)
- [File Name] Targeted EDR killer executable – uA8s.exe
- [Ransom Note] Examples include README_0416f0.txt and README.txt used in ransomware incidents.
Read more: https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/