A new evolution of an EDR-killing tool, developed by RansomHub and used by multiple ransomware gangs, can disable security solutions on targeted systems. Sophos researchers noted that the tool uses obfuscated binaries and stolen digital certificates to load a malicious driver, allowing threat actors to bypass security products such as CrowdStrike and Microsoft Defender. #RansomHub #EDRKillShifter
Key points
- The new EDR killer tool is used by eight different ransomware gangs to disable security solutions.
- It employs heavily obfuscated code and self-decoding binaries to avoid detection.
- The malicious driver is signed with stolen or expired certificates so that it can be loaded and run with kernel privileges.
- The tool targets products from multiple security vendors, including Sophos, Microsoft Defender, and McAfee.
- Tool sharing among threat groups indicates collaborative development rather than a single leak.
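The technique described above, a driver signed with a stolen or expired certificate and loaded so it can tamper with security products, leaves a footprint in driver-load telemetry. The following is an added defender-side example, not code from Sophos or from the report; it runs a small triage rule set over constructed, simplified Sysmon-style "Driver loaded" (Event ID 6) records. The field names (ImageLoaded, Signed, Signature, SignatureStatus) follow Sysmon's schema, but the timestamps, paths and signer names are invented, and the signer allowlist and "user-writable directory" list are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: simplified Sysmon-style driver-load (Event ID 6) records.
# Field names follow Sysmon's schema; paths, signers and times are invented.
SAMPLE_LOG = """\
2025-08-10T09:14:02Z EID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
2025-08-10T09:15:47Z EID=6 ImageLoaded=C:\\ProgramData\\x\\svc.sys Signed=true Signature="Example Vendor Ltd" SignatureStatus=Expired
2025-08-10T09:15:48Z EID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\vendor.sys Signed=true Signature="Example Vendor Ltd" SignatureStatus=Valid
2025-08-10T09:16:10Z EID=6 ImageLoaded=C:\\Windows\\Temp\\k.sys Signed=false Signature= SignatureStatus=Unsigned
"""

# Assumption: signers a defender expects to load kernel drivers on this host.
# A real deployment extends this with the vendors actually present.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Assumption: directories a standard user can write to. A kernel driver loaded
# from one of these is a strong "bring your own driver" indicator even when
# its signature checks out.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'key=value' log line into a dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["Time"] = line.split(" ", 1)[0]
    return fields


@dataclass
class Finding:
    time: str
    path: str
    severity: str
    reasons: List[str]


def assess(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a driver load looks suspicious (empty list if none)."""
    reasons: List[str] = []
    if rec.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    status = rec.get("SignatureStatus", "")
    if status != "Valid":
        # Expired or revoked certificates are exactly what the article describes.
        reasons.append(f"signature status is {status or 'unknown'}")
    signer = rec.get("Signature", "")
    if signer not in TRUSTED_SIGNERS:
        reasons.append(f"signer {signer!r} not in allowlist")
    if rec.get("ImageLoaded", "").lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    return reasons


def severity_for(reasons: List[str]) -> str:
    """Unsigned, non-valid, or user-writable-path loads are high on their own;
    a single unknown-but-valid signer alone is only medium."""
    if not reasons:
        return "none"
    hard = any(
        r.startswith(("unsigned", "signature status", "loaded from"))
        for r in reasons
    )
    return "high" if hard or len(reasons) > 1 else "medium"


def triage(log_text: str) -> List[Finding]:
    """Run the rules over every Event ID 6 line and collect findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if " EID=6 " not in line:
            continue
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            findings.append(
                Finding(rec["Time"], rec["ImageLoaded"], severity_for(reasons), reasons)
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity.upper(), f.time, f.path, "; ".join(f.reasons))
```

Of the four constructed records, the Microsoft-signed ndis.sys load produces no finding, the expired-signature driver in ProgramData and the unsigned driver in Windows\Temp are rated high, and the validly signed driver from an unknown vendor in System32 is rated medium for analyst follow-up. In practice this rule set belongs next to the driver blocklist enforcement your platform already provides; its value is catching loads that carry a technically valid but stolen signature, which a blocklist keyed on known-bad hashes will miss until the sample is known.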