RansomHub ransomware gang uses new malware, EDRKillShifter, to disable Endpoint Detection and Response (EDR) software in BYOVD attacks.

EDRKillShifter deploys a vulnerable driver to escalate privileges, disable security solutions, and take system control.

The technique is popular among ransomware gangs and state-backed hacking groups.

In a May 2024 incident, the attackers failed to terminate Sophos protection, and the ransomware execution that followed was blocked by the CryptoGuard feature.

Sophos researchers found two malware samples abusing the vulnerable drivers RentDrv2 and ThreatFireMonitor, built from proof-of-concept exploits published on GitHub.

EDRKillShifter can deliver different driver payloads based on the attacker's needs and was compiled with Russian localization.

The malware uses a three-step process to decrypt, execute, and exploit a legitimate driver to disable active EDR processes.

It runs in an endless loop, continuously terminating targeted processes from a hardcoded list.

Both malware variants abuse vulnerable drivers through payloads adapted from public proof-of-concept exploits and written in Go.
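The behaviour described above (a vulnerable driver is loaded, then EDR processes are terminated in a tight loop) leaves a correlatable trail in driver-load and process-terminate telemetry. The following detection sketch is an added example written for this summary; it is not Sophos code and not part of the original article. It runs over constructed, Sysmon-style log lines (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate). The driver name fragments come from the two drivers named in the article; the driver file names, file paths, the protected-process names `edrsvc.exe`/`edrscan.exe`, and the 120-second correlation window are assumptions chosen for the example.

```python
"""Correlate suspicious driver loads with rapid EDR process terminations.

Added example for defenders: flags a load of a known-vulnerable driver and
raises severity when protected security processes die shortly afterwards.
"""
import re
from datetime import datetime, timedelta

# Assumed watchlists (not from the article or any vendor product). The driver
# hints are the two drivers the article names; the process names are
# placeholders standing in for an EDR agent's own processes.
VULNERABLE_DRIVER_HINTS = ("rentdrv2", "threatfiremonitor")
PROTECTED_PROCESS_NAMES = {"edrsvc.exe", "edrscan.exe"}
CORRELATION_WINDOW = timedelta(seconds=120)  # assumed tuning value

# Constructed Sysmon-style sample log: a BYOVD driver load followed within
# seconds by terminations of two protected processes, then a second driver
# load with no related terminations in the window.
SAMPLE_LOG = """\
2024-05-14T10:00:01Z EventID="6" ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" Signed="true"
2024-05-14T10:02:11Z EventID="6" ImageLoaded="C:\\Users\\Public\\rentdrv2.sys" Signed="true"
2024-05-14T10:02:14Z EventID="5" Image="C:\\Program Files\\Vendor\\edrsvc.exe"
2024-05-14T10:02:15Z EventID="5" Image="C:\\Program Files\\Vendor\\edrscan.exe"
2024-05-14T10:02:16Z EventID="5" Image="C:\\Windows\\System32\\notepad.exe"
2024-05-14T11:30:00Z EventID="6" ImageLoaded="C:\\Windows\\Temp\\ThreatFireMonitor.sys" Signed="true"
2024-05-14T11:45:00Z EventID="5" Image="C:\\Program Files\\Vendor\\edrsvc.exe"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse '<timestamp> Key="value" ...' into a dict, or None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    fields["ts"] = ts
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspect_driver(path):
    """True if the loaded driver's file name contains a watchlisted fragment."""
    return any(hint in basename(path) for hint in VULNERABLE_DRIVER_HINTS)


def is_protected_process(path):
    return basename(path) in PROTECTED_PROCESS_NAMES


def detect(events):
    """One alert per watchlisted driver load; 'high' if protected processes
    terminated inside the correlation window, otherwise 'medium'."""
    alerts = []
    for load in events:
        if load.get("EventID") != "6" or not is_suspect_driver(load.get("ImageLoaded", "")):
            continue
        window_end = load["ts"] + CORRELATION_WINDOW
        killed = sorted({
            basename(e["Image"]) for e in events
            if e.get("EventID") == "5"
            and is_protected_process(e.get("Image", ""))
            and load["ts"] <= e["ts"] <= window_end
        })
        alerts.append({
            "time": load["ts"].isoformat(),
            "driver": load["ImageLoaded"],
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return alerts


def analyze_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

On the constructed sample this yields two alerts: a high-severity one for the `rentdrv2.sys` load followed by `edrscan.exe` and `edrsvc.exe` terminating within seconds, and a medium-severity one for the later `ThreatFireMonitor.sys` load, whose nearest protected-process termination falls outside the window. In production the driver watchlist would be replaced by a maintained vulnerable-driver blocklist and the process list by the actual names of the deployed agent.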

Sophos advises enabling tamper protection, separating user/admin privileges, and keeping systems updated to avoid driver misuse.

Similar EDR-killing malware, AuKill, was spotted last year, used by Medusa Locker and LockBit ransomware gangs.