The RansomHub ransomware gang uses new malware, EDRKillShifter, to disable Endpoint Detection and Response (EDR) software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
EDRKillShifter deploys a vulnerable driver to escalate privileges, disable security solutions, and take system control.
The technique is popular among ransomware gangs and state-backed hacking groups.
In a May 2024 incident, the attackers failed to terminate Sophos protection, and the ransomware execution they then attempted was blocked by CryptoGuard.
Sophos researchers found two malware samples, one exploiting the vulnerable driver RentDrv2 and the other ThreatFireMonitor, both built on proof-of-concept exploits published on GitHub.
EDRKillShifter can deliver different driver payloads based on the attacker's needs and was compiled with Russian localization.
The malware uses a three-step process to decrypt, execute, and exploit a legitimate driver to disable active EDR processes.
It runs in an endless loop, continuously terminating targeted processes from a hardcoded list.
Both malware variants abuse their vulnerable drivers with exploit code adapted from public proof-of-concept exploits and written in Go.
Sophos advises enabling tamper protection, separating user/admin privileges, and keeping systems updated to avoid driver misuse.
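The kill-loop behaviour described above (a vulnerable driver loaded, then security processes terminated repeatedly from a hardcoded list) is also a detection opportunity for defenders. The following is an added example, not code from the report or from Sophos: it runs a simple heuristic over constructed telemetry in a made-up "timestamp,event,detail" format, flagging a load of a driver named in the report that is followed within a short window by repeated terminations of security processes. The .sys file names, the security-process name fragments and the sample events are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Driver names taken from the report; the .sys file names are an assumption.
ABUSED_DRIVERS = ("rentdrv2", "threatfiremonitor")
# Constructed process-name fragments that mark security tooling.
SECURITY_HINTS = ("sophos", "msmpeng", "edragent")

# Constructed sample telemetry (simplified format, not any product's real schema).
SAMPLE_LOG = """\
2024-05-10T09:00:01,driver_load,C:\\Windows\\Temp\\RentDrv2.sys
2024-05-10T09:00:02,process_terminate,SophosHealth.exe
2024-05-10T09:00:03,process_terminate,SophosHealth.exe
2024-05-10T09:00:04,process_terminate,SophosHealth.exe
2024-05-10T09:00:05,process_terminate,MsMpEng.exe
2024-05-10T09:30:00,driver_load,C:\\Windows\\System32\\drivers\\disk.sys
2024-05-10T09:31:00,process_terminate,notepad.exe
"""

def parse(log_text):
    """Turn the CSV-style lines into (datetime, event, detail) tuples."""
    rows = csv.reader(io.StringIO(log_text))
    return [(datetime.fromisoformat(ts), ev, detail) for ts, ev, detail in rows]

def is_abused_driver(path):
    name = path.rsplit("\\", 1)[-1].lower()
    return any(name.startswith(d) for d in ABUSED_DRIVERS)

def is_security_process(name):
    return any(h in name.lower() for h in SECURITY_HINTS)

def detect_edr_killer(events, window=timedelta(minutes=5), min_kills=3):
    """Alert when a known-abused driver load is followed within `window`
    by at least `min_kills` terminations of security processes."""
    alerts = []
    for t0, ev, detail in events:
        if ev != "driver_load" or not is_abused_driver(detail):
            continue
        kills = Counter(d for t, e, d in events
                        if e == "process_terminate" and t0 <= t <= t0 + window
                        and is_security_process(d))
        if sum(kills.values()) >= min_kills:
            alerts.append({"driver": detail, "loaded_at": t0.isoformat(),
                           "kills": dict(kills)})
    return alerts

if __name__ == "__main__":
    for alert in detect_edr_killer(parse(SAMPLE_LOG)):
        print(alert)
```

In practice the driver list should come from a maintained blocklist rather than two names, and the window and threshold tuned to the environment's baseline.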
Similar EDR-killing malware, AuKill, was spotted last year in attacks by the Medusa Locker and LockBit ransomware gangs.