
The Rising Threat of EDRKillShifter: How Ransomware Gangs Are Disabling Security Solutions
EDRKillShifter: The Silent Security Assassin Targeting Your Defenses – How Rival Ransomware Gangs Are Joining Forces
In the evolving world of cybersecurity threats, a concerning development has emerged with the rise of RansomHub and its custom-built EDR killer tool, EDRKillShifter. This powerful tool, designed to disable security solutions, has become increasingly popular among ransomware gangs, creating new challenges for organizations trying to protect their systems.
What is EDRKillShifter?
EDRKillShifter is a specialized malware tool developed and maintained by the RansomHub ransomware-as-a-service (RaaS) gang. First introduced in May 2024, it’s designed specifically to terminate, blind, or crash security products installed on victims’ systems, typically by abusing vulnerable drivers.
The tool consists of two main parts:
- A user mode component responsible for orchestration (the “killer code”)
- A legitimate but vulnerable driver
The execution is straightforward — the killer code installs the vulnerable driver (typically embedded in its data or resources), iterates over a list of process names of security software, and issues a command to the vulnerable driver. This triggers the vulnerability and kills the security processes from kernel mode.
Who is Using EDRKillShifter?
What makes EDRKillShifter particularly noteworthy is that it’s not being used exclusively by RansomHub affiliates. ESET researchers have documented a steep increase in its use across multiple ransomware operations.
ESET has uncovered links between RansomHub and three rival ransomware gangs that have been using EDRKillShifter:
- Play
- Medusa
- BianLian
Researchers identified an affiliate (dubbed “QuadSwitcher”) who appears to be working for all four ransomware groups simultaneously, using the same EDRKillShifter samples across different attacks. This suggests a concerning level of collaboration between what were previously thought to be rival groups.
(Schematic overview of the links between Medusa, RansomHub, BianLian, and Play – Source: ESET Research)
Additionally, less sophisticated ransomware actors have been observed using EDRKillShifter. For example, a threat actor called CosmicBeetle has used the tool in attacks leveraging both RansomHub and fake LockBit ransom notes.
How to Identify EDRKillShifter
Some common indicators of EDRKillShifter include:
- Deployment filenames: Commonly appearing as Killer.exe, Magic.exe, or Loader.exe
- Password arguments: A command-line argument named either “pass” or “key” that accepts a 64-character password
- Version information: VERSIONINFO resource with InternalName property of either Config.exe or Loader.exe
- Original name: The OriginalName property in the version info resource is always Loader.exe
The tool typically relies on a password to protect the shellcode that acts as a middle layer during execution. Without this password, security researchers cannot retrieve the list of targeted processes or identify the specific vulnerable driver being abused.
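The indicators above can be turned into a simple triage rule over process-creation telemetry. The following Python is an added example written for this page, not code from ESET or CinchOps. It assumes the sensor records the image path, the command line and, where available, the VERSIONINFO string table; the exact argument syntax (“-pass <value>”, “--key=<value>”) is an assumption, since the page only states the argument names and the 64-character length. The sample events are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the page (ESET's description of EDRKillShifter samples).
SUSPECT_FILENAMES = {"killer.exe", "magic.exe", "loader.exe"}
SUSPECT_INTERNAL_NAMES = {"config.exe", "loader.exe"}
SUSPECT_ORIGINAL_NAME = "loader.exe"

# Assumption: the password is passed as "-pass <value>", "--key=<value>" or similar.
# The separator after the argument name is required, so "password=" does not match.
PASSWORD_ARG = re.compile(
    r"(?<!\w)[-/]{0,2}(?:pass|key)[\s=:]+([^\s\"']{64})(?![^\s\"'])",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    image: str                      # full path of the started executable
    command_line: str
    version_info: dict = field(default_factory=dict)  # VERSIONINFO strings, if recorded


def check_event(ev):
    """Return the list of page indicators matched by one process-creation event."""
    hits = []
    name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in SUSPECT_FILENAMES:
        hits.append(f"deployment filename {name}")
    if PASSWORD_ARG.search(ev.command_line):
        hits.append("64-character pass/key argument")
    vi = {k.lower(): v for k, v in ev.version_info.items()}
    internal = vi.get("internalname", "").lower()
    # The page calls the field OriginalName; PE VERSIONINFO stores it as OriginalFilename.
    original = (vi.get("originalfilename") or vi.get("originalname") or "").lower()
    if internal in SUSPECT_INTERNAL_NAMES:
        hits.append(f"InternalName {internal}")
    if original == SUSPECT_ORIGINAL_NAME:
        hits.append("OriginalFilename loader.exe")
    return hits


def is_suspicious(hits):
    """A 64-character pass/key argument is unusual enough on its own; generic names
    such as loader.exe need a second indicator to avoid flagging benign software."""
    return "64-character pass/key argument" in hits or len(hits) >= 2


def triage(events):
    """Return (image, hits) for every event that meets the threshold."""
    flagged = []
    for ev in events:
        hits = check_event(ev)
        if is_suspicious(hits):
            flagged.append((ev.image, hits))
    return flagged


# Constructed sample telemetry: one full match, one benign vendor loader, one
# renamed binary that still carries the password argument, and one unrelated process.
HEX64 = "0123456789abcdef" * 4
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\Killer.exe", f"Killer.exe -pass {HEX64}",
                 {"InternalName": "Config.exe", "OriginalFilename": "Loader.exe"}),
    ProcessEvent(r"C:\Program Files\Vendor\Loader.exe",
                 r'"C:\Program Files\Vendor\Loader.exe" --update',
                 {"InternalName": "VendorUpdater", "OriginalFilename": "VendorLoader.exe"}),
    ProcessEvent(r"C:\Windows\Temp\svc.exe", f"svc.exe --key={HEX64}"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

The threshold in is_suspicious is the design choice worth tuning: Loader.exe is a common benign filename, so the rule only raises it when paired with a second indicator, while the 64-character pass/key argument is treated as a strong signal on its own because the page notes the password is what unlocks the embedded shellcode.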
Remediations and Defense Strategies
Defending against EDR killers is challenging. Since threat actors need admin privileges to deploy an EDR killer, their presence should ideally be detected and mitigated before they reach that point in an attack.
While preventing the killer code from executing is the best approach, code obfuscation can make this unreliable. However, focusing on vulnerable drivers provides additional defense options:
- Ensure detection of potentially unsafe applications is enabled, especially in corporate environments. This can prevent the installation of vulnerable drivers.
- Implement proper patch management as an effective and essential defense strategy, as sophisticated attackers may exploit vulnerable drivers already present on compromised machines.
Additional defenses include detecting and mitigating attackers’ presence before they gain admin privileges and keeping security solutions updated to recognize and block known EDR killer signatures.
The Bigger Picture: Ransomware in 2024-2025
According to ESET researchers, the ransomware environment has experienced significant shifts. Former top gangs LockBit and BlackCat have been disrupted, and recorded ransomware payments dropped by 35%. However, the number of victims announced on dedicated leak sites increased by approximately 15%, with RansomHub contributing significantly to this increase.
RansomHub emerged in early 2024 around the time of law-enforcement Operation Cronos (which disrupted LockBit activities) and has quickly become a dominant force in the ransomware scene.
The increased use of EDR killers is viewed as a reaction to security solutions becoming more effective at detecting file-encrypting malware. While there are over 1,700 vulnerable drivers that EDR killer solutions could potentially exploit, only a handful are actually being abused, because tested code targeting those drivers already exists and spares threat actors from writing new code from scratch.
How CinchOps Can Help Secure Your Business
In light of these evolving threats, CinchOps offers comprehensive security solutions to protect your organization:
- Advanced EDR Protection: Our EDR solutions are continuously updated to detect and counter the latest evasion techniques used by tools like EDRKillShifter.
- Vulnerability Management: We implement rigorous patch management protocols to ensure vulnerable drivers cannot be exploited.
- Privilege Management: We help establish strict access controls to prevent attackers from gaining the admin privileges needed to deploy EDR killers.
- 24/7 Monitoring: Our security operations center provides round-the-clock monitoring to detect suspicious activities before they escalate to the deployment of EDR killer tools.
- Incident Response: Should an attack occur, our rapid response team can contain and remediate threats quickly to minimize damage.
The emergence of tools like EDRKillShifter and the collaboration between ransomware gangs highlight the critical importance of staying ahead of evolving cyber threats. With CinchOps as your security partner, you can ensure your organization has the protection it needs in this increasingly dangerous digital environment.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Contact CinchOps today to learn how we can help strengthen your security posture against these sophisticated threats.