RansomHub Deploys EDRKillShifter: A New Threat to Endpoint Security

By Kevin Wood (News > Cyber-Attacks > Ransomware)

[Image: EDR solutions looking for answers]

In a disturbing development within the cybersecurity landscape, the RansomHub ransomware group has been observed deploying a new tool designed specifically to disable Endpoint Detection and Response (EDR) solutions. The tool, dubbed EDRKillShifter by security researchers, represents a significant escalation in the capabilities of ransomware groups, enabling them to bypass some of the most advanced security defenses that organizations rely on.

The Mechanics of EDRKillShifter

EDRKillShifter operates by leveraging a “Bring Your Own Vulnerable Driver” (BYOVD) attack method. The attacker brings along a legitimately signed but vulnerable driver, loads it on the targeted system, and exploits its flaw to escalate privileges to the kernel level, from where the EDR software can be neutralized. Because the driver carries a valid signature, loading it does not trip driver signature enforcement, which is what makes the technique effective against otherwise hardened systems. Once the EDR is disabled, the attackers have free rein over the compromised host, significantly increasing the likelihood of a successful ransomware attack.

The tool was first discovered by Sophos during an investigation in May 2024, where it was used in an attempted attack. Although the attack failed because the EDR software in question withstood it, the discovery of EDRKillShifter raised alarms throughout the cybersecurity community. The tool’s ability to exploit known vulnerabilities in legitimate drivers is particularly concerning, as it allows attackers to disable security measures without triggering immediate detection.

The Broader Implications

The deployment of EDRKillShifter by RansomHub, a group linked to previous high-profile attacks on organizations like Change Healthcare and Christie’s auction house, highlights the evolving sophistication of ransomware groups. The ability to disable EDR software not only facilitates the deployment of ransomware but also complicates incident response efforts, as it leaves organizations with fewer options to detect and mitigate ongoing attacks.

Security experts are particularly concerned about the implications of this tool being sold or shared among other cybercriminal groups. The ease with which the tool can be adapted to different environments means that it could become a standard part of the ransomware toolkit, leading to an increase in successful attacks against well-defended targets.

What Can Be Done?

To mitigate the threat posed by tools like EDRKillShifter, organizations are advised to adopt a multi-layered security approach. This includes enabling tamper protection on the EDR product, so that its services and processes cannot be stopped even from an administrative context; maintaining strict controls on who may install drivers; and keeping systems updated so that known-vulnerable drivers are removed, patched, or blocked (on Windows, the Microsoft vulnerable driver blocklist, enforced through memory integrity/HVCI or a Windows Defender Application Control policy, serves this purpose). Additionally, separating user and administrative privileges raises the bar considerably, since loading a kernel driver requires administrative rights that an attacker must first obtain before such a tool can be deployed.
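As an added illustration of the BYOVD mechanics and the mitigation points above (this is example code written for this page, not code from the article, from Sophos, or from any EDR vendor), the following Python script evaluates simplified, Sysmon-style DriverLoad records against the indicators a defender can act on: a hash match against a vulnerable-driver blocklist, a driver loaded without a valid signature, and a driver loaded from a user-writable directory. It then correlates a flagged load with an EDR service stop that follows shortly afterwards, which is the sequence an EDR killer produces. The record format, the blocklist hashes, the paths and the service names are all constructed placeholders, and the signature check is deliberately shown as insufficient on its own, because a BYOVD driver is validly signed.

```python
"""Flag suspicious kernel driver loads and follow-on EDR service stops.

Added, self-contained example: not code from the article or from any vendor.
Record shapes are simplified JSON modelled on Sysmon Event ID 6 (DriverLoad)
and Service Control Manager event 7036 fields; every hash, path and service
name below is a constructed placeholder.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder blocklist (SHA256 -> description). In production this
# would be fed from a maintained source such as Microsoft's vulnerable driver
# blocklist; the digest below is NOT a real driver hash.
KNOWN_VULNERABLE_SHA256 = {
    "00" * 31 + "01": "placeholder vulnerable driver A",
}

# Placeholder names of the services an attacker must stop to blind the host.
EDR_SERVICE_NAMES = {"ExampleEdrAgent", "ExampleEdrSensor"}

# Directories from which a properly installed driver is not expected to load.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# A service stop this soon after a flagged driver load is treated as correlated.
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed sample events, one JSON object per line (times are ISO 8601).
SAMPLE_LOG = "\n".join([
    json.dumps({"time": "2024-05-14T10:00:00", "event": "DriverLoad",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
                "Hashes": "SHA256=" + "ab" * 32, "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"time": "2024-05-14T10:01:10", "event": "DriverLoad",
                "ImageLoaded": "C:\\Users\\Public\\tmp\\placeholder_vuln.sys",
                "Hashes": "SHA256=" + "00" * 31 + "01", "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"time": "2024-05-14T10:01:45", "event": "ServiceStopped",
                "ServiceName": "ExampleEdrAgent"}),
    json.dumps({"time": "2024-05-14T10:30:00", "event": "ServiceStopped",
                "ServiceName": "Spooler"}),
])


@dataclass
class Finding:
    time: datetime
    subject: str      # driver image path or service name
    reason: str
    severity: str     # low | medium | high | critical


def parse_hashes(field: str) -> dict:
    """'SHA256=ABC,MD5=def' -> {'SHA256': 'abc', 'MD5': 'def'} (values lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(ev: dict) -> list:
    """Apply the BYOVD-oriented checks to one DriverLoad event."""
    t = datetime.fromisoformat(ev["time"])
    image = ev.get("ImageLoaded", "")
    findings = []
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append(Finding(t, image, "hash on vulnerable-driver blocklist: "
                                + KNOWN_VULNERABLE_SHA256[sha256], "high"))
    # A BYOVD driver is usually validly signed, so this check alone will not
    # catch it; an unsigned or invalid load is still worth a finding.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append(Finding(t, image, "driver loaded without a valid signature", "medium"))
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append(Finding(t, image, "driver loaded from a user-writable directory", "medium"))
    return findings


def scan(log_text: str) -> list:
    """Evaluate each event and correlate flagged driver loads with EDR service stops."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])
    findings, flagged_loads = [], []
    for ev in events:
        if ev.get("event") == "DriverLoad":
            new = assess_driver_load(ev)
            findings.extend(new)
            flagged_loads.extend(new)
        elif ev.get("event") == "ServiceStopped" and ev.get("ServiceName") in EDR_SERVICE_NAMES:
            t = datetime.fromisoformat(ev["time"])
            recent = [f for f in flagged_loads if timedelta(0) <= t - f.time <= CORRELATION_WINDOW]
            reason = "EDR service stopped"
            if recent:
                reason += " within %ds of suspicious driver load %s" % (
                    CORRELATION_WINDOW.seconds, recent[-1].subject)
            findings.append(Finding(t, ev["ServiceName"], reason, "critical" if recent else "high"))
    return findings


def max_severity(findings: list) -> str:
    """Highest severity present, or 'none' for an empty result."""
    order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.time.isoformat()} {f.subject}: {f.reason}")
```

Run as-is, the script reports the blocklisted driver load as high, the same load's unusual path as medium, and the EDR service stop 35 seconds later as critical, while the benign ndis.sys load and the unrelated Spooler stop produce nothing. The path and correlation rules are what catch a signed BYOVD driver that no signature check would flag.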

As ransomware groups continue to refine their methods, the importance of robust and adaptive cybersecurity measures cannot be overstated. Organizations must remain vigilant and proactive in their defense strategies, as the threat landscape becomes increasingly complex.

For more information on how to protect your organization from such advanced threats, or to schedule a demo of our cybersecurity solutions, please contact us at cybersecurity@bbg-mn.com.

 

Securing Your Business Against Evolving Cyber Threats

The discovery of EDRKillShifter, a tool designed to disable critical Endpoint Detection and Response (EDR) solutions, underscores the relentless evolution of cyber threats. Ransomware groups like RansomHub are leveraging advanced techniques to bypass even the most robust security measures, leaving businesses vulnerable to devastating attacks.

At Balance Business Group (BBG), we specialize in providing comprehensive cybersecurity services that protect your organization from these sophisticated threats. Our solutions include advanced threat detection, vulnerability assessments, and incident response planning—key strategies in mitigating risks posed by tools like EDRKillShifter.

As attackers continue to refine their methods, it’s crucial for businesses to stay ahead of the curve. BBG offers the expertise and tools necessary to safeguard your critical infrastructure and ensure that your operations remain secure.

Don’t wait for a breach to happen. Contact us at cybersecurity@bbg-mn.com to learn more about how we can help protect your business or to schedule a demo of our cutting-edge cybersecurity solutions.