Cybercriminals bypass your endpoint security measures, having effectively neutralized them as part of their ransomware attacks
In the ever-evolving world of cybersecurity, ransomware gangs continue to adapt their tactics to bypass endpoint security defenses. According to recent reports, these criminal groups are now employing custom or evolved Endpoint Detection and Response (EDR) killer tools to disable security defenses silently, enabling successful ransomware execution on targeted systems.
Benson George, a senior principal product marketing manager at Aviatrix, emphasized that stopping ransomware attacks requires controls that keep working even when endpoint telemetry is gone.
Trend Micro researchers have observed cases where the attackers used Crypto24's customized RealBlindingEDR and abused gpscript.exe to remotely execute the Trend Vision One uninstaller. Crypto24, a new ransomware, has been deployed against nearly two dozen companies since April.
The EDR killers bypass endpoint security tools through several sophisticated means. They inject their obfuscated binary into legitimate applications and leverage DLL side-loading techniques to hide their presence and avoid triggering defenses. By executing vulnerable signed drivers with randomized names, attackers perform Bring Your Own Vulnerable Driver (BYOVD) attacks to gain kernel-level privileges, allowing them to disable security tools at a low system level without raising alarms.
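Two of the behaviours described above (a signed vulnerable driver loaded under a randomized file name, and gpscript.exe launching a security-product uninstaller) can be caught from endpoint telemetry if the rules key on hashes and parent/child relationships rather than file names. The following is an added example, not code from the article or from any vendor; the Sysmon-style event fields are assumed, and every hash and path in it is a constructed placeholder, not a real indicator.

```python
# Added example: detection logic over constructed Sysmon-style events.
# All hashes and paths are placeholders, not real indicators.
from pathlib import PureWindowsPath

# Placeholder SHA256 values standing in for a vulnerable-driver blocklist
# (e.g. a vendor or Microsoft list); match on hash because names are randomized.
KNOWN_VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER_A",
    "PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER_B",
}

def detect_byovd(event):
    """Flag a driver load (Sysmon EID 6) whose hash is on the blocklist."""
    if event.get("EventID") != 6:
        return None
    if event.get("SHA256", "") in KNOWN_VULNERABLE_DRIVER_SHA256:
        name = PureWindowsPath(event["ImageLoaded"]).name
        return f"BYOVD: known-vulnerable driver loaded as {name} (sha256 match)"
    return None

def detect_gpscript_uninstall(event):
    """Flag gpscript.exe (Sysmon EID 1) spawning an uninstaller command line."""
    if event.get("EventID") != 1:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")
    if parent == "gpscript.exe" and "uninstall" in cmd.lower():
        return f"gpscript.exe spawned uninstaller: {cmd}"
    return None

RULES = (detect_byovd, detect_gpscript_uninstall)

def scan(events):
    """Run every rule over every event and return the list of alert strings."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

# Constructed sample events (not real telemetry); one hit per rule expected.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\xk9q2z.sys",
     "SHA256": "PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER_A", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SHA256": "PLACEHOLDER_SHA256_OF_BENIGN_DRIVER", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\uninstall.exe",
     "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r'"C:\Program Files\Vendor\uninstall.exe" /silent'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Replace the placeholder set with a maintained vulnerable-driver hash list and feed real EID 6 / EID 1 events to use it outside the demo.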
The EDR-killer framework appears to be a collaborative effort among different ransomware gangs, with multiple distinct builds implying shared development for more effective evasion and harder detection. Some EDR killers are not custom malware at all but legitimate software tools, such as HRSword, repurposed by ransomware operators to disable endpoint protections.
RansomHub's EDR-killing malware targets products from multiple security vendors, including Sophos, Bitdefender, Cylance, ESET, F-Secure, Fortinet, McAfee, Microsoft, Symantec, and Trend Micro. All of these EDR killers use a kernel-level driver.
The real danger in ransomware attacks lies in how attackers can move laterally across cloud-connected network fabrics, even when endpoint telemetry is gone. Ransomware operators can abuse kernel-level access gained through EDR killers to move laterally within a network, deploy ransomware, steal data, backdoor compromised systems, and perform other nefarious actions without being detected.
Kendall McKay, strategic lead at Cisco Talos, mentioned that Talos' incident responders found HRSword in a couple of ransomware infections they were investigating. At least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, using updated versions of EDRKillShifter, first seen deployed by RansomHub in August 2024.
RealBlindingEDR, an open-source tool designed to disable endpoint detection and response products, is also being used by some ransomware groups. Crypto24 uses a customized version of it, while other groups have co-opted HRSword for the same purpose.
In conclusion, ransomware gangs are using custom or evolved EDR killer tools employing BYOVD attacks with digitally signed drivers, process injection, and obfuscation to bypass endpoint security and disable defenses silently, enabling successful ransomware execution on targeted systems. The real danger in these attacks lies in the ability of attackers to move laterally across cloud-connected network fabrics, even when endpoint telemetry is gone.
- Benson George underscores the necessity of controls that function effectively even when endpoint telemetry is paused, as they are crucial in thwarting ransomware attacks.
- Trend Micro researchers have uncovered cases where attackers used Crypto24's customized RealBlindingEDR and manipulated gpscript.exe to execute the Trend Vision One uninstaller remotely.
- Some EDR killers are not custom malware but legitimate software tools repurposed by ransomware operators to neutralize endpoint protections, such as HRSword.
- Ransomware operators can exploit kernel-level access gained through EDR killers to traverse cloud-connected network fabrics surreptitiously, deploying ransomware, stealing data, and performing other malicious activities without getting detected.