RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks
A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining the likes of other similar programs like AuKill (aka AvNeutralizer) and Terminator.
The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024.
"The EDRKillShifter tool is a 'loader' executable – a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a 'bring your own vulnerable driver,' or BYOVD, tool)," security researcher Andreas Klopsch said. "Depending on the threat actor's requirements, it can deliver a variety of different driver payloads."
RansomHub, a suspected rebrand of the Knight ransomware, surfaced in February 2024, leveraging known security flaws to obtain initial access and drop legitimate remote desktop software such as Atera and Splashtop for persistent access.
Last month, Microsoft revealed that the notorious e-crime syndicate known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal.
Executed via command-line along with a password string input, the executable decrypts an embedded resource named BIN and executes it in memory. The BIN resource unpacks and runs a Go-based final, obfuscated payload, which then takes advantage of different vulnerable, legitimate drivers to gain elevated privileges and disarm EDR software.
"The binary's language property is Russian, indicating that the malware author compiled the executable on a computer with Russian localization settings," Klopsch said. "All of the unpacked EDR killers embed a vulnerable driver in the .data section."
To mitigate the threat, it's recommended to keep systems up-to-date, enable tamper protection in EDR software, and practice strong hygiene for Windows security roles.
"This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights," Klopsch said. "Separation between user and admin privileges can help prevent attackers from easily loading drivers."
Identity Threat Detection and Response Solution Guide
Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner
