August 15, 2024 at 07:33AM
A cybercrime group linked to the RansomHub ransomware has been using a new tool, EDRKillShifter, to disable endpoint detection and response (EDR) software on compromised hosts. The tool is a loader: it drops a legitimate but vulnerable driver and exploits it from kernel mode to terminate EDR processes, and it can deliver different driver payloads depending on the target. Keeping systems updated and enabling tamper protection in the EDR software are the main mitigations.
Summary:
– A cybercrime group linked to the RansomHub ransomware has been observed using a new tool named EDRKillShifter to terminate endpoint detection and response software on compromised hosts.
– EDRKillShifter is a loader executable discovered by cybersecurity company Sophos, and can deliver a variety of different driver payloads based on the threat actor’s requirements.
– RansomHub, a suspected rebrand of the Knight ransomware, leverages known security flaws and drops legitimate remote desktop software for persistent access.
– Scattered Spider, an e-crime syndicate, has incorporated ransomware strains like RansomHub and Qilin into its arsenal.
– The attack can be mitigated by keeping systems up-to-date, enabling tamper protection in EDR software, and keeping tight control over Windows administrative privileges, since loading a driver requires administrator rights on the host.
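Because a loader of this kind has to get a signed-but-vulnerable driver loaded before it can touch the EDR, the driver load itself is a good detection point. The following is an added example, not code from Sophos or from the original report: it parses Sysmon Event ID 6 ("Driver loaded") records and flags loads whose hash is on a blocklist, that come from outside the standard driver directories, or whose signature is not valid. The event records and the blocklist hash are constructed placeholders, and the blocklist is assumed to be supplied by the reader (for example, derived from the Microsoft vulnerable driver blocklist).

```python
"""Hunt for suspicious kernel driver loads in Sysmon Event ID 6 records.

Added illustrative example. The records and hashes below are constructed;
they are not captured from a real EDRKillShifter incident.
"""
import re
from dataclasses import dataclass, field

# Placeholder blocklist of SHA256 hashes of drivers that must never load.
# Constructed value; replace with an organisation's own list.
BLOCKED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Where a properly installed driver normally lives. A load from anywhere
# else (temp, user profile, ProgramData) is worth a look.
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I),
    re.compile(r"^[a-z]:\\windows\\system32\\driverstore\\filerepository\\", re.I),
]


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str
    findings: list = field(default_factory=list)


def parse_sysmon_eid6(record: str) -> DriverLoad:
    """Parse the message body of a Sysmon EID 6 record (one 'Key: value' per line)."""
    fields = {}
    for line in record.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> DriverLoad:
    """Attach a finding for each rule the driver load trips.

    Note that a BYOVD driver is signed and usually passes the signature rule;
    the blocklist and path rules are the ones that catch it.
    """
    if load.sha256 in BLOCKED_SHA256:
        load.findings.append("hash on driver blocklist")
    if not any(p.match(load.image) for p in TRUSTED_DIR_PATTERNS):
        load.findings.append("loaded from outside the standard driver directories")
    if not load.signed or load.signature_status.lower() != "valid":
        load.findings.append("unsigned or signature not valid")
    return load


def hunt(records):
    """Return (image, findings) for every record that trips at least one rule."""
    hits = []
    for record in records:
        load = assess(parse_sysmon_eid6(record))
        if load.findings:
            hits.append((load.image, load.findings))
    return hits


# Constructed sample records in Sysmon's message-body layout.
SAMPLE_RECORDS = [
    "Driver loaded:\nRuleName: -\nUtcTime: 2024-08-15 07:33:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\n"
    "Hashes: SHA256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    # Signed and valid, but a blocklisted hash loaded from a temp directory.
    "Driver loaded:\nRuleName: -\nUtcTime: 2024-08-15 07:35:12.000\n"
    "ImageLoaded: C:\\Windows\\Temp\\drv.sys\n"
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001\n"
    "Signed: true\nSignature: Example Hardware Vendor\nSignatureStatus: Valid",
    "Driver loaded:\nRuleName: -\nUtcTime: 2024-08-15 07:36:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\vendor.sys\n"
    "Hashes: SHA256=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n"
    "Signed: true\nSignature: Example Hardware Vendor\nSignatureStatus: Valid",
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_RECORDS):
        print(image, "->", "; ".join(findings))
```

Only the second record is reported, and only by the blocklist and path rules; its signature is valid, which is exactly why a hash- or path-based rule (or the vulnerable driver blocklist enforced by the OS) is needed alongside signature checks.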