August 15, 2024 at 02:03PM
RansomHub ransomware operators have deployed a new malware, EDRKillShifter, to disable EDR security software in BYOVD attacks. Discovered by Sophos researchers, the malware exploits vulnerable drivers to escalate privileges and disable security solutions. Sophos recommends enabling tamper protection and maintaining a separation between user and admin privileges to mitigate such attacks.
The key takeaways are as follows:
1. Ransomware operators are deploying a new malware, EDRKillShifter, to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
2. EDRKillShifter deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system. Sophos security researchers discovered this during a May 2024 ransomware investigation.
3. This technique is being used by various threat actors, from financially motivated ransomware gangs to state-backed hacking groups.
4. Sophos recommends enabling tamper protection in endpoint security products, maintaining a separation between user and admin privileges, and keeping systems updated.
5. Notably, last year Sophos also spotted another EDR-killing malware called AuKill, which abused a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
These takeaways highlight the severity of the EDRKillShifter malware and the importance of implementing the security measures Sophos recommends to prevent such attacks.