Malware
August 16, 2024

Ransomware Group Unleashes New Malware to Disable Security Protections

RansomHub, a known ransomware operator, has recently escalated its methods by deploying sophisticated malware aimed at disabling Endpoint Detection and Response (EDR) security solutions. This new threat, identified by Sophos security researchers and named EDRKillShifter, leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to exploit legitimate but vulnerable drivers, thereby compromising the security of targeted systems.

The Rise of EDRKillShifter

EDRKillShifter first came to light during a ransomware investigation in May 2024. The malware operates by deploying a legitimate but outdated driver on compromised devices, allowing attackers to gain elevated privileges, deactivate security defences, and ultimately seize control of the system. This technique is not isolated to RansomHub alone; it has become increasingly popular among a wide range of threat actors, from financially motivated ransomware groups to nation-state hackers.

Sophos researchers, who identified EDRKillShifter during their investigation, have noted its deployment in attempts to terminate Sophos’ own protection mechanisms. However, these attempts were unsuccessful due to the activation of Sophos’ CryptoGuard feature, which thwarted the execution of the ransomware payload.

Technical Details and Discovery

Further analysis by Sophos revealed two distinct samples of EDRKillShifter, each leveraging different vulnerable drivers. One sample exploits a driver known as RentDrv2, while the other targets a driver called ThreatFireMonitor, part of an outdated system-monitoring package. Both of these exploits are based on proof-of-concept code available on GitHub, indicating that the malware's authors have adapted and enhanced these publicly available resources for their malicious purposes.

EDRKillShifter is capable of delivering various driver payloads depending on the attackers’ objectives. Notably, the malware’s language settings suggest that it was compiled on a machine using Russian localisation, hinting at the possible origin of its developers.

The malware’s execution process is methodical, involving several stages. Initially, the attacker runs the EDRKillShifter binary with a specific password, which decrypts and executes an embedded resource named BIN directly in memory. This code then unpacks and deploys the final payload, which introduces and exploits a vulnerable, legitimate driver to escalate privileges and neutralise active EDR processes.

Continuous Threat to Security Systems

Once the malicious driver is loaded, EDRKillShifter enters a relentless cycle, systematically scanning and terminating processes associated with security solutions that appear in a hardcoded target list. Sophos researcher Andreas Klopsch highlighted that the malware relies on exploiting legitimate drivers, further complicating detection and mitigation efforts.
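The execution chain described above (a vulnerable driver is loaded, then security processes on a hardcoded list are terminated in a loop) has a recognisable telemetry footprint: a driver-load event that is unusual for the host, followed shortly by a burst of process terminations hitting security-product binaries. The following Python script is an added example, not code from the article or from Sophos, that correlates those two signals over constructed Sysmon-style events (Event ID 6 = driver loaded, Event ID 5 = process terminated). The driver file-name stems, the security-process names, the host names and the log records are all constructed for the example; in particular the stems `rentdrv2` and `threatfiremonitor` are assumed from the driver names the article gives, since the page does not state the actual file names.

```python
"""Toy correlation rule for the BYOVD -> EDR-kill pattern.

Constructed Sysmon-style JSON events (not real telemetry):
  EventID 6 = driver loaded   (field: ImageLoaded)
  EventID 5 = process ended   (field: Image)
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: lower-case file-name stems derived from the driver names in the
# article; the real file names are not given on the page.
VULNERABLE_DRIVER_STEMS = ("rentdrv2", "threatfiremonitor")

# ASSUMPTION: placeholder names standing in for a site's security-product processes.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "sensor_svc.exe"}

# Drivers normally live in the driver store; a load from elsewhere is unusual.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    image: str  # driver path for ID 6, process path for ID 5


def parse_events(lines):
    """Parse JSON log lines into Event objects sorted by timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["UtcTime"]),
            host=rec["Computer"],
            event_id=int(rec["EventID"]),
            image=rec.get("ImageLoaded") or rec.get("Image") or "",
        ))
    events.sort(key=lambda e: e.ts)
    return events


def suspicious_driver(path):
    """True if the driver sits outside the driver store or matches a known stem."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    outside_store = not low.startswith(TRUSTED_DRIVER_DIR)
    known_bad = any(stem in name for stem in VULNERABLE_DRIVER_STEMS)
    return outside_store or known_bad


def detect_edr_kill(events, window=timedelta(seconds=120), min_kills=2):
    """Alert when a suspicious driver load on a host is followed, within the
    window, by at least min_kills terminations of security-product processes."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.event_id != 6 or not suspicious_driver(ev.image):
            continue
        killed = []
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break  # events are time-sorted, so nothing later can qualify
            proc = later.image.lower().rsplit("\\", 1)[-1]
            if later.host == ev.host and later.event_id == 5 and proc in SECURITY_PROCESSES:
                killed.append(later.image)
        if len(killed) >= min_kills:
            alerts.append({"host": ev.host, "driver": ev.image,
                           "terminated": killed, "first_seen": ev.ts.isoformat()})
    return alerts


# Constructed sample log: WS01 shows the attack pattern, WS02 is benign noise.
_RECORDS = [
    {"UtcTime": "2024-08-16T10:00:00", "Computer": "WS01", "EventID": 6,
     "ImageLoaded": "C:\\Users\\Public\\rentdrv2.sys"},
    {"UtcTime": "2024-08-16T10:00:05", "Computer": "WS01", "EventID": 5,
     "Image": "C:\\Program Files\\Vendor\\edr_agent.exe"},
    {"UtcTime": "2024-08-16T10:00:07", "Computer": "WS01", "EventID": 5,
     "Image": "C:\\Program Files\\Vendor\\av_service.exe"},
    {"UtcTime": "2024-08-16T10:00:08", "Computer": "WS01", "EventID": 5,
     "Image": "C:\\Program Files\\Vendor\\sensor_svc.exe"},
    {"UtcTime": "2024-08-16T10:00:09", "Computer": "WS01", "EventID": 5,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"UtcTime": "2024-08-16T10:05:00", "Computer": "WS02", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"UtcTime": "2024-08-16T10:05:03", "Computer": "WS02", "EventID": 5,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]
SAMPLE_LOG = [json.dumps(r) for r in _RECORDS]


def run_demo():
    return detect_edr_kill(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert, indent=2))
```

The two-signal correlation matters because either signal alone is noisy: drivers do get loaded from installer directories, and security services are legitimately restarted during upgrades. Tuning the window and the minimum kill count to a site's own upgrade behaviour keeps the rule useful, and the driver-path check is where a site would plug in its own blocklist of known-vulnerable driver hashes rather than the name stems used here.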

The development of EDRKillShifter mirrors previous threats, such as AuKill, another EDR-disabling malware discovered last year. AuKill was used in ransomware attacks by groups like Medusa Locker and LockBit and similarly exploited a vulnerable Process Explorer driver. These tactics reflect an evolving trend where cybercriminals adapt and repurpose existing tools to bypass modern security measures.

Defensive Measures and Recommendations

In response to this emerging threat, Sophos advises organisations to implement several key defensive strategies:

Enable Tamper Protection: Ensuring that endpoint security products are protected from unauthorised changes is critical in preventing malware like EDRKillShifter from disabling these defences.

Maintain Separation of Privileges: Reducing the overlap between user and administrator privileges can significantly limit an attacker’s ability to load vulnerable drivers.

Keep Systems Updated: Regularly updating systems and software ensures that vulnerable drivers are de-certified by Microsoft, reducing the risk of exploitation.

As cyber threats continue to evolve, staying vigilant and proactive is essential in safeguarding against sophisticated attacks like those facilitated by EDRKillShifter. By adhering to best practices and maintaining robust security protocols, organisations can better protect themselves from these increasingly complex forms of ransomware.
