Malware & Ransomware · HIGH

Malware - EDR Killers Become Standard in Ransomware Attacks

Help Net Security · Reporting by Anamarija Pogorelec
4 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, ransomware hackers use special tools to turn off security software before locking files.

Quick Summary

Ransomware attackers are now using EDR killers to disable security software before encrypting files. This trend affects many organizations and highlights the need for improved defenses. As ransomware tactics evolve, proactive monitoring and robust controls are essential to protect against these threats.

What Happened

Ransomware attacks have evolved, with attackers now routinely deploying EDR killers to disable endpoint detection and response (EDR) software. This tactic allows them to launch their encryptors with minimal resistance. According to ESET Research, nearly 90 different EDR killers are actively being used in the wild. The typical workflow for these attacks involves gaining high privileges, deploying an EDR killer, and then executing the encryptor. This method provides a brief window for attackers to encrypt files without needing to constantly modify their payloads to evade detection.

Who's Being Targeted

In the world of ransomware-as-a-service, the division of labor is crucial. Operators provide the encryptor, while affiliates select the EDR killers. This approach leads to a greater diversity of EDR killers being used across different attacks. As a result, defenders face a wider array of EDR killers from a single ransomware brand, depending on which affiliate executed the attack. This complexity makes it more challenging for organizations to defend against such intrusions.

Signs of Infection

The most common method employed by attackers is the Bring Your Own Vulnerable Driver (BYOVD) technique. This involves dropping a legitimate but vulnerable driver onto a victim's machine, which is then exploited to gain kernel-level access. However, a growing number of EDR killers can bypass this requirement entirely, using built-in administrative tools to disrupt EDR communication or suspend processes. Some of these tools even exhibit signs of AI-assisted development, complicating the threat landscape further.

How to Protect Yourself

To effectively defend against these evolving threats, organizations must implement proactive monitoring strategies. It's essential to focus on the stages of privilege escalation and driver installation, as these are critical points where EDR killers can be deployed. Blocking vulnerable drivers is a necessary step, but it is not sufficient on its own. Organizations need comprehensive controls to disrupt EDR killers before they can load, ensuring a more robust defense against ransomware intrusions.

As ransomware continues to adapt and evolve, defenders must prioritize resources and design detection strategies that account for the interactive and human-driven nature of these operations.
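The monitoring advice above (watch the driver-installation stage, and treat a driver blocklist as necessary but not sufficient) can be turned into a small triage routine over driver-load telemetry. The following is an added example written for this summary; it is not code from Help Net Security, ESET, or any of the cited vendors. It assumes Sysmon Event ID 6 (DriverLoad) records flattened to one JSON object per line, using Sysmon's real field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus, UtcTime). The blocklist hashes, file paths and signer names are constructed placeholders; a real deployment would load Microsoft's recommended driver block rules or the EDR vendor's list instead. The checks layer three signals so that a validly signed driver in the normal driver directory is still caught when its hash is blocklisted, and an unknown driver loading from a user-writable path is flagged even before it appears on any list.

```python
"""Triage of driver-load telemetry for BYOVD-style EDR-killer activity.

Added example, not code from the article or the vendors it cites.
Assumptions: Sysmon Event ID 6 records as JSON lines; all hashes, paths
and signer names below are CONSTRUCTED placeholders.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# CONSTRUCTED placeholder hashes standing in for a vulnerable-driver blocklist.
BLOCKED_SHA256 = {"1" * 64, "4" * 64}

# Directories from which production kernel drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

_SHA256_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


@dataclass(frozen=True)
class Finding:
    utc_time: str
    image: str
    reasons: tuple[str, ...]


def sha256_from_hashes(hashes: str) -> str | None:
    """Extract the SHA256 from Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    m = _SHA256_RE.search(hashes or "")
    return m.group(1).lower() if m else None


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons (if any) a single DriverLoad event deserves review."""
    reasons: list[str] = []
    image = event.get("ImageLoaded", "")
    digest = sha256_from_hashes(event.get("Hashes", ""))
    # Signal 1: known-vulnerable driver regardless of signature or path.
    if digest in BLOCKED_SHA256:
        reasons.append("blocklisted-driver")
    # Signal 2: a valid signature is not proof of safety (BYOVD abuses validly
    # signed drivers), but a missing or invalid one always merits a look.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid-signature")
    # Signal 3: drivers staged in temp or user-writable directories.
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("unusual-load-path")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse one JSON event per line and collect the events that need review."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings.append(Finding(event["UtcTime"], event["ImageLoaded"], tuple(reasons)))
    return findings


# Constructed Sysmon Event ID 6 records (field names follow Sysmon's schema;
# paths, hashes and signer names are invented for this example).
_RECORDS = [
    {"UtcTime": "2025-01-10 02:14:03.101", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2025-01-10 02:31:17.442", "ImageLoaded": r"C:\Users\Public\drvupd.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "b" * 32, "Signed": "true",
     "Signature": "EXAMPLE VENDOR (constructed)", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-01-10 02:31:20.008", "ImageLoaded": r"C:\Windows\Temp\helper.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signed": "false", "Signature": "",
     "SignatureStatus": "Unavailable"},
    {"UtcTime": "2025-01-10 02:32:05.915", "ImageLoaded": r"C:\Windows\System32\drivers\oldutil.sys",
     "Hashes": "SHA256=" + "4" * 64, "Signed": "true",
     "Signature": "EXAMPLE VENDOR (constructed)", "SignatureStatus": "Valid"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.utc_time, f.image, ", ".join(f.reasons))
```

Run against the constructed log, the routine is silent for tcpip.sys and raises three findings: the driver staged under C:\Users\Public is both blocklisted and mislocated, the one in C:\Windows\Temp is unsigned and mislocated, and oldutil.sys, validly signed and in the normal driver directory, is caught only by the blocklist. That last case is the reason the article says blocking vulnerable drivers is necessary but not sufficient: the hash check catches known drivers, while the path and signature checks are what give coverage for ones not yet listed.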

🔒 Pro insight: The rise of EDR killers necessitates a shift in defensive strategies, focusing on early detection of privilege escalation and driver installations.

Original article from: Help Net Security · Anamarija Pogorelec

Also covered by:

Cyber Security News: Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers
WeLiveSecurity (ESET): EDR killers explained: Beyond the drivers
The Hacker News: 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security
Microsoft Security Blog: Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started
