Recent analyses have revealed that cybercriminals affiliated with the RansomHub ransomware group are sharing and repurposing a custom tool known as EDRKillShifter. This tool is designed to disable endpoint detection and response (EDR) software on compromised systems, facilitating the deployment of ransomware. Notably, EDRKillShifter has been observed in attacks associated with other ransomware groups, including Medusa, BianLian, and Play.
Understanding EDRKillShifter
EDRKillShifter employs a tactic called Bring Your Own Vulnerable Driver (BYOVD). This method involves introducing a legitimate but vulnerable driver into a system to disable security solutions protecting the endpoint. By exploiting these vulnerabilities, attackers can terminate EDR software, allowing ransomware to execute without detection.
The use of such tools underscores the evolving strategies of ransomware operators. Rather than frequently updating their ransomware encryptors—which carries the risk of introducing flaws—attackers focus on neutralizing security defenses just before deploying the ransomware. This approach ensures the smooth execution of their malicious payloads.
Cross-Group Utilization of EDRKillShifter
The deployment of EDRKillShifter by multiple ransomware groups highlights a concerning trend: the sharing and repurposing of sophisticated tools among cybercriminal organizations. This collaboration is particularly noteworthy given the operational models of the groups involved.
Both Play and BianLian operate under a closed Ransomware-as-a-Service (RaaS) model. In this model, the operators are selective about their affiliates, often forming long-term partnerships based on mutual trust. The fact that trusted members of these groups are collaborating with rivals like RansomHub—and repurposing tools like EDRKillShifter in their own attacks—suggests a shift in the dynamics of cybercriminal alliances.
ESET researchers have theorized that these collaborations may be the work of a single threat actor, dubbed QuadSwitcher. This actor is believed to have close ties to the Play ransomware group, given the similarities in tactics observed in Play-related intrusions.
Implications for Cybersecurity
The cross-group utilization of EDRKillShifter underscores the need for robust cybersecurity measures. The BYOVD technique, while not new, has seen a resurgence in ransomware attacks. For instance, the Embargo ransomware gang was discovered using a program called MS4Killer to neutralize security software. More recently, the Medusa ransomware group has been linked to a custom malicious driver codenamed ABYSSWORKER.
To mitigate the risks posed by such tools, organizations should implement the following measures:
1. Monitor for Unauthorized Privilege Escalation: Attackers require administrative privileges to deploy EDR killers. Detecting and mitigating unauthorized privilege escalation can prevent the deployment of such tools.
2. Enable Detection of Potentially Unsafe Applications: Ensuring that security solutions are configured to detect potentially unsafe applications can prevent the installation of vulnerable drivers.
3. Regularly Update and Patch Systems: Keeping systems updated with the latest patches can close vulnerabilities that attackers might exploit.
4. Conduct Regular Security Training: Educating employees about phishing attacks and other common vectors can reduce the risk of initial compromise.
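The BYOVD technique described above and the first two mitigations both come down to the same detection question: was a kernel driver loaded that is unsigned, signed but known to be abusable, or staged from an unusual path? The following Python is an added example, not code from the original article or from any of the researchers it cites. It scores Sysmon Event ID 6 (DriverLoad) records against a blocklist and a set of trusted driver directories; the sample events, the driver path and every hash value are constructed placeholders, and the blocklist would be populated from a maintained source such as the Microsoft vulnerable driver blocklist or loldrivers.io in real use.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 records.

Added example (not from the original article). All hashes, paths and
events below are constructed placeholders for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical blocklist of SHA256 hashes for signed-but-abusable drivers.
# Placeholder values: load a real list (e.g. loldrivers.io) in production.
VULNERABLE_DRIVER_HASHES = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Directories from which a legitimate driver load is normally expected.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Split Sysmon's 'SHA256=...,IMPHASH=...' field into an upper-cased dict."""
    out: Dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().upper()
    return out


@dataclass
class Finding:
    image: str
    reasons: List[str]


def assess_driver_load(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the driver load looks like BYOVD staging, else None."""
    reasons: List[str] = []
    image = event.get("ImageLoaded", "")
    path = image.lower().replace("/", "\\")
    hashes = parse_hashes(event.get("Hashes", ""))

    # 1. Driver is on the known-vulnerable list: the core BYOVD indicator.
    if hashes.get("SHA256") in VULNERABLE_DRIVER_HASHES:
        reasons.append("SHA256 matches known-vulnerable driver blocklist")

    # 2. Signature problems: unsigned drivers should not load at all on a
    #    healthy host, and a non-Valid status deserves a look.
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is not signed")
    elif event.get("SignatureStatus", "") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus')!r}")

    # 3. Staging location: a driver dropped by an operator typically lives
    #    outside the Windows driver store.
    if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from a non-standard path")

    return Finding(image=image, reasons=reasons) if reasons else None


def scan_driver_loads(events: List[Dict[str, str]]) -> List[Finding]:
    """Run assess_driver_load over a batch of Event ID 6 records."""
    return [f for f in (assess_driver_load(e) for e in events) if f is not None]


# Constructed sample events mirroring Sysmon EventData field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: OS driver from the normal location, validly signed
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + "A" * 64 + ",IMPHASH=" + "B" * 32,
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # BYOVD pattern: validly signed, but blocklisted and staged in a user dir
        "ImageLoaded": "C:\\Users\\Public\\driver.sys",
        "Hashes": "SHA256=" + "0" * 63 + "1,IMPHASH=" + "C" * 32,
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver from a temp directory
        "ImageLoaded": "C:\\Windows\\Temp\\svc.sys",
        "Hashes": "SHA256=" + "D" * 64,
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for finding in scan_driver_loads(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

A validly signed driver on the blocklist is the case that matters most here: signature checks alone pass it, which is exactly why EDR killers rely on legitimate drivers, so the hash match and the unusual load path are the signals to alert on and to feed into an automated response such as isolating the host.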
The evolving tactics of ransomware groups, including the sharing and repurposing of tools like EDRKillShifter, highlight the importance of a proactive and comprehensive approach to cybersecurity.