The cybercrime group behind the RansomHub ransomware has been observed using a new tool designed to disable endpoint detection and response (EDR) software on compromised systems. The tool, which cybersecurity firm Sophos has named ‘EDRKillShifter’, is the latest in a series of similar utilities, such as AuKill (aka AvNeutralizer) and Terminator, that threat actors have used to neutralize security defenses before deploying ransomware.
Sophos uncovered EDRKillShifter in May 2024, following a failed ransomware attack.
The tool functions as a loader executable: a delivery mechanism that drops and loads a legitimately signed but vulnerable driver, a method known as ‘bring your own vulnerable driver’ (BYOVD). Because the driver carries a valid signature, Windows allows it to load into the kernel; the attackers then exploit the driver's flaw to run with kernel privileges and terminate or blind the EDR agent, something ordinary user-mode malware cannot do against a protected security product.
Depending on the threat actor's requirements, it can deliver a variety of different driver payloads, the researchers explained.
RansomHub first emerged in February 2024 and is suspected to be a rebrand of the Knight ransomware. The group is known for exploiting security vulnerabilities to gain initial access to networks and for deploying legitimate remote desktop software, such as Atera and Splashtop, to maintain persistent access.
Once executed, the tool decrypts an embedded resource named BIN and runs it in memory. That stage in turn unpacks and launches a final, obfuscated payload written in Go, which loads one of several vulnerable drivers to gain kernel-level privileges and disable EDR software.
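The loader chain described above (a signed third-party driver dropped to disk and loaded into the kernel, then abused to kill the EDR agent) ends in a step a defender can observe: the driver load itself. As an added example, not code from Sophos or from the report, the Python below triages Sysmon Event ID 6 (DriverLoad) records for BYOVD traits: a driver loaded from outside the normal driver directories, a signer other than Microsoft's own first-party certificate, or a SHA256 on a known-vulnerable-driver list. The sample events, the driver name hwmon64.sys, the vendor signer name and the blocklist hash are all constructed for this example; the field names match Sysmon's DriverLoad schema.

```python
"""Heuristic triage of Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Placeholder entry, NOT a real driver hash. In practice populate this set from
# Microsoft's recommended driver block rules or a curated list such as loldrivers.io.
FAKE_VULN_SHA256 = "0123456789abcdef" * 4
KNOWN_VULNERABLE_SHA256 = {FAKE_VULN_SHA256}

# Where Windows normally loads kernel drivers from; anything else is worth a look.
EXPECTED_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\driverstore\\")
# Sysmon shows this signer for inbox Windows drivers. WHQL-signed third-party drivers
# show "Microsoft Windows Hardware Compatibility Publisher" and are still scored as third party.
FIRST_PARTY_SIGNER = "Microsoft Windows"


@dataclass
class Finding:
    utc_time: str
    image: str
    signer: str
    sha256: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}Data -> Data."""
    return tag.rsplit("}", 1)[-1]


def _fields(event):
    """Collect <Data Name="..."> children of one event into a dict."""
    return {el.get("Name"): (el.text or "") for el in event.iter()
            if _local(el.tag) == "Data" and el.get("Name")}


def _event_id(event):
    for el in event.iter():
        if _local(el.tag) == "EventID":
            return (el.text or "").strip()
    return ""


def _sha256(hashes):
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; pull out the SHA256 in lowercase."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def score_driver_load(f):
    """Score one DriverLoad record; higher means more BYOVD-like."""
    image = f.get("ImageLoaded", "")
    signer = f.get("Signature", "")
    finding = Finding(f.get("UtcTime", ""), image, signer, _sha256(f.get("Hashes", "")))
    if not any(d in image.lower() for d in EXPECTED_DIRS):
        finding.score += 2
        finding.reasons.append("loaded from outside the normal driver directories")
    if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus", "") != "Valid":
        finding.score += 2
        finding.reasons.append("unsigned or invalid signature")
    elif signer != FIRST_PARTY_SIGNER:
        finding.score += 1
        finding.reasons.append(f"third-party signer: {signer}")
    if finding.sha256 and finding.sha256 in KNOWN_VULNERABLE_SHA256:
        finding.score += 3
        finding.reasons.append("SHA256 matches known-vulnerable driver list")
    return finding


def analyze(xml_text, threshold=2):
    """Return findings at or above threshold for every Event ID 6 in the XML export."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.iter():
        if _local(ev.tag) == "Event" and _event_id(ev) == "6":
            finding = score_driver_load(_fields(ev))
            if finding.score >= threshold:
                hits.append(finding)
    return hits


# Constructed sample export: an inbox driver, a WHQL-signed vendor driver in the usual
# place, and a vendor-signed driver dropped under C:\Users (the BYOVD pattern).
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="UtcTime">2024-05-13 08:12:01.500</Data><Data Name="ImageLoaded">C:\Windows\System32\drivers\afd.sys</Data>
<Data Name="Hashes">SHA256=aaaa</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="UtcTime">2024-05-13 08:12:02.000</Data><Data Name="ImageLoaded">C:\Windows\System32\drivers\vendornic.sys</Data>
<Data Name="Hashes">SHA256=bbbb</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows Hardware Compatibility Publisher</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="UtcTime">2024-05-13 08:14:37.250</Data><Data Name="ImageLoaded">C:\Users\Public\Libraries\hwmon64.sys</Data>
<Data Name="Hashes">SHA256=__FAKEHASH__,MD5=cccc</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Example Hardware Vendor Ltd</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
</Events>""".replace("__FAKEHASH__", FAKE_VULN_SHA256)

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit.utc_time, hit.image, hit.score, "; ".join(hit.reasons))
```

With the default threshold only the driver under C:\Users is reported; the WHQL-signed vendor driver scores 1 for its non-Microsoft signer, which is deliberate, since most legitimate third-party drivers look exactly like that and a hash or path indicator is needed before an analyst is paged. Lowering the threshold to 1 surfaces it too.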
The researchers noted that the binary's language metadata indicates it was compiled on a computer with Russian localization, suggesting a possible origin for the malware; such metadata is trivial to set and is weak evidence on its own. “All of the unpacked EDR killers embed a vulnerable driver in the .data section,” they added.
“The samples we analyzed executed different EDR killer variants in memory, all written in Go and obfuscated, possibly using an open-source tool named gobfuscate,” the report said.
Obfuscators, while sometimes used legitimately to protect intellectual property, are often employed by cybercriminals to slow reverse engineering, making the malware harder for security researchers to analyze and to write detections for.
To defend against such threats, organizations should enable tamper protection in their endpoint security product, which guards against certain types of attacks on the agent itself. Maintaining strong Windows security practices, such as separating user and admin privileges, also makes it harder for attackers to escalate to the administrative rights needed to load a driver in the first place. Finally, keeping systems updated is essential; on current Windows releases this also keeps Microsoft's vulnerable driver blocklist up to date, which, where enforced, prevents known-abused drivers from loading at all.