#Ransomware crews add '#EDR killers' to their arsenal – and some aren't even malware
Criminalss are disabling #security tools early in attacks, Talos says
Ransomware crews are increasingly using programs like #EDRSilencer, #EDRSandblast, #EDRKillShifter, and Terminator to either modify or completely disable endpoint detection and response (EDR) products.
https://www.theregister.com/2025/03/31/ransomware_crews_edr_killers/

Shifting the sands of RansomHub’s EDRKillShifter
#EDRKillShifter #MedusaRansomware #PLAY #BianLian #RansomHub
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/ransomhub

Nouvelle technique de piratage qui utilise les outils d’accessibilité Windows pour échapper aux antivirus https://whiteandhack.wordpress.com/2024/12/13/nouvelle-technique-de-piratage-qui-utilise-les-outils-daccessibilite-windows-pour-echapper-aux-antivirus/ #Antivirus, #EDRKillShifter, #Malware, #Piratage, #Ransomware, #Technique, #Windows

RansomHub ransomware operators have been spotted deploying new #EDRKillShifter malware to disable endpoint detection and response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks - #ransomeware #cyberattacks https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/