Ransomware attackers are getting smarter by using tools that disable security software before they lock up your files. It's like a thief disabling your alarm system before breaking in. To stay safe, companies need to be extra vigilant and improve their defenses.
What Happened
Ransomware attacks have evolved: attackers now routinely deploy EDR killers to disable endpoint detection and response (EDR) software before launching their encryptors, so the encryptor runs with minimal resistance. According to ESET Research, nearly 90 different EDR killers are being used in the wild. The typical workflow is to gain high privileges, deploy an EDR killer, and then execute the encryptor. Disabling the sensor buys a short window in which files can be encrypted without the attacker having to keep modifying the payload to evade detection.
Recent reports indicate that the threat landscape has expanded beyond the well-known Bring Your Own Vulnerable Driver (BYOVD) technique. Attackers are now utilizing driverless methods, custom command-line scripts, and legitimate anti-rootkit utilities to disable security defenses. Notably, CybSafe has highlighted that the use of living-off-the-land (LotL) techniques is on the rise, where attackers leverage existing software and tools within the target environment to carry out their attacks. This diversification complicates the detection and mitigation efforts for cybersecurity teams.
Who's Being Targeted
In the ransomware-as-a-service model, the division of labour matters. Operators provide the encryptor, while affiliates choose the EDR killer. Because it is usually the affiliate, not the core operator, who picks the tool, defenders can meet a wide array of EDR killers behind a single ransomware brand, depending on which affiliate carried out the intrusion, and that tooling diversity makes a consistent defence harder. Some affiliates rely on basic command scripts or on rebooting the system into Windows Safe Mode, where many security services are not loaded; more sophisticated ones weaponize legitimate anti-rootkit programs, such as GMER and PC Hunter, to terminate active security processes. The Cybersecurity and Infrastructure Security Agency (CISA) has also reported an increase in the use of PowerShell scripts to execute these EDR killers, further complicating detection.
Signs of Infection
The most common method is still Bring Your Own Vulnerable Driver. A growing number of EDR killers, however, do not need a driver at all: they use built-in administrative mechanisms to cut off EDR communication or to suspend the sensor's processes. EDRSilencer, for example, adds Windows Filtering Platform rules that block the sensor's network traffic to its security backend, and EDR-Freeze abuses the Windows Error Reporting component WerFaultSecure.exe to leave the sensor process suspended. Neither loads code into the kernel, so a driver blocklist never triggers and the sensor appears to be running while it does nothing, which makes these tools much harder for defenders to notice. Researchers have also noted that the latest EDR killers exploit vulnerabilities in legitimate software to obtain the higher privileges they need, further increasing their effectiveness.
How to Protect Yourself
Defending against these threats requires monitoring the stages at which an EDR killer is deployed, above all privilege escalation and driver installation. Blocking known vulnerable drivers is necessary but not sufficient, because driverless killers never load one. Organizations also need controls and detections that catch the tampering itself, such as new drivers loaded from user-writable paths, Windows Filtering Platform rules aimed at the sensor, boot configuration changes that select Safe Mode, and processes that suspend or terminate security services, so that an EDR killer is disrupted before the encryptor runs.
As ransomware continues to adapt, defenders must prioritize resources and design detection strategies that account for the interactive, human-driven nature of these operations. The commercialization of EDR killers, including their sale as a service on dark web forums, reinforces the need to shift from identifying specific vulnerable drivers to detecting behavioural signs of security tampering. Machine-learning-based anomaly detection can help surface the unusual process and driver activity that accompanies an EDR killer deployment, but it should complement explicit telemetry checks rather than replace them.
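The following is an added example, not code from the article or from ESET, showing what "detecting behavioural signs of security tampering" looks like in practice for the techniques described in the previous two sections (BYOVD driver loads, EDRSilencer-style network blinding, EDR-Freeze-style process suspension, Safe Mode reboots, anti-rootkit utilities). The event lines, hashes, host names, PIDs, the `EdrSensor.exe` binary name and the key=value layout are all constructed; the layout only loosely mirrors Sysmon driver-load and process-create events and the Windows Security log's WFP filter-change audit (event 5447), and the `WerFaultSecure.exe` arguments are simplified. The GMER and PC Hunter filenames are assumed.

```python
"""Behavioural triage for EDR-killer activity over constructed endpoint events.

Added example, not code from the article or from ESET. The key=value event
format loosely mirrors Sysmon (driver load, process create) and the Windows
Security log (WFP filter change, event 5447); hashes, hosts, PIDs and the
sensor binary name are placeholders.
"""
import re
from dataclasses import dataclass

# Assumption: a blocklist of vulnerable-driver SHA-256 hashes you maintain
# (e.g. from Microsoft's recommended driver block rules). This value is fake.
VULN_DRIVER_SHA256 = {"1" * 64}
# Assumption: placeholder filename of the EDR sensor on this estate.
EDR_PROCESS_IMAGES = {"edrsensor.exe"}
# Legitimate anti-rootkit utilities the article names; filenames are assumed.
ANTI_ROOTKIT_IMAGES = {"gmer.exe", "pchunter64.exe", "pchunter32.exe"}
# A driver loaded from one of these paths is suspicious regardless of hash.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_EVENTS = [  # constructed telemetry, oldest first
    # Baseline: the sensor service starts, then a user runs a harmless command.
    r'ts=2024-05-01T09:58:00Z host=ws01 type=ProcessCreate pid=1200 image="C:\Program Files\EDR\EdrSensor.exe" cmdline="EdrSensor.exe -svc"',
    r'ts=2024-05-01T10:00:01Z host=ws01 type=ProcessCreate pid=4100 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"',
    # BYOVD: a signed but vulnerable driver loaded from a temp directory.
    r'ts=2024-05-01T10:02:13Z host=ws01 type=DriverLoad image="C:\Windows\Temp\vulndrv.sys" signed=true sha256=' + "1" * 64,
    # Driverless: a WFP block filter bound to the sensor binary (EDRSilencer pattern).
    r'ts=2024-05-01T10:03:40Z host=ws02 type=WfpFilterAdd action=Block layer=ALE_AUTH_CONNECT_V4 appid="C:\Program Files\EDR\EdrSensor.exe"',
    # Driverless: WerFaultSecure aimed at the sensor PID (EDR-Freeze pattern; arguments simplified).
    r'ts=2024-05-01T10:05:02Z host=ws01 type=ProcessCreate pid=5210 image="C:\Windows\System32\WerFaultSecure.exe" cmdline="WerFaultSecure.exe /h /pid 1200 /tid 1204"',
    # Low-tech: configuring the next boot into Safe Mode, where the sensor does not start.
    r'ts=2024-05-01T10:06:30Z host=ws03 type=ProcessCreate pid=6020 image="C:\Windows\System32\bcdedit.exe" cmdline="bcdedit /set {default} safeboot minimal"',
    # A legitimate anti-rootkit tool run from a user's download folder.
    r'ts=2024-05-01T10:07:11Z host=ws03 type=ProcessCreate pid=6100 image="C:\Users\jdoe\Downloads\gmer.exe" cmdline="gmer.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


def parse(line: str) -> dict:
    """Split one key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(lines) -> list:
    """Return one Finding per tampering behaviour seen in the event stream."""
    findings = []
    edr_pids = {}  # (host, pid) -> sensor image, learned from ProcessCreate
    for line in lines:
        ev = parse(line)
        kind, host, ts = ev.get("type"), ev.get("host", "?"), ev.get("ts", "?")
        image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
        base = basename(image)
        if kind == "ProcessCreate":
            if base in EDR_PROCESS_IMAGES:
                edr_pids[(host, ev.get("pid"))] = base  # remember the sensor's PID
            elif base == "bcdedit.exe" and "safeboot" in cmd:
                findings.append(Finding("safe_mode_reboot", host, ts, cmd))
            elif base == "werfaultsecure.exe":
                # Only alert when the target PID belongs to the sensor on the same host.
                m = re.search(r"/pid\s+(\d+)", cmd)
                target = edr_pids.get((host, m.group(1))) if m else None
                if target:
                    findings.append(Finding("edr_process_suspension", host, ts,
                                            f"pid {m.group(1)} is {target}"))
            elif base in ANTI_ROOTKIT_IMAGES:
                findings.append(Finding("anti_rootkit_tool", host, ts, image))
        elif kind == "DriverLoad":
            if ev.get("sha256", "").lower() in VULN_DRIVER_SHA256:
                findings.append(Finding("vulnerable_driver_hash", host, ts, image))
            elif image.startswith(USER_WRITABLE_PREFIXES):
                findings.append(Finding("driver_from_writable_path", host, ts, image))
        elif kind == "WfpFilterAdd":
            if ev.get("action") == "Block" and basename(ev.get("appid", "")) in EDR_PROCESS_IMAGES:
                findings.append(Finding("edr_network_blinded", host, ts, ev["appid"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.rule}: {f.detail}")
```

The point of the example is that only the first rule depends on a driver hash; the other four fire on behaviour (a block filter bound to the sensor, a suspension aimed at the sensor's PID, a Safe Mode boot entry, an anti-rootkit tool on a workstation) and would still fire for a killer that never loads a driver. The WerFaultSecure rule deliberately stays quiet unless the target PID is known to be the sensor, since the binary has legitimate crash-reporting uses.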
The evolution of EDR killers signifies a shift in ransomware tactics, necessitating a proactive approach to cybersecurity. Organizations must stay ahead of these threats by continuously updating their defensive measures.