Malware & Ransomware · HIGH

Malware - EDR Killers Become Standard in Ransomware Attacks


Basically, ransomware hackers use special tools to turn off security software before locking files.

Quick Summary

Ransomware attackers are now using EDR killers to disable security software before encrypting files. This trend affects many organizations and highlights the need for improved defenses. As ransomware tactics evolve, proactive monitoring and robust controls are essential to protect against these threats.

What Happened

Ransomware attacks have evolved, with attackers now routinely deploying EDR killers to disable endpoint detection and response (EDR) software. This tactic allows them to launch their encryptors with minimal resistance. According to ESET Research, nearly 90 different EDR killers are actively being used in the wild. The typical workflow for these attacks involves gaining high privileges, deploying an EDR killer, and then executing the encryptor. This method provides a brief window for attackers to encrypt files without needing to constantly modify their payloads to evade detection.

Who's Being Targeted

In the world of ransomware-as-a-service, the division of labor is crucial. Operators provide the encryptor, while affiliates select the EDR killers. This leads to a greater diversity of EDR killers being used across different attacks: defenders can face a wide array of EDR killers from a single ransomware brand, depending on which affiliate carried out the intrusion. This variety makes it harder for organizations to defend against such attacks with signature-based blocking alone.

Signs of Infection

The most common method employed by attackers is the Bring Your Own Vulnerable Driver (BYOVD) technique. This involves dropping a legitimate but vulnerable driver onto a victim's machine and exploiting it to gain kernel-level access, from which security software can be tampered with. However, a growing number of EDR killers avoid the need for a vulnerable driver entirely, using built-in administrative tools to disrupt EDR communication or suspend EDR processes. Some of these tools even show signs of AI-assisted development, complicating the threat landscape further.

How to Protect Yourself

To effectively defend against these evolving threats, organizations must implement proactive monitoring strategies. It's essential to focus on the stages of privilege escalation and driver installation, as these are critical points where EDR killers can be deployed. Blocking vulnerable drivers is a necessary step, but it is not sufficient on its own. Organizations need comprehensive controls to disrupt EDR killers before they can load, ensuring a more robust defense against ransomware intrusions.

As ransomware continues to adapt and evolve, defenders must prioritize resources and design detection strategies that account for the interactive and human-driven nature of these operations.
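The following is an added example, not code from the Help Net Security article, ESET Research or any EDR vendor. It implements the defensive advice above as detection logic over constructed log lines: it flags kernel drivers that match a hash blocklist or are installed or loaded from outside the system driver directory, and it correlates the workflow the article describes (a logon granted sensitive privileges, then a suspicious driver install or load, then EDR processes stopping shortly after) into a single chain alert. The event IDs are the real Windows and Sysmon ones (4672 special privileges assigned, 7045 service installed, Sysmon 6 driver loaded, Sysmon 5 process terminated); every log line, hash placeholder, the ExampleEDR install path, the privilege list and the 10-minute window are constructed assumptions.

```python
"""Detection logic for the EDR-killer workflow: privileged session ->
kernel driver installed/loaded -> EDR processes stop.
Added example; not code from Help Net Security, ESET or any EDR vendor.
Event IDs are the real Windows/Sysmon ones (4672, 7045, Sysmon 6, Sysmon 5);
every log line, hash, path and threshold below is a constructed assumption."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholders. A real deployment would feed in a maintained
# vulnerable-driver blocklist and the actual EDR install directory.
BLOCKED_DRIVER_HASHES = {"SHA256=PLACEHOLDER_HASH_1"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
EDR_IMAGE_PREFIXES = ("c:\\program files\\exampleedr\\",)
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}
CHAIN_WINDOW = timedelta(minutes=10)  # assumed maximum gap between chain stages

# Constructed telemetry: "<timestamp> Key=Value Key=Value ..." per line.
SAMPLE_LOG = r"""
2024-05-01T10:00:02 EventID=4672 SubjectUserName=svc-backup PrivilegeList=SeDebugPrivilege,SeLoadDriverPrivilege
2024-05-01T10:00:40 EventID=7045 ServiceName=UpdSvc ImagePath=C:\Users\Public\upd.sys ServiceType=kernel mode driver StartType=demand start
2024-05-01T10:00:41 EventID=6 ImageLoaded=C:\Users\Public\upd.sys Hashes=SHA256=PLACEHOLDER_HASH_1 Signed=true SignatureStatus=Valid
2024-05-01T10:00:55 EventID=5 Image=C:\Program Files\ExampleEDR\edr_agent.exe
2024-05-01T10:01:10 EventID=5 Image=C:\Program Files\ExampleEDR\edr_sensor.exe
2024-05-02T09:00:00 EventID=6 ImageLoaded=C:\Windows\System32\drivers\netio.sys Hashes=SHA256=PLACEHOLDER_HASH_OK Signed=true SignatureStatus=Valid
"""

# Key=Value pairs; the lookahead lets values contain spaces ("kernel mode driver").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Event:
    ts: datetime
    fields: dict


def parse_line(line):
    ts_text, _, rest = line.strip().partition(" ")
    return Event(datetime.fromisoformat(ts_text), dict(FIELD_RE.findall(rest)))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def driver_path(ev):
    """Path of a kernel driver being installed (7045) or loaded (Sysmon 6), else None."""
    f = ev.fields
    if f.get("EventID") == "6":
        return f.get("ImageLoaded", "")
    if f.get("EventID") == "7045" and f.get("ServiceType", "").lower() == "kernel mode driver":
        return f.get("ImagePath", "")
    return None


def driver_findings(ev):
    """Per-event driver checks: blocklisted hash, or driver outside the system driver
    directory. The path heuristic still fires for a driver the blocklist has never seen."""
    path = driver_path(ev)
    if path is None:
        return []
    findings = []
    if ev.fields.get("Hashes", "") in BLOCKED_DRIVER_HASHES:
        findings.append("blocklisted_driver_hash")
    if not path.lower().startswith(TRUSTED_DRIVER_DIR):
        findings.append("driver_outside_system_dir")
    return findings


def is_privileged_logon(ev):
    granted = set(ev.fields.get("PrivilegeList", "").split(","))
    return ev.fields.get("EventID") == "4672" and bool(granted & SENSITIVE_PRIVILEGES)


def is_edr_termination(ev):
    image = ev.fields.get("Image", "").lower()
    return ev.fields.get("EventID") == "5" and image.startswith(EDR_IMAGE_PREFIXES)


def detect(events):
    """Return (timestamp, alert_name, detail) tuples: one per suspicious driver finding,
    plus 'edr_killer_chain' when an EDR process stops within CHAIN_WINDOW of a suspicious
    driver event that itself followed a privileged logon within CHAIN_WINDOW."""
    alerts = []
    priv_ts = driver_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        findings = driver_findings(ev)
        for name in findings:
            alerts.append((ev.ts, name, driver_path(ev)))
        if is_privileged_logon(ev):
            priv_ts = ev.ts
        elif findings and priv_ts is not None and ev.ts - priv_ts <= CHAIN_WINDOW:
            driver_ts = ev.ts
        elif is_edr_termination(ev) and driver_ts is not None and ev.ts - driver_ts <= CHAIN_WINDOW:
            alerts.append((ev.ts, "edr_killer_chain", ev.fields["Image"]))
    return alerts


if __name__ == "__main__":
    for ts, name, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {name:<26} {detail}")
```

Run against the constructed log, the 7045 service install is flagged by the path heuristic alone (it carries no hash, so a blocklist would miss it), the driver load is flagged by both checks, and each EDR process termination that follows produces a chain alert, while the next day's in-tree driver load produces nothing. That mirrors the article's point that blocking known vulnerable drivers is necessary but not sufficient: the sequence of privilege grant, driver activity and EDR disruption is the signal that survives an affiliate swapping in a driver nobody has listed yet.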

🔒 Pro insight: The rise of EDR killers necessitates a shift in defensive strategies, focusing on early detection of privilege escalation and driver installations.

Original article from Help Net Security · Anamarija Pogorelec

