Malware & Ransomware · HIGH

Ransomware - EDR Killer Tactics Expand Beyond Drivers

Cyber Security News
Tags: Ransomware, EDR Killers, BYOVD, AbyssKiller, CardSpaceKiller

In short: ransomware affiliates are finding new ways to disable endpoint security software before they run their encryptors.

Quick Summary

Ransomware actors are evolving their tactics, moving beyond the exploitation of vulnerable drivers as the way to disable endpoint security. Because the security agent is silenced before encryption starts, organizations need detections that fire on the attempt to disable the agent, not only on the encryptor itself.

What Happened

Ransomware attackers are shifting how they defeat endpoint security. For years, Bring Your Own Vulnerable Driver (BYOVD), in which a legitimately signed but exploitable driver is loaded to gain kernel-level control, was the primary tactic used to disable security tools. That is no longer the whole picture: attackers now deploy a variety of methods, including script-based tools and legitimate anti-rootkit software, to silence security products before launching their attacks. The change reflects an operational priority: ransomware affiliates need a reliable window in which to run their encryptors without interruption.

Making an encryptor invisible to security software is hard; outright disabling the protection is easier, and attackers have chosen the latter. The result is the rise of EDR killers, tools built specifically to disable endpoint detection and response software. The research shows this trend accelerating across both large and small ransomware groups, with nearly 90 EDR killers identified in active use.

Who's Being Targeted

The shift to more capable EDR killer tooling poses significant risks for organizations of all sizes. Groups including Akira, Medusa, Qilin, RansomHouse, and DragonForce have been observed using commercial EDR killers bought on underground markets. For instance, AbyssKiller, which pairs the ABYSSWORKER rootkit with a HeartCrypt-packed loader, is now prevalent in the wild, and CardSpaceKiller turns up in attacks by multiple ransomware gangs, showing how widely these tools have been adopted.

The practical impact is that organizations face attacks in which their security tools are rendered ineffective before the encryption process even begins, so the alerts they rely on never fire. This evolution highlights the growing professionalization of ransomware operations and the need for defenses that do not depend on a single endpoint agent staying alive.

Tactics & Techniques

EDR killers have become the primary vehicle for defense evasion in ransomware operations. Attackers concentrate their technical effort on these tools rather than on the encryptors themselves, because disrupting security software is simpler and more reliable than producing an undetectable payload. This division of labor has produced a market for capable EDR killers that are accessible even to less skilled affiliates.

Common techniques include shipping the component that loads the vulnerable driver separately from the killer itself, so the operator can confirm the driver loaded successfully before running the killer. Tools are often packed with products such as VX Crypt and HeartCrypt to obfuscate their code and evade detection, and some add control-flow flattening and string obfuscation to complicate analysis.

Defensive Measures

Organizations must adapt their security strategies to counter these evolving threats. Blocking known vulnerable drivers is a necessary first step, but it is not sufficient on its own, since some of the tools described here silence security products without loading a driver at all. Security teams should enable Microsoft's vulnerable driver blocklist (enforced when memory integrity/HVCI is on), alert on kernel-driver service installations and driver-load events, particularly for drivers loaded from user-writable paths, and keep their own blocklist of known vulnerable drivers current. A layered detection strategy through a managed detection and response provider or an internal security operations center is essential, as is turning on whatever tamper protection the EDR product offers.
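One way to act on the driver-monitoring advice above is to triage driver-load and driver-service-install telemetry against a blocklist and a few path and signature checks. The following is an added example written for this write-up, not code from the original article or from any vendor: the Sysmon Event ID 6 and System Event ID 7045 records are constructed, and the SHA-256 values in the blocklist are placeholders rather than hashes of any real driver. A real deployment would feed exported event data and a real vulnerable-driver blocklist (Microsoft's or a community list) into the same functions.

```python
"""Triage kernel-driver load and install events for BYOVD-style activity.

Added example, not code from the original article or any vendor. The
Sysmon EID 6 and System EID 7045 records below are constructed, and the
blocklist SHA-256 values are placeholders, not hashes of real drivers.
"""
import re

# Constructed blocklist: placeholder hashes mapped to a label for the alert.
VULNERABLE_DRIVER_SHA256 = {
    "1" * 64: "constructed vulnerable driver A",
    "2" * 64: "constructed vulnerable driver B",
}

# Locations a legitimate kernel driver should never be loaded from.
WRITABLE_PATHS = [
    re.compile(r"^[a-z]:\\users\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
]
TRUSTED_DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)


def parse_hashes(field: str) -> dict:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...,IMPHASH=...'."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> list:
    """Reasons a Sysmon EID 6 (Driver loaded) record is suspicious; [] if benign."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("blocklisted driver: " + VULNERABLE_DRIVER_SHA256[sha256])
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status is " + event.get("SignatureStatus", "<missing>"))
    if any(p.search(image) for p in WRITABLE_PATHS):
        reasons.append("loaded from user-writable path: " + image)
    return reasons


def assess_service_install(event: dict) -> list:
    """Reasons a System EID 7045 (service installed) record is suspicious."""
    reasons = []
    if "kernel mode driver" not in event.get("ServiceType", "").lower():
        return reasons  # only kernel drivers matter for BYOVD
    path = event.get("ImagePath", "").strip('"')
    path = re.sub(r"^\\\?\?\\", "", path)  # strip the \??\ NT prefix
    if not TRUSTED_DRIVER_DIR.search(path):
        reasons.append("kernel driver service outside System32\\drivers: " + path)
    return reasons


def triage(events: list) -> list:
    """Return (EventID, path, reasons) for every event that raised a reason."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6:
            reasons, path = assess_driver_load(ev), ev.get("ImageLoaded", "")
        elif eid == 7045:
            reasons, path = assess_service_install(ev), ev.get("ImagePath", "")
        else:
            continue
        if reasons:
            findings.append((eid, path, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "upd_svc", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\upd.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\upd.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "b" * 32, "Signed": "true",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\tmp\killer.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for eid, path, reasons in triage(SAMPLE_EVENTS):
        print(f"[EID {eid}] {path}\n    " + "\n    ".join(reasons))
```

The second sample illustrates the point the article makes about a blocklist not being enough on its own: the BYOVD driver carries a valid signature, so only the hash match and the user-writable load path give it away. The 7045 check catches the service registration that precedes the load, which is the earlier of the two signals and fires even when the hash is not yet on any list.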

Every technique described here needs local administrator or SYSTEM rights on the endpoint, whether to load a driver or to stop a protected service, so restricting high-privilege access and segmenting the network shrink the window in which an affiliate can deploy these tools. Strong endpoint telemetry, forwarded off the host before it can be tampered with, keeps visibility even when one layer of protection is compromised. By staying informed and proactive, organizations can better defend against the growing threat of sophisticated ransomware attacks.

🔒 Pro insight: The rise of EDR killers means the encryptor is no longer the first thing to watch for. The attempt to blind the endpoint agent comes first, and detecting that attempt before it succeeds is where defenders get their best warning.

Original article from

Cyber Security News · Tushar Subhra Dutta


Related Pings

Malware & Ransomware · HIGH

Interlock Ransomware - Targets Cisco Enterprise Firewalls

Interlock Ransomware is exploiting a critical flaw in Cisco firewalls, putting many enterprises at risk. This attack highlights the urgent need for enhanced cybersecurity measures. Organizations must act quickly to protect their data and systems.

Source: Dark Reading

Malware & Ransomware · HIGH

Malware Alert - DarkSword Exploits iOS, Interlock Targets Cisco

A new iOS exploit called DarkSword is stealing personal data from iPhones. Meanwhile, the Interlock ransomware group is exploiting a critical Cisco vulnerability. Both threats pose significant risks to users and enterprises, highlighting the need for immediate action.

Source: SentinelOne Labs

Malware & Ransomware · HIGH

Malware - Fake Job Offers Spread via Google Forms

A new malware campaign is using fake job offers on Google Forms to spread PureHVNC RAT. This poses a significant risk to unsuspecting job seekers. Stay vigilant and verify sources before downloading files.

Source: Malwarebytes Labs

Malware & Ransomware · HIGH

Malware Alert - Google Implements 24-Hour Wait for Sideloading

Google has introduced a 24-hour wait for sideloading unverified apps to combat rising malware threats. This change is crucial for Android users' safety. Developers express concerns about barriers to entry amid these security measures.

Source: The Hacker News

Malware & Ransomware · HIGH

LeakNet Ransomware - What You Need to Know Now

LeakNet, a ransomware gang posing as journalists, is using fake CAPTCHA pages to trick employees into compromising their security. Organizations need to be aware of this tactic to protect sensitive data.

Source: Graham Cluley

Malware & Ransomware · HIGH

Speagle Malware - Hijacks Cobra DocGuard to Steal Data

A new malware named Speagle is targeting Cobra DocGuard, stealing sensitive data through compromised servers. Organizations using this software are at high risk. Immediate action is needed to secure systems and prevent data theft.

Source: Cyber Security News