Ransomware Gangs Expand Use of EDR Killers
In recent developments, ransomware gangs have significantly broadened their utilization of Endpoint Detection and Response (EDR) killers, moving beyond merely exploiting vulnerable drivers to incorporate a wide array of scripts, anti-rootkits, and innovative driverless techniques. This dramatic shift reflects the gangs’ adaptive strategies in the face of evolving cybersecurity defenses.
A comprehensive study, underpinned by telemetry data, reveals that nearly 90 distinct EDR killers are in active use across various cybercriminal operations. This alarming finding highlights a pressing concern, as these EDR killers have now become a fundamental and expected component in the contemporary landscape of ransomware operations.
Typically, in a ransomware attack, the initial step involves the attackers gaining elevated privileges within the target system. Following this, they deploy an EDR killer designed to blind or incapacitate the endpoint defenses before they proceed to initiate the ransomware encryptor. This sequence exemplifies a calculated and systematic approach, ensuring that the ransomware can carry out its malicious functions with minimal resistance.
The study categorizes nearly 90 active EDR killers, with a notable emphasis on the popularized BYOVD (Bring Your Own Vulnerable Driver) strategy. This method sees attackers utilizing legitimate yet vulnerable kernel drivers to disable protected processes or deactivate security callbacks. Interestingly, this study from ESET emphasizes that the selection of which EDR killer to deploy is typically made by affiliates rather than the primary ransomware operators. This division of labor results in a broader diversity of tools, as larger affiliate networks naturally produce an increased variety of EDR killers.
ESET has noted that these affiliates prefer using existing EDR killers, as modifying and re-engineering encryptors to evade detection is often a time-consuming task. This deliberate focus on leveraging established EDR killers simplifies the attacker’s workflow, allowing them to disrupt endpoint defenses rapidly.
Furthermore, ESET’s mapping of the cyber threat landscape has uncovered that attackers are increasingly leveraging legitimate anti-rootkit utilities like GMER, HRSword, and PC Hunter to terminate security processes. These tools can effectively utilize their own high-privilege drivers and graphical user interfaces (GUIs) to launch attacks against endpoint security measures.
In addition to existing methods, a new class of driverless EDR killers is emerging, incorporating tools like EDRSilencer and EDR-Freeze. These innovative approaches aim to obstruct EDR communications or freeze agents without the need to interact directly with the kernel, making them particularly attractive to ransomware actors. Such techniques are often more challenging to detect with traditional driver-focused defense mechanisms and have been adopted by cybercriminals within days following their public release.
ESET also cautions that an over-focus on driver-centric analysis may lead to misleading attribution. The same vulnerable driver can appear in disparate tools, and specific EDR killers can evolve across different drivers over time. For instance, drivers like BdApiUtil.sys and TfSysMon.sys have been repurposed across various codebases, including dead-av, TfSysMon-Killer, DLKiller, Susanoo, and EDRKillShifter, despite having different development histories.
The commercialization of EDR killers further complicates the cybersecurity landscape. EDR killers such as DemoKiller and AbyssKiller have been identified as being sold or rented to multiple gangs, including notorious groups like Qilin, Akira, and DragonForce. The proliferation of "packer-as-a-service" offerings, like VX Crypt, adds another layer of complexity, providing enhanced obfuscation and anti-analysis features that pose significant challenges for defenders.
In a noteworthy revelation, ESET's intelligence points to signs of AI-assisted development in the creation of some recent EDR killers. While developing forensic markers to confirm AI use remains a challenge, researchers have identified tools linked with Warlock that exhibit behaviors indicative of AI-assisted development, such as generating lists of potential fixes and methodically cycling through common device names to identify vulnerabilities.
Consequently, relying exclusively on defense at the driver layer is no longer sufficient. ESET stresses that blocking known vulnerable drivers is a delayed response in the kill chain. By the time a driver load is impeded, attackers may have already secured elevated privileges and can swiftly switch tactics. This underscores the need for a prevention-first, multi-layered defense strategy aimed at detecting and disrupting EDR killers before they can be deployed.
ESET advocates for hardening against BYOVD attacks, maintaining vigilance against anti-rootkit misuse, and employing telemetry-driven efforts to identify instances of driverless disruption attempts. The complexities of enforcing driver signing, coupled with the widespread abuse of various drivers, complicate broad blocking strategies and render timely detections critical.
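One telemetry-driven check of the kind described above, written here as an added illustration and not taken from ESET's report or any product: it scans driver-load records (constructed here in a flattened Sysmon Event ID 6 layout) and flags a load when the file name matches the two drivers the article names as repurposed across EDR-killer codebases, when the driver is not validly signed, or when the image sits in a user-writable directory. The log format, the field names as flattened here, the `USER_WRITABLE` path list and all sample paths and vendors are assumptions made for the example.

```python
"""Flag suspicious kernel-driver loads in constructed Sysmon Event ID 6 records.

Sysmon's "Driver loaded" event carries ImageLoaded, Signed, Signature and
SignatureStatus fields; the pipe-separated single-line layout used below is a
constructed flattening for this example, not Sysmon's native XML.
"""
import re

# Driver file names the article reports as repurposed across several EDR-killer
# codebases. A name list is the weakest of the three signals: a renamed copy
# evades it, which is why hash-based blocklists and behavioural signals matter.
WATCHLIST = {"bdapiutil.sys", "tfsysmon.sys"}

# Assumption: directories a non-administrator can write to. A kernel driver
# loaded from one of these is unusual in most estates and worth a triage.
USER_WRITABLE = re.compile(r"\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)

# Constructed sample telemetry (paths and vendor strings are made up).
SAMPLE_EVENTS = [
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys"
    " | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "EventID: 6 | ImageLoaded: C:\\ProgramData\\BdApiUtil.sys"
    " | Signed: true | Signature: Constructed Vendor Ltd | SignatureStatus: Valid",
    "EventID: 1 | Image: C:\\Windows\\System32\\svchost.exe | CommandLine: svchost.exe -k netsvcs",
    "EventID: 6 | ImageLoaded: C:\\Windows\\Temp\\svc.sys"
    " | Signed: false | Signature: - | SignatureStatus: Unavailable",
]


def parse_event(line):
    """Split a flattened 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(fields):
    """Return the reasons a driver-load record is suspicious (empty if none)."""
    if fields.get("EventID") != "6":
        return []  # only driver-load events are assessed here
    image = fields.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"watchlisted driver name {name}")
    signed = fields.get("Signed", "").lower() == "true"
    valid = fields.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("driver not validly signed")
    if USER_WRITABLE.search(image):
        reasons.append("driver loaded from user-writable path")
    return reasons


def scan(lines):
    """Return (image_path, reasons) for every record that raised a reason."""
    flagged = []
    for line in lines:
        fields = parse_event(line)
        reasons = assess(fields)
        if reasons:
            flagged.append((fields.get("ImageLoaded", ""), reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(reasons)}")
```

Run against the constructed sample, the Microsoft `ndis.sys` load passes cleanly, the `BdApiUtil.sys` load is flagged on name and path, and the unsigned `svc.sys` load is flagged on signature and path even though its name is on no list. That last case is the point of layering: the path and signature checks still fire for a driver nobody has catalogued yet, whereas the name list, like a driver blocklist, can only ever react to what is already known.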
In a world where human-operated ransomware attacks are becoming increasingly sophisticated, the need for organizations to respond both quickly and decisively at each step of the attack chain has never been more pressing. The evolving tactics of ransomware gangs underscore the need for continuous adaptation in cybersecurity defenses to protect sensitive data and maintain operational integrity.