RansomHub ransomware operators have introduced a new malware, dubbed EDRKillShifter, to cripple security defenses in Bring Your Own Vulnerable Driver (BYOVD) attacks.
Discovered by Sophos in May 2024, the malware exploits a legitimate but vulnerable driver to escalate privileges, disable Endpoint Detection and Response (EDR) tools, and seize control of targeted systems.
“During the incident in May, the threat actors – we estimate with moderate confidence that this tool is being used by multiple attackers – attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer, but the tool failed,” Andreas Klopsch, a threat researcher at Sophos, wrote in the company’s blog.
“They then attempted to run the ransomware executable on the machine they controlled, but that also failed when the endpoint agent’s CryptoGuard feature was triggered.”
How EDRKillShifter Works
EDRKillShifter functions as a “loader” executable, designed to deliver a legitimate yet vulnerable driver—a tactic known as Bring Your Own Vulnerable Driver (BYOVD). Depending on the attacker’s needs, it can deploy various driver payloads.
The execution process involves three key steps:
- The attacker runs EDRKillShifter with a command line that includes a specific password.
- If the correct password is provided, the executable decrypts an embedded resource named BIN and loads it into memory.
- The BIN code then unpacks and executes the final payload, which is written in Go. This payload drops and exploits a vulnerable, legitimate driver to gain elevated privileges and disable EDR protections.
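The chain above ends with a legitimately signed driver being dropped and loaded from a location the attacker controls. The script below is an added defender-side example, not code from the Sophos write-up and not part of EDRKillShifter; it triages Sysmon DriverLoad records (Event ID 6) for that pattern. It assumes Sysmon is logging driver loads and that events have been exported as one JSON object per line using the standard Sysmon field names (ImageLoaded, Hashes, Signed, SignatureStatus). The sample events and the blocklist digests are constructed placeholders, since the article names no specific driver.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style driver loads.

Added example; not from the Sophos report or the malware itself. Assumes
Sysmon JSON-lines export with standard field names. All sample data and the
blocklist digests below are constructed placeholders.
"""
import json

# Constructed placeholder blocklist. In practice populate this from the
# vulnerable-driver hash list your organisation maintains.
BLOCKLISTED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Legitimately installed drivers live under the driver store; a signed driver
# loaded from anywhere else is the BYOVD pattern worth reviewing.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=..,MD5=..' string into {ALGO: lowercase digest}."""
    digests = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            digests[algo.strip().upper()] = digest.strip().lower()
    return digests


def triage_driver_load(event):
    """Return the reasons one DriverLoad event deserves analyst attention."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    digests = parse_hashes(event.get("Hashes", ""))
    if digests.get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("sha256 matches vulnerable-driver blocklist")
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the driver store")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("driver loaded from a user-writable location")
    # BYOVD drivers are validly signed, so this check alone will not catch
    # them; it is kept for ordinary unsigned or tampered drivers.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature failed validation")
    return reasons


def triage_log(lines):
    """Keep Event ID 6 records; return {ImageLoaded: [reasons]} for flagged loads."""
    flagged = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:
            continue
        reasons = triage_driver_load(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


# Constructed sample export: a normal Windows driver, an unrelated image-load
# event, and a validly signed driver loaded from a temp directory.
SAMPLE_LOG = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\Temp\\vulndrv.sys", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001", "Signed": "true", "SignatureStatus": "Valid"}
"""

if __name__ == "__main__":
    for image, reasons in triage_log(SAMPLE_LOG.splitlines()).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The point of the three separate checks is that none of them is sufficient alone: the driver in a BYOVD attack passes signature validation by design, so the load path and a hash blocklist carry most of the signal, and the signature check remains only to catch the more common unsigned or altered driver.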
Mitigations and Advice
Sophos identifies EDRKillShifter as Troj/KillAV-KG and uses behavioral protection rules to block the system calls that enable defense evasion and privilege escalation. Businesses and individuals can further protect against driver abuse with these steps:
- Enable Tamper Protection: Ensure your endpoint security product has tamper protection enabled. This adds a crucial layer of defense against attacks. If you’re using Sophos products, activate tamper protection if it isn’t already turned on.
- Maintain Strong Windows Security Hygiene: This type of attack relies on the attacker gaining elevated privileges or admin rights. Enforcing strict separation between user and admin privileges can make it harder for attackers to load malicious drivers.
- Keep Your System Updated: Microsoft has been rolling out updates that de-certify signed drivers previously exploited in attacks. Regularly updating your system helps protect against these vulnerabilities.