Ransomware crews add 'EDR killers' to their arsenal – and some aren't even malware

Crims are disabling security tools early in attacks, Talos says


Antivirus and endpoint security tools are falling short as ransomware crews increasingly deploy "EDR killers" to disable defenses early in the attack – a tactic Cisco Talos observed in most of the 2024 cases it handled. "When ransomware actors attempted to do that, they were successful 48 percent of the time," Kendall McKay, strategic lead at Talos, told The Register. "And not only did we see this very frequently, but we saw ransomware actors attempt to do this very early on in their operations. We're seeing this category of malware, EDR killers, and it's really evolving."

McKay said the infoseccers were seeing the attackers "use several different types of those tools in the same operation." Ransomware crews are increasingly using programs like EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator to either modify or completely disable endpoint detection and response (EDR) products.



The malware has different ways of accomplishing this. EDRKillShifter, for example, first seen deployed by RansomHub in August 2024, exploits legitimate but vulnerable drivers on Windows machines to terminate EDR products. More recently, ESET researchers spotted this custom EDR killer being repurposed by rival gangs like Medusa, BianLian, and Play.

Regardless of the malware used, the goal is typically the same: kill EDR protections, allow the criminals to remain undetected for longer in the compromised networks, and then help them to steal sensitive data and deploy ransomware before being caught and kicked out. Plus, this makes system recovery even more difficult for compromised organizations.

"Especially in the ransomware space, system recovery is such an important part of the remediation process," McKay said. Even if there's no evidence of the digital intruders stealing any data or encrypting files, "if you've seen pre-ransomware activity, short of ransomware deployment on your system, you're probably going to want to do system recovery anyway because you don't know what the extent of the damage is, and you don't know the extent of the files that were accessed." That recovery often means wiping and rebuilding entire networks – assuming you've got solid backups – to make sure intruders are fully evicted and haven't left behind any backdoors for a return visit.

"As this evolving bucket of threats becomes more mainstream ... there's really going to need to be a greater emphasis on monitoring and blocking those known EDR killers from the start," she added.

Not all EDR killers are malware. Talos incident responders came across one legitimate software tool called HRSword in a couple of different ransomware infections that they were called in to investigate.

"It's a legitimate commercial tool, but now threat actors are co-opting it for their own purposes," McKay noted. HRSword is part of a security software suite developed by China-based Huorong Network Technology. It is designed to monitor system activity – including processes, files, registries, and network traffic – as part of endpoint protection.

Like other legitimate tools repurposed by criminals – we're looking at you, Cobalt Strike – HRSword has been abused by ransomware crews to disable endpoint protection systems. Because it's a legitimate product, it's less likely to be detected and blocked by antivirus and security systems that organizations use to protect their computers. In one 2024 case during which Talos responded to a GlobeImposter ransomware infection, the intruders gained admin-level access and executed HRSword to disable the victim's EDR system early on in the attack.

They then deployed a series of other legitimate tools repurposed for remote access and control, allowing them to move through the network and search for sensitive data to steal. After HRSword was deployed, "we also saw Netsupport RAT, Smbexec, Wmiexec, and all these other tools to facilitate lateral movement," McKay said. In another incident tied to a Phobos ransomware attack, the miscreants again started with HRSword.

"We also saw a second tool deployed from the same protection suite HRSword belongs to," McKay said, adding that it was likely used to sideload malicious DLLs. "When we talk about threat actor tooling and other patterns, [they are] wanting to hide in plain sight," McKay said. "Using HRSword is a way to do that because it's a legitimate tool, and it should be occurring legitimately on many systems. With threat actors using that to kick off their operations, it's much more likely to go undetected."

Attackers aren't just outright removing security products to jumpstart ransomware infections, however. In some cases, they modify the victims' defenses, such as adding firewall rules to open remote access into internal systems.

In other cases, Talos observed attackers abusing poorly configured security products, those that companies simply plugged in and started using. "They were going after those out-of-the-box products that had not been configured specifically for that organization," McKay said. "This was perhaps the most concerning for us, because it's such a low-hanging fruit and something that can easily be prevented by organizations."

Often this involved EDR products set to audit-only mode, meaning that the tool would detect malicious activity – but not block it. "And in fact, we repeatedly saw alerts in certain incident response engagements for initial compromise, followed by alerts on suspicious behaviors for privilege escalation, lateral movement, and execution of malicious payload without any of those being blocked or actioned," McKay added.

McKay spoke with The Register ahead of Talos's annual year in review report, set to publish today, and for the third year in a row, LockBit remained the most active ransomware-as-a-service (RaaS) group, based on the threat-hunting team's monitoring of leak sites.
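The three defender-visible patterns the article describes – a vulnerable driver loaded and an EDR process killed shortly afterwards (the EDRKillShifter case above), a firewall rule added to open remote access, and an EDR left in audit-only mode that reports but never blocks – can each be checked from ordinary endpoint telemetry. The following is an added example written for this page; it is not code from Talos, The Register, or any EDR vendor. The log format, the host names, the EDR process names in `EDR_PROCESSES`, and every sample line are constructed assumptions; the correlation window and the port list are choices a defender would tune to their own environment.

```python
"""Added example (not from Talos or The Register): triage constructed endpoint
telemetry for the three defender-visible patterns the article describes."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed EDR agent process names; substitute your product's real binaries.
EDR_PROCESSES = {"edr-agent.exe", "edr-sensor.exe"}
# Drivers loaded from outside this directory are treated as suspicious.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
# Inbound allow rules on these ports expose remote access (RDP, WinRM, SSH).
REMOTE_ACCESS_PORTS = {"3389", "5985", "5986", "22"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample log in an assumed "timestamp host kind key=value ..." format.
SAMPLE_LOG = r"""
2024-06-01T09:00:05 ws-17 edr_alert action=detected severity=high rule=initial_access
2024-06-01T09:02:10 ws-17 driver_load path=C:\Users\Public\tmp\kprocs.sys signer=ExampleVendor
2024-06-01T09:03:42 ws-17 process_terminate target=edr-agent.exe pid=1204
2024-06-01T09:05:00 ws-17 firewall_rule_add name=RemoteHelp dir=in action=allow port=3389
2024-06-01T09:06:00 ws-17 edr_alert action=detected severity=high rule=lateral_movement
2024-06-01T10:00:00 srv-02 driver_load path=C:\Windows\System32\drivers\disk.sys signer=Microsoft
2024-06-01T10:01:00 srv-02 edr_alert action=blocked severity=high rule=credential_dump
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str   # driver_load | process_terminate | firewall_rule_add | edr_alert
    data: dict


def parse_line(line: str) -> Event:
    """Parse one line of the assumed log format into an Event."""
    ts, host, kind, *kvs = line.split()
    return Event(datetime.fromisoformat(ts), host, kind,
                 dict(kv.split("=", 1) for kv in kvs))


def find_edr_kill(events):
    """Untrusted driver load followed within CORRELATION_WINDOW by termination
    of an EDR process on the same host: the vulnerable-driver pattern the
    article attributes to tools like EDRKillShifter."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    findings = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.kind != "driver_load":
                continue
            path = e.data.get("path", "").lower()
            if path.startswith(TRUSTED_DRIVER_DIRS):
                continue
            for later in evs[i + 1:]:
                if later.ts - e.ts > CORRELATION_WINDOW:
                    break
                target = later.data.get("target", "").lower()
                if later.kind == "process_terminate" and target in EDR_PROCESSES:
                    findings.append((host, "edr_kill", f"{path} -> {target}"))
                    break
    return findings


def find_remote_access_rules(events):
    """Newly added inbound allow rules on remote-access ports (the 'adding
    firewall rules to open remote access' case)."""
    return [(e.host, "remote_access_rule", f"{e.data.get('name')} port {e.data['port']}")
            for e in events
            if e.kind == "firewall_rule_add"
            and e.data.get("dir") == "in"
            and e.data.get("action") == "allow"
            and e.data.get("port") in REMOTE_ACCESS_PORTS]


def find_audit_only(events):
    """Hosts whose EDR only ever reported 'detected' and never 'blocked':
    the audit-only misconfiguration Talos saw exploited."""
    actions = {}
    for e in events:
        if e.kind == "edr_alert":
            actions.setdefault(e.host, set()).add(e.data.get("action"))
    return [(h, "audit_only_suspected", "alerts detected but none blocked")
            for h, seen in actions.items() if "detected" in seen and "blocked" not in seen]


def triage(lines):
    """Run all three checks over raw log lines; returns (host, finding, detail) tuples."""
    events = [parse_line(l) for l in lines if l.strip()]
    return find_edr_kill(events) + find_remote_access_rules(events) + find_audit_only(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding, sep="\t")
```

Run against the constructed sample, `triage` flags only `ws-17`: the driver from a user-writable directory followed by the agent kill, the inbound RDP rule, and the fact that every alert on that host was merely detected. `srv-02`, which loaded a driver from the trusted directory and whose EDR actually blocked something, produces nothing. The audit-only check is the cheapest of the three to act on: a host that has raised high-severity alerts without ever blocking one is, per the article, exactly the out-of-the-box configuration attackers go after, and the fix is a policy change rather than a new detection.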

LockBit affiliates accounted for 16 percent of the claimed attacks in 2024. This is in spite of its takedown by law enforcement early last year. "For us, that's pretty remarkable, given how dynamic that space is where you're seeing groups you shut down, or rebrand, or new groups emerge, or law enforcement action being taken," McKay said.

"To see LockBit stay at the top for such a long time really caught our attention this year." The report does note that LockBit's builder was leaked in September 2022, and this likely contributed to the ransomware's dominance. Perhaps unsurprisingly for anyone following the cybercriminal scene, newcomer RansomHub, first seen in February 2024, came in second with 11 percent of posts to leak sites.

"The differentiator really seems to be: does law enforcement release a decryptor as part of the takedown operations? For LockBit, that was not the case," McKay noted, adding that it becomes more like a game of whack-a-mole "if you don't get the decryption tool out there for victims." ®