RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

By ZARIMA GROUP, Aug 15, 2024

A group of cybercriminals associated with the RansomHub ransomware has been detected using a new tool specifically designed to disable endpoint detection and response (EDR) software on compromised systems. This tool, known as EDRKill

Discovered by cybersecurity firm Sophos while investigating a failed ransomware attack in May 2024, EDRKillShifter is classified as a “loader” executable: its job is to deliver a legitimate but vulnerable driver onto the system, a technique known as “bring your own vulnerable driver” (BYOVD). According to security researcher Andreas Klopsch, the loader can deploy different driver payloads depending on which driver vulnerability is being abused.

RansomHub, which appeared in February 2024 as a renamed version of Knight ransomware, exploits known security vulnerabilities to obtain threat information.

In a recent update, Microsoft revealed that the cybercrime group Scattered Spider has added ransomware strains such as RansomHub and Qilin to its toolbox.

EDRKillShifter is launched from the command line and requires a password to run. Given the correct password, it decrypts an embedded resource named BIN and executes it in memory. The BIN resource in turn decompresses and executes an obfuscated Go-based payload, which loads one of several vulnerable but legitimately signed drivers to elevate privileges and disable the EDR software.
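One defender-side check the loader chain above suggests, as an added example that is not code from the article or from Sophos, is to triage driver-load telemetry (Sysmon Event ID 6 DriverLoad) for the BYOVD pattern: a driver whose hash is on a vulnerable-driver blocklist, or a driver loaded from a user-writable path, even when its signature is valid. The record fields, sample records and blocklist hash below are constructed placeholders, not real indicators.

```python
"""Flag kernel driver loads that fit the BYOVD pattern (added example).

Records mimic the fields of Sysmon Event ID 6 (DriverLoad). All sample
values and the blocklist entry are constructed placeholders.
"""
import re

# Constructed placeholder. In practice, populate this from a maintained
# vulnerable-driver blocklist such as the one Microsoft ships with Windows.
KNOWN_VULNERABLE_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Drivers normally live under System32\drivers; a load from a temp or user
# directory is what a loader that drops its own driver would produce.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def classify_driver_load(record):
    """Return the reasons a DriverLoad record looks suspicious (empty if none)."""
    reasons = []
    if record["sha256"].lower() in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if USER_WRITABLE.search(record["image"]):
        reasons.append("driver loaded from user-writable path")
    # A BYOVD driver is usually validly signed, so a signature check alone
    # is not enough; it still catches revoked or unsigned loads.
    if record["signature_status"].lower() != "valid":
        reasons.append(f"signature status {record['signature_status']}")
    return reasons


def triage(records):
    """Map each suspicious driver image path to its list of reasons."""
    findings = {}
    for record in records:
        reasons = classify_driver_load(record)
        if reasons:
            findings[record["image"]] = reasons
    return findings


# Constructed sample records in the shape of Sysmon DriverLoad fields.
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\drivers\tcpip.sys",
     "sha256": "ab" * 32, "signature_status": "Valid"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\drv.sys",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000001",
     "signature_status": "Valid"},
    {"image": r"C:\ProgramData\svc\helper.sys",
     "sha256": "cd" * 32, "signature_status": "Revoked"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_RECORDS).items():
        print(image, "->", "; ".join(reasons))
```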

Source: https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html