

Ethical Hacking News

Ransomware's Latest Gambit: EDR Killers Allow Gangs to Bypass Endpoint Security



Ransomware gangs have taken a new approach by incorporating kernel-level EDR killers into their malware arsenal, allowing them to bypass even the most advanced endpoint security tools. This shift highlights the evolving nature of ransomware attacks and the need for organizations to adapt their defenses accordingly.

  • Ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, rendering endpoint security tools nearly useless.
  • At least a dozen ransomware gangs use customized versions of RealBlindingEDR to disable endpoint detection and response products.
  • Crypto24's custom version of RealBlindingEDR disables kernel-level hooks from 28 security vendors, including Sophos.
  • Ransomware attackers retrieve security company names from driver metadata and compare them to a hardcoded list to disable EDR products.
  • Other gangs are using updated versions of EDRKillShifter to terminate EDR products on Windows machines.
  • Attackers use legitimate software tools like HRSword to disable endpoint protections, making them less detectable.
  • Experts warn that stopping ransomware attacks requires having controls in place even when endpoint telemetry is disabled or bypassed.



    Ransomware gangs have long been known for their cunning and ruthless tactics when it comes to extorting money from victims. However, in recent times, these groups have taken a new approach that allows them to bypass even the most advanced endpoint security tools, rendering them nearly useless against ransomware attacks.

    According to experts at Sophos, at least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal. These custom-built tools are designed to disable endpoint detection and response products, allowing the attackers to escalate privileges, steal and encrypt data before extorting victims into paying a ransom.

    One of the most recent examples includes the operators of Crypto24, a new-ish ransomware that has been deployed against nearly two dozen companies in the US, Europe, and Asia since April. The miscreants' leak site revealed that these attackers target high-profile companies in financial services, manufacturing, entertainment, and technology. After gaining initial access to victim organizations, one way they evade detection is by using a customized version of RealBlindingEDR.

    RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products. Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors, including Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix.

    These attackers retrieve the security company's name from driver metadata, compare it to the hardcoded list, and if there's a match, they disable callbacks, rendering the EDR products useless. This is not unique to Crypto24, as at least eight other crews are disabling endpoint security defenses before deploying ransomware, according to Sophos.

    These gangs are using updated versions of EDRKillShifter, which was first seen deployed by RansomHub in August 2024. It exploits legitimate but vulnerable drivers on Windows machines to terminate EDR products and was later repurposed by rival gangs like Medusa, BianLian, and Play. Each attack uses a different build of the proprietary tool.

    Moreover, the attackers are using legitimate software tools to disable endpoint protections, such as HRSword, which is a commercial product that has been co-opted for nefarious purposes. Because it's a legitimate product, it's less likely to be detected and blocked by organizations' security products.

    Experts warn that once ransomware operators gain access to a network, they can move laterally across today's cloud-connected network fabric using the largely unmonitored communication paths between VPCs, Kubernetes clusters, and APIs. This means that even if endpoint telemetry is disabled or bypassed, the real danger lies in how these attackers exploit the communication paths within the network.

    Stopping ransomware attacks requires having controls that work even when endpoint telemetry is gone, according to Benson George, a senior principal product marketing manager at Aviatrix. "Most commentary so far has focused on endpoint defenses being bypassed by these new kernel-level EDR killers — but that's only half the story," he said.
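    The kind of control George describes, one that still works after the endpoint agent has been silenced, as an added example that is not part of the original article: a Python check that pairs EDR agent heartbeats with an independent liveness signal (network-flow records here), so a host whose agent goes quiet while the host itself keeps sending traffic is flagged as silenced rather than assumed offline. The feed format, timestamps and host names are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample feed: "<ISO timestamp> <source> <host>" per line.
# edr_heartbeat = the agent checked in; netflow = the host sent traffic.
SAMPLE_LOG = """\
2025-08-14T10:00:00 edr_heartbeat ws-101
2025-08-14T10:00:00 edr_heartbeat ws-102
2025-08-14T10:00:00 edr_heartbeat ws-103
2025-08-14T10:05:00 edr_heartbeat ws-101
2025-08-14T10:05:00 edr_heartbeat ws-102
2025-08-14T10:10:00 edr_heartbeat ws-101
2025-08-14T10:12:00 netflow ws-102
2025-08-14T10:15:00 edr_heartbeat ws-101
2025-08-14T10:20:00 edr_heartbeat ws-101
2025-08-14T10:20:00 netflow ws-102
2025-08-14T10:25:00 edr_heartbeat ws-101
2025-08-14T10:25:00 netflow ws-101
2025-08-14T10:25:00 netflow ws-102
"""


def last_seen(log):
    """Return (last_heartbeat, last_traffic) dicts keyed by host."""
    heartbeat, traffic = {}, {}
    for line in log.splitlines():
        ts, source, host = line.split()
        when = datetime.fromisoformat(ts)
        table = heartbeat if source == "edr_heartbeat" else traffic
        if host not in table or when > table[host]:
            table[host] = when
    return heartbeat, traffic


def silenced_hosts(log, now_iso, gap_minutes=10):
    """Hosts whose agent has been quiet for longer than gap_minutes while
    the host kept sending traffic after its last heartbeat. A host with
    no traffic either is treated as offline, not silenced."""
    now = datetime.fromisoformat(now_iso)
    gap = timedelta(minutes=gap_minutes)
    heartbeat, traffic = last_seen(log)
    flagged = []
    for host, hb in heartbeat.items():
        seen = traffic.get(host)
        if now - hb > gap and seen is not None and seen > hb:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(silenced_hosts(SAMPLE_LOG, "2025-08-14T10:30:00"))  # ['ws-102']
```

    In the sample, ws-102 stops checking in at 10:05 but keeps producing traffic, so it is flagged; ws-103 goes dark on both feeds and is treated as offline.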

    In an earlier interview, Kendall McKay, strategic lead at Cisco Talos, told The Register that Talos' incident responders came across a commercial software tool called HRSword in a couple of different ransomware infections they were called in to investigate. "Threat actors are co-opting it for their own purposes," McKay said.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomwares-Latest-Gambit-EDR-Killers-Allow-Gangs-to-Bypass-Endpoint-Security-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/14/edr_killers_ransomware/


  • Published: Thu Aug 14 17:53:29 2025 by llama3.2 3B Q4_K_M












