Recent reports have highlighted RansomHub’s use of the EDR Kill Shifter, a tool specifically designed to disable or bypass Endpoint Detection and Response (EDR) solutions during ransomware attacks.
What is the EDR Kill Shifter?
EDR Kill Shifter targets EDR solutions on a compromised system. It is designed to manipulate or terminate EDR processes, so that attackers can move laterally within the network and execute ransomware payloads without detection or automated responses.
EDR Kill Shifter operates on two levels:
- Process Manipulation: The tool blocks core EDR processes by killing or moving them to a state without detection capabilities.
- Endpoint Persistence: When EDR is disabled, an attacker has persistent access to the endpoint and can deploy ransomware or start data exfiltration.
This enables attackers to maximize dwell time, deploy ransomware, and exfiltrate sensitive data undetected in RansomHub attacks.
Cybercrime and EDR Killers
EDR killers have been developed and sold on cybercrime forums for multiple years, but the pricing for these types of tools can range from thousands to even tens of thousands of dollars. This is primarily due to their specialized nature.
Image: An example of an EDR killer being sold on a cybercrime forum
Consider the advertisement from 2022 mentioned above. It showcases an extensive list of antivirus and EDR solutions that a particular EDR killer tool can disable. However, what’s even more noteworthy is that this tool has been consistently updated and maintained for two years.
Image: An example of SentinelOne and CrowdStrike being killed
You can see that in just February this year, the seller or author updated the tool to include capabilities to kill SentinelOne and CrowdStrike, which are two major EDR providers.
The Limitations of EDR
EDR solutions are intended to identify, isolate, and respond to malicious activities at the endpoint level but are not immune to targeted evasion tactics. Tools like EDR Kill Shifter exploit weaknesses in EDR solutions when deployed in an environment without additional security layers.
Key vulnerabilities in relying solely on EDR include:
- Single Point of Failure: Once an EDR solution is compromised, there are usually no immediate defenses left, leaving the system vulnerable.
- Post-Compromise Detection: EDR systems often detect threats after the initial compromise, meaning attackers may have already moved laterally or escalated privileges.
- Limited Visibility: EDR focuses on endpoint-level activities, lacking visibility into network-level or cloud-based threats that may bypass endpoint defenses.
- Evasion Techniques: For advanced attackers this may include fileless malware, polymorphic malware or EDR killer tools.
- High False Positives: EDR solutions may produce excessive false positives resulting in alert fatigue and possibly ignoring real threats.
- Resource Intensive: EDR solutions need big computational resources, which might impact endpoints performances, especially in resource constrained environments.
- Inconsistent Coverage: EDR is usually restricted to some endpoint types and leaves other devices like mobile or IoT systems vulnerable.
- Delayed Response: EDR can detect malicious activity, but the response is sometimes delayed allowing attackers time to carry out their objectives.
- Absence of Data Exfiltration Prevention: EDR focuses on detection and response but may not prevent data exfiltration during an active attack.
- Limited Automation: EDR solutions often require manual intervention for full remediation, which delays response to an attack if a team is unavailable or overwhelmed.
The Importance of ADX
BlackFog delivers a comprehensive cybersecurity solution designed to prevent these threats from succeeding, even when EDR is bypassed.
Our unique anti data exfiltration (ADX) technology acts as the final safeguard, blocking data from being transferred out of your network—whether attackers are deploying ransomware, spyware, or trying to leak sensitive information.
BlackFog proactively defends against the most advanced attack techniques, automatically blocking threats 24/7 and without the need for human intervention.
Our platform continuously monitors network behavior in real time, detecting suspicious activity like unauthorized attempts to contact command-and-control (C2) servers or export sensitive data.
Learn more about how BlackFog protects businesses from ransomware attacks and other cyberthreats.
Related Posts
Everything That You Need to Know About the Dark Web and Cybercrime
Learn about the dark web, including who uses it, how it operates, and what tools cybercriminals obtain on it. Find out how BlackFog monitors networks, forums, and ransomware leak sites in order to stay ahead of new threats.
Ongoing: New Ransomware Gangs in 2024
Ransomware gangs continue to break records and BlackFog will track all new ransomware gangs in 2024.
BlackFog unveils AI based anti data exfiltration (ADX) platform for ransomware and data loss prevention
BlackFog unveils the latest version of its AI based anti data exfiltration (ADX) platform for even more powerful ransomware and data loss prevention. Version 5 introduces new features including air gap protection, real-time geofencing, and baseline activity monitoring to ensure the highest level of cybersecurity protection.
EDR Kill Shifter: Why a Layered Cybersecurity Approach is Required
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The Rise of Ransomware-as-a-Service and Decline of Custom Tool Development
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.