RansomHub strikes with deadly EDR-killing malware on the loose

August 19, 2024




Article Summary

TLDR: RansomHub-linked EDR-Killing Malware Summary

– Sophos has identified a tool named EDRkillShifter that disables endpoint detection and response (EDR) software by loading a legitimately signed but known-vulnerable Windows driver, the bring-your-own-vulnerable-driver (BYOVD) technique.
– The tool does not carry the ransomware itself; it clears the way for a RansomHub ransomware deployment by blinding the endpoint's defences first.
– Sophos analysts found it while investigating a failed attack. It exploits publicly known driver vulnerabilities to terminate EDR processes before the victim's machine is encrypted and ransomed.

Key Points of the Article:

Malware that kills endpoint detection and response (EDR) software has been spotted in the wild. Known as EDRkillShifter, it loads a legitimately signed but known-vulnerable driver onto the Windows host and abuses that driver's flaw from kernel mode to terminate the EDR's processes; with the endpoint blinded, the operators then deploy ransomware. Because the driver carries a valid signature, the operating system loads it without complaint, which is what makes the technique effective. The tool needs administrative privileges to run, so it is a post-compromise step rather than an initial foothold, but its link to RansomHub, a prolific ransomware-as-a-service operation, makes it a serious threat.
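The pattern described above leaves a footprint defenders can look for: a kernel driver load (Sysmon Event ID 6) where the file is validly signed yet matches a list of known-abusable drivers, or arrives from a user-writable directory rather than the system driver store. The following is an added example written for this page, not code from Sophos or the article; the Sysmon records, file names and hash values are constructed placeholders, and the vulnerable-hash set is a stand-in for a maintained feed such as the public LOLDrivers list.

```python
"""Flag suspicious kernel-driver loads of the kind a BYOVD EDR killer relies on.

Added example, not from the article or from Sophos. Input is a constructed set of
Sysmon Event ID 6 (Driver loaded) records; hashes and file names are placeholders.
"""
from __future__ import annotations

# Placeholder hash set. In a real deployment, populate this from a maintained list of
# known-abusable signed drivers (for example the public LOLDrivers feed). The value
# below is invented for the example and matches nothing real.
KNOWN_VULNERABLE_SHA256 = {
    "a" * 64,
}

# Directories a driver is normally loaded from on a stock Windows install.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 records (field names as Sysmon emits them).
SAMPLE_DRIVER_LOADS = [
    {
        "UtcTime": "2024-08-01 09:58:12.101",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
        "Hashes": "SHA256=" + "0" * 64,
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {
        # validly signed third-party driver dropped to a user-writable path and
        # matching the placeholder vulnerable-hash list: the BYOVD pattern
        "UtcTime": "2024-08-01 10:03:44.870",
        "ImageLoaded": "C:\\Users\\Public\\Music\\vuln.sys",
        "Hashes": "SHA1=" + "b" * 40 + ",SHA256=" + "a" * 64,
        "Signed": "true",
        "Signature": "Example Hardware Vendor Ltd",
        "SignatureStatus": "Valid",
    },
    {
        "UtcTime": "2024-08-01 10:05:01.002",
        "ImageLoaded": "C:\\ProgramData\\tmp\\helper.sys",
        "Hashes": "SHA256=" + "c" * 64,
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]


def parse_hashes(field: str) -> dict[str, str]:
    """Turn Sysmon's 'SHA1=...,SHA256=...' string into a dict keyed by algorithm."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons (possibly none) this driver load deserves an alert."""
    reasons: list[str] = []
    path = event.get("ImageLoaded", "")
    hashes = parse_hashes(event.get("Hashes", ""))

    # A valid signature is not a clean bill of health: BYOVD abuses drivers that
    # are signed and vulnerable, so the hash match is the decisive check.
    if hashes.get("SHA256") in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash is on the known-vulnerable driver list")

    if not path.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")

    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")

    return reasons


def scan_driver_loads(events: list[dict]) -> list[dict]:
    """Run the assessment over a batch of records and keep only the hits."""
    alerts = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            alerts.append({"UtcTime": ev["UtcTime"],
                           "ImageLoaded": ev["ImageLoaded"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_driver_loads(SAMPLE_DRIVER_LOADS):
        print(alert["UtcTime"], alert["ImageLoaded"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The ntfs.sys load passes silently, while the two constructed drops are flagged. Detection of this kind fires after the driver is already in the kernel, so it complements, rather than replaces, the preventive controls: a driver blocklist that refuses the load, and EDR tamper protection that survives an attempt to kill the agent.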

Sophos researchers recommend strong hygiene around Windows security roles to blunt EDRkillShifter: keep everyday user accounts separate from administrator accounts, so that a compromised user session does not hand the attacker the privileges the tool needs; enable tamper protection on the EDR product, so its services and settings cannot be switched off even by an administrator; and keep the operating system and its drivers up to date, since Microsoft uses updates to de-certify and block drivers known to have been abused.

Separately, organizations running NetSuite SuiteCommerce or SiteBuilder should review how their sites are configured, in particular which custom record types can be read without authentication, because misconfigured externally facing NetSuite sites have been found to expose customer personally identifiable information (PII).

In addition to EDRkillShifter, critical vulnerabilities in SolarWinds and data breaches in industries like gold mining, healthcare, and education highlight the ongoing threat landscape. ReliaQuest’s report on the top five malware variants in Q2 2024 emphasizes the need for organizations to strengthen their security systems against evolving threats.

