Full Report
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. [...]
Analysis Summary
# Tool/Technique: New EDR Killer Tool
## Overview
A newly identified collection of tools, utilized by at least eight different ransomware groups, is designed specifically to evade or disable Endpoint Detection and Response (EDR) and antivirus (AV) solutions before malware deployment. The tool appears to be developed from a shared, collaborative framework rather than being a single leaked binary.
## Technical Details
- Type: Tool / Malware Primitive
- Platform: Windows (Inferred, targeting Windows security products)
- Capabilities: Disables or terminates security processes and services associated with common Endpoint Protection Platforms (EPP) and EDR solutions. Uses HeartCrypt packer.
- First Seen: Not stated explicitly; the article implies recent discovery or increased usage, and the date in the linked Sophos IoC file name (06082025-edrkiller-iocs.csv) implies 2025.
## MITRE ATT&CK Mapping
Since the article does not provide specific TTP mappings for the primary function (disabling security software), general mappings for disabling security controls are used:
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1562.007 - Impair Defenses: Disable or Modify System Firewalls (Potential corollary)
- **TA0004 - Privilege Escalation** (Implied, as disabling EDR often requires high privileges)
## Functionality
### Core Capabilities
- **EDR/AV Disabling:** Stops processes and associated services for major security vendors including Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot.
- **Packing:** Utilizes the **HeartCrypt** mechanism for packing binaries across variants.
### Advanced Features
- **Collaborative Development:** Suggests a shared codebase or development methodology used by multiple, seemingly competing, threat actors, indicating a professionalized approach to security evasion development.
- **Variant Diversity:** Variants differ across driver names, targeted AVs, and specific build characteristics, suggesting ongoing modification within the framework.
## Indicators of Compromise
- File Hashes: Available in the linked GitHub repository (sophoslabs/IoCs/blob/master/06082025-edrkiller-iocs.csv).
- File Names: Not explicitly listed in the summary, but variants use different driver names.
- Registry Keys: Not specified.
- Network Indicators: Not specified.
- Behavioral Indicators: Termination of EDR/AV processes and services.
## Associated Threat Actors
- Eight different ransomware groups (unspecified names).
- Implied relationship or shared toolchain with actors using **EDRKillShifter** and **AuKill**.
- Actors previously associated with **AvNeutralizer** (sold by FIN7), who also operate ransomware groups such as BlackBasta, AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. These groups use similar EDR killer tactics, suggesting a connection or influence.
## Detection Methods
- Signature-based detection: Possible via HeartCrypt packer signature or known driver names (which vary).
- Behavioral detection: Monitoring for termination commands targeting security product processes/services.
- YARA rules: Implied availability via the linked IoC repository.
## Mitigation Strategies
- **Defense in Depth:** Ensure EDR/AV products are running with the highest available privileges and monitoring each other where possible.
- **Process Monitoring:** Implement strict monitoring and alerting on any processes attempting to terminate or modify the services of security software.
- **Patching/Hardening:** Address the underlying vulnerabilities that grant the initial access required to deploy this tool.
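The behavioral detection bullet above and the process-monitoring mitigation both come down to the same signal: a security product's process or service stopping on a host, and especially several different vendors' products stopping within a short window. The following Python sketch is an added example, not code from the article or from Sophos. It runs over constructed Windows event-log records shaped like Sysmon Event ID 5 (process terminated) and System log Event IDs 7036/7040 (service stopped / start type changed); the vendor keyword list, the record layout and the sample hosts and timestamps are assumptions made for the example, not a verified inventory of any vendor's service names.

```python
from collections import defaultdict
from dataclasses import dataclass

# Keyword fragments for the vendors named in the summary. These are assumptions
# for the example (a real deployment would use the exact service/image names
# from its own inventory); matching is case-insensitive substring.
VENDOR_KEYWORDS = {
    "Sophos": ["sophos"],
    "Microsoft Defender": ["msmpeng", "windefend", "mssense", "defender"],
    "Kaspersky": ["kaspersky"],
    "Symantec": ["symantec", "ccsvchst"],
    "Trend Micro": ["trend micro", "ntrtscan"],
    "SentinelOne": ["sentinel"],
    "Cylance": ["cylance"],
    "McAfee": ["mcafee", "mcshield"],
    "F-Secure": ["f-secure"],
    "HitmanPro": ["hitmanpro"],
    "Webroot": ["webroot", "wrsa"],
}


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed values below)
    host: str
    source: str      # "sysmon" (Event ID 5) or "system" (Event IDs 7036/7040)
    event_id: int
    subject: str     # process image (Sysmon 5) or service name (7036/7040)
    detail: str = ""  # message text for service events


def match_vendor(name: str):
    """Return the security vendor a process/service name refers to, or None."""
    low = name.lower()
    for vendor, keys in VENDOR_KEYWORDS.items():
        if any(k in low for k in keys):
            return vendor
    return None


def is_stop_event(e: Event) -> bool:
    """True if the record shows something being terminated, stopped or disabled."""
    if e.source == "sysmon" and e.event_id == 5:
        return True
    if e.source == "system" and e.event_id == 7036:
        return "stopped" in e.detail.lower()
    if e.source == "system" and e.event_id == 7040:
        return "disabled" in e.detail.lower()
    return False


def security_stop_events(events):
    """Keep only stop/disable events whose subject is a known security product."""
    hits = []
    for e in events:
        if not is_stop_event(e):
            continue
        vendor = match_vendor(e.subject)
        if vendor is not None:
            hits.append((e, vendor))
    return hits


def correlate(events, window_s=60, min_vendors=2):
    """Alert per host when >= min_vendors distinct security products stop within window_s.

    A single product restarting (e.g. during an update) is common; several
    different vendors' products stopping within a minute is the EDR-killer shape.
    """
    per_host = defaultdict(list)
    for e, vendor in security_stop_events(events):
        per_host[e.host].append((e.ts, vendor, e))
    alerts = []
    for host, items in per_host.items():
        items.sort(key=lambda it: it[0])
        for ts, _, _ in items:
            window = [it for it in items if ts <= it[0] <= ts + window_s]
            vendors = {v for _, v, _ in window}
            if len(vendors) >= min_vendors:
                alerts.append({"host": host, "start": ts,
                               "vendors": sorted(vendors), "count": len(window)})
                break  # one alert per host is enough for the example
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event(1000, "ws01", "system", 7036, "Sophos Endpoint Defense Service",
          "The Sophos Endpoint Defense Service service entered the stopped state."),
    Event(1005, "ws01", "sysmon", 5, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(1010, "ws01", "system", 7040, "Sophos MCS Agent",
          "The start type of the Sophos MCS Agent service was changed from auto start to disabled."),
    Event(1020, "ws01", "system", 7036, "Windows Update",
          "The Windows Update service entered the stopped state."),  # benign, ignored
    Event(5000, "ws02", "system", 7036, "Microsoft Defender Antivirus Service",
          "The Microsoft Defender Antivirus Service service entered the stopped state."),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only `ws01` produces an alert: two vendors' products stop within ten seconds, while `ws02` shows a single Defender service stop that on its own is indistinguishable from routine maintenance. Tuning `min_vendors` down to 1 turns this into the stricter per-event alert that the process-monitoring mitigation describes, at the cost of more noise.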
## Related Tools/Techniques
- **EDRKillShifter** (Discovered by Sophos)
- **AuKill** (Used by Medusa Locker and LockBit)
- **AvNeutralizer** (Previously sold by FIN7 to various ransomware gangs)