Stratos Ally

RansomHub Unleashes New EDR-Killing Tool in Aggressive Cyber Campaign


StratosAlly


RansomHub, a multi-layered Eastern European cybercrime syndicate, has upped its game with the release of a new tool designed to neutralize endpoint detection and response (EDR) systems. Cybersecurity researchers at Sophos have named the tool EDRKillShifter, and it represents the next escalation in the contest between attackers and defenders.

RansomHub is believed to be a new incarnation of the Knight ransomware group, which has caused trouble for organizations worldwide. The group's preference for attacking critical infrastructure and high-value companies has placed it under intense scrutiny from the security community. The addition of EDRKillShifter to its toolkit underscores the group's continual effort to sidestep detection and disable security solutions.

EDRKillShifter runs as a 'loader' executable that can load a variety of drivers to serve a number of attack objectives. This makes the tool very flexible, as the threat actors can assemble a form of attack that fits the environment of the targeted system. Sophos identified the tool while thwarting an attempted attack in which EDRKillShifter was used, and the finding is a concerning reminder of the constantly changing approaches adopted by cyber attackers.

Circumventing EDR solutions has become a major capability of ransomware groups. These security tools help an organization identify and counter malicious activity on its network. When EDR is turned off, attackers can move about more freely, causing more damage to systems, deploying their payloads with little interference, and stealing organizational data before they are detected.
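As an added illustration of the defensive side (not code from the original article or from Sophos), the following Python script triages constructed Sysmon-style 'Driver loaded' events and flags the kind of load a driver-loading tool like the one described above would produce: drivers that are unsigned or carry an invalid signature, drivers loaded from user-writable directories, and drivers from a publisher outside an assumed allowlist. The event lines, their field layout, and the publisher allowlist are all constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample events modelled loosely on the fields Sysmon records for
# Event ID 6 (Driver loaded). They are made-up lines, not real telemetry.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys; Signed: true; "
    "SignatureStatus: Valid; Signature: Microsoft Windows",
    "ImageLoaded: C:\\Users\\Public\\tools\\helper.sys; Signed: true; "
    "SignatureStatus: Valid; Signature: Example Vendor Ltd",
    "ImageLoaded: C:\\Windows\\Temp\\stage.sys; Signed: false; "
    "SignatureStatus: Unavailable; Signature: -",
]

# Assumed publisher allowlist; a real deployment would tune this per fleet.
EXPECTED_PUBLISHERS = {"Microsoft Windows"}

# Directories a dropped loader can typically write to without elevation.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp|Temp)\\", re.IGNORECASE)
FIELD_RE = re.compile(r"(\w+):\s*([^;]*)")

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key: value; Key: value' line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def suspicious_reasons(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one driver-load event."""
    reasons = []
    path = ev.get("ImageLoaded", "")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    if USER_WRITABLE.match(path):
        reasons.append("user_writable_path")
    if ev.get("Signature") not in EXPECTED_PUBLISHERS:
        reasons.append("unexpected_publisher")
    return reasons

def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (driver path, reasons) for each event that trips at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", "?"), reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

The allowlist and path rules are deliberately strict so that any driver load outside the expected set surfaces for review; in practice they are tuned against a baseline of the fleet's known drivers.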

A layered defence is critical against adversaries' growing malware capabilities aimed at EDR solutions. Leaders and managers must focus on putting robust security systems in place, along with threat identification, incident response procedures, and cybersecurity awareness among employees. Regular security reviews and penetration tests are another necessary measure, as they can identify the less protected areas that adversaries could successfully exploit.
