RansomHub-linked EDR-killing malware discovered in the wild


in brief Malware that kills Endpoint Detection and Response (EDR) software has been spotted in the wild, and given its link to RansomHub, it may soon become prolific.

GitHub artifact alert, RansomHub's EDR killer, SolarWind's latest hotfix

Discovered by Sophos analysts after a failed attack and dubbed EDRKillShifter, the malware exploits legitimate but vulnerable drivers on Windows machines to deliver ransomware to targets.

Both variants tested by Sophos analysts use known vulnerable drivers with publicly available proof-of-concept code, with the ultimate goal of shutting down endpoint detection and response software and compromising the victim's machine. Using publicly known driver vulnerabilities is a common tactic for EDR-killing malware, Sophos said.
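Because the drivers abused by this class of EDR killer are legitimate and signed, a signature check alone will not catch them; the useful signals are the driver's hash (against a blocklist of known vulnerable drivers) and where it was loaded from. The following is an added detection example, not code from Sophos or from the article, that applies both checks to driver-load records in the shape of Sysmon Event ID 6. The record format, file names, paths and hashes are constructed placeholders, and the blocklist is a stand-in for a real feed such as Microsoft's vulnerable driver blocklist.

```python
"""
Added example (not from the Sophos report or the article): flag Windows
driver loads that look like bring-your-own-vulnerable-driver (BYOVD) activity.
Two signals are checked per load: the driver's SHA256 is on a blocklist of
known vulnerable drivers, or the driver was loaded from outside the standard
driver directories. All hashes, names and paths below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder blocklist (hash -> label). In production this would
# be fed from a maintained list of known vulnerable drivers.
VULNERABLE_DRIVER_SHA256 = {
    "aa" * 32: "placeholder-vulnerable-driver-a",
    "bb" * 32: "placeholder-vulnerable-driver-b",
}

# Directories from which properly installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    utc_time: str
    image_loaded: str
    sha256: str
    signed: bool
    signature: str


@dataclass
class Finding:
    image_loaded: str
    reasons: list = field(default_factory=list)


def parse_driver_load(line: str) -> DriverLoad:
    """Parse a constructed 'Key: value|Key: value' record mimicking the
    fields of a Sysmon Event ID 6 (DriverLoad) event."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image_loaded=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def assess(load: DriverLoad) -> Optional[Finding]:
    """Return a Finding when the load matches a BYOVD signal, else None."""
    reasons = []
    if load.sha256 in VULNERABLE_DRIVER_SHA256:
        label = VULNERABLE_DRIVER_SHA256[load.sha256]
        reasons.append(f"hash matches known vulnerable driver {label}")
    if not load.image_loaded.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from non-standard location {load.image_loaded}")
    if not load.signed:
        reasons.append("driver is unsigned")
    return Finding(load.image_loaded, reasons) if reasons else None


def scan(lines) -> list:
    """Parse every record and collect the findings."""
    findings = []
    for line in lines:
        finding = assess(parse_driver_load(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: one ordinary signed OS driver, and one signed
# driver on the blocklist dropped into a user-writable directory.
SAMPLE_EVENTS = [
    "UtcTime: 2024-08-14 09:12:01.000|ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes: SHA256=" + "11" * 32 + "|Signed: true|Signature: Microsoft Windows",
    "UtcTime: 2024-08-14 09:13:44.000|ImageLoaded: C:\\Users\\Public\\upd\\vuln_placeholder.sys"
    "|Hashes: SHA256=" + "aa" * 32 + "|Signed: true|Signature: Placeholder Vendor Ltd",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image_loaded)
        for r in f.reasons:
            print("  -", r)
```

Note that the second sample driver is signed and would pass a signature-only check; it is caught by the hash match and the load path. Treating a signed driver loaded from a user-writable directory as suspicious on its own is deliberate, since a blocklist is only as current as its last update.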

Its use by RansomHub – which appeared earlier this year and has quickly become one of the most used tools among ransomware actors – indicates that EDRKillShifter may already be on its way to becoming a serious threat. However, a look inside the malware indicates that it is not as dangerous as it appears at first glance, provided appropriate precautions are taken.
