A new tool designed to disable Endpoint Detection and Response (EDR) solutions is making waves in the cybersecurity world. Considered an evolution of the well-known "EDRKillShifter," this more advanced version has been linked to attacks carried out by at least eight ransomware groups, including RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.
According to a report by Sophos, this tool—still unnamed officially—is actively being used to disable key defenses on compromised systems, facilitating the deployment of malicious payloads, privilege escalation, lateral movement within the network, and ultimately, the mass encryption of devices without detection.
In other words: ransomware operators are using this tool as a first step to leave networks defenseless before launching their attacks. And what’s most concerning is that this isn’t an isolated case. This technique is already becoming a recurring pattern among increasingly organized ransomware gangs.
How EDR Killer Works to Evade Detection and Disable Security
The new tool known as EDR Killer takes stealth to another level. It uses a highly obfuscated binary that self-decodes in real time and then injects itself into legitimate system processes, making it extremely difficult for security solutions to detect.
Once inside, the tool looks for a digitally signed driver, which may have been signed with a stolen or even expired certificate. This driver has a random five-character name and is encoded within the executable, adding yet another layer of evasion.
Stolen and expired certificate used by malicious driver (Source: Sophos)
If it manages to find one, the next step is critical: loading that driver directly into the system’s kernel. This enables a BYOVD (Bring Your Own Vulnerable Driver) attack—a well-known technique used by attackers to gain kernel-level privileges and, from there, freely disable security products.
Once active, the malicious driver disguises itself as a legitimate file, impersonating well-known components such as the CrowdStrike Falcon Sensor Driver. But beneath that innocent façade, its purpose is clear: terminate active antivirus and EDR processes and stop services associated with security tools.
Among the security products targeted by this tactic are Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, Cylance, McAfee, F-Secure, HitmanPro, and Webroot. In other words, the biggest names in the industry.
While there are variants of this new EDR Killer tool (which differ in driver names, targeted antivirus engines, and build options), they all share one common element: the use of a packer called HeartCrypt. This suggests cooperation between ransomware groups—even among rivals.
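As an added illustration of how a defender might triage driver-load telemetry for the pattern described above (example code written for this page, not Sophos's tooling or detection logic), the script below scores constructed records shaped like Sysmon Event ID 6 "Driver Loaded" fields against three of the indicators mentioned: a signature status other than Valid (for instance, expired), a five-character driver name, and a load path outside the system drivers directory. The sample records and the "two or more indicators" threshold are assumptions chosen for the example.

```python
import re

# Constructed sample records using Sysmon Event ID 6 (Driver Loaded) field names.
# These are invented for the example, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ExampleEdr.sys", "Signed": "true",
     "Signature": "Example EDR Vendor Inc.", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\qzxkv.sys", "Signed": "true",
     "Signature": "Some Defunct Publisher Ltd", "SignatureStatus": "Expired"},
    {"ImageLoaded": "C:\\ProgramData\\temp\\ab3kq.sys", "Signed": "true",
     "Signature": "Another Publisher", "SignatureStatus": "Valid"},
]

# Five alphanumeric characters plus ".sys", the naming pattern reported for the dropped driver.
FIVE_CHAR_NAME = re.compile(r"^[a-z0-9]{5}\.sys$", re.IGNORECASE)
# Normal location for kernel drivers on Windows; a load from elsewhere is unusual.
TRUSTED_DIR = "c:\\windows\\system32\\drivers\\"


def score_driver_load(event):
    """Return (score, reasons) for one Driver Loaded record.

    Each indicator adds one point. A single hit is weak on its own:
    tcpip.sys also has a five-character name, so the path and signature
    checks are needed to keep legitimate drivers from being flagged.
    """
    path = event["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    status = event.get("SignatureStatus", "")
    if status.lower() != "valid":
        reasons.append(f"signature status is {status!r}, not Valid")
    if not path.lower().startswith(TRUSTED_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if FIVE_CHAR_NAME.match(name):
        reasons.append("five-character driver name matches the reported pattern")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return (score, path, reasons) for loads with at least `threshold` indicators, highest first."""
    flagged = []
    for ev in events:
        score, reasons = score_driver_load(ev)
        if score >= threshold:
            flagged.append((score, ev["ImageLoaded"], reasons))
    flagged.sort(key=lambda item: -item[0])
    return flagged


if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {path}: " + "; ".join(reasons))
```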
Shared Use of EDR Killer Tools Among Ransomware Gangs
According to Sophos, it’s not simply a matter of one version of the tool being leaked and then copied by others. Instead, it's believed that these versions are part of a shared framework, collaboratively developed by multiple malicious actors.
“To be clear, it’s not that a single EDR killer binary was leaked and shared among threat actors. Rather, each attack used a different version of the proprietary tool,” Sophos explained.
This sharing of tools is nothing new in the ransomware ecosystem. In fact, alongside this evolution of EDRKillShifter, Sophos also identified another tool called AuKill, which was used by Medusa Locker and LockBit in recent campaigns.
Meanwhile, SentinelOne revealed in 2023 that FIN7, a well-known cybercriminal group, was selling its own custom tool called AvNeutralizer to multiple ransomware gangs, including BlackBasta, AvosLocker, MedusaLocker, BlackCat, Trigona, and once again, LockBit.
If you want to dive deeper into the indicators of compromise (IOCs) related to this new wave of EDR-killing tools, you can check them out in the official GitHub repository where they’ve been collected.