Source URL: https://www.theregister.com/2025/03/31/ransomware_crews_edr_killers/
Source: The Register
Title: Ransomware crews add ‘EDR killers’ to their arsenal – and some aren’t even malware
Feedly Summary: Crims are disabling security tools early in attacks, Talos says
Antivirus and endpoint security tools are falling short as ransomware crews increasingly deploy “EDR killers" to disable defenses early in the attack – a tactic Cisco Talos observed in most of the 2024 cases it handled.…
AI Summary and Description: Yes
Summary: The text discusses the increasing sophistication of ransomware attacks, specifically focusing on the emerging threat of “EDR killers” that disable endpoint detection and response (EDR) systems. As attackers use legitimate software tools like HRSword to evade detection, it emphasizes the need for organizations to properly configure security products and remain vigilant against evolving malware tactics.
Detailed Description: The article highlights the alarming trend in ransomware tactics where attackers deploy “EDR killers” to neutralize endpoint security measures early in their operations. This development poses significant risks to organizations by allowing intruders to operate undetected for longer periods. Here are the major points addressed:
– **Ransomware Tactics**:
  – Ransomware groups are increasingly using specialized tooling (e.g., EDRSilencer, EDRSandblast) to disable EDR systems before the main payload runs.
  – The success rate is alarming: attackers managed to disable the EDR product in 48% of the cases observed.
– **Types of Tools Used**:
  – Attackers employ several different “EDR killers” within a single operation, swapping tools as their methods evolve.
  – EDRKillShifter, for example, loads a legitimately signed but vulnerable driver (the “bring your own vulnerable driver”, or BYOVD, technique) and uses it from kernel mode to terminate the processes of legitimate EDR products.
– **Use of Legitimate Software**:
  – Attackers also repurpose legitimate software (e.g., HRSword) to disable endpoint protections; because the binary is a signed, benign-looking utility rather than malware, security tools are far less likely to flag it.
  – HRSword, a system-analysis utility originally developed by Huorong Network Technology, has been co-opted by ransomware groups to terminate protected security processes, which clears the way for lateral movement across the network.
– **Prevention and Recovery Challenges**:
  – Recovery can fail because of how stealthy these intrusions are. Even when no ransomware is ultimately deployed, pre-ransomware activity such as disabled sensors warrants a thorough evaluation of the affected systems and potentially rebuilding parts of the network.
  – Many deployed EDR products are misconfigured or left in audit-only mode, so they log the tampering but never block it, leaving companies exposed.
– **Emerging Ransomware Groups**:
  – The ransomware-as-a-service group LockBit remained the most active despite significant law enforcement action against it.
  – Newer entrants such as RansomHub are making their mark, indicating a dynamic and evolving threat landscape.
– **Recommendations**:
  – Organizations should place greater emphasis on monitoring, configure security tools to block rather than merely audit, and block known EDR killers preemptively, including the vulnerable drivers they depend on.
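The tooling and recommendation points above translate into concrete detection logic. The following is an added example written for this summary, not code from The Register, Cisco Talos or any EDR vendor: it triages Sysmon-style events for the two halves of a BYOVD EDR-killer chain (a driver loaded from an unexpected place, or matching a vulnerable-driver blocklist, followed by a handle with terminate rights opened on an EDR process) and escalates hosts that show both. The event records, the EDR process names, the driver hashes and the hostnames are constructed placeholders, not real indicators.

```python
"""Triage Sysmon-style telemetry for EDR-killer tradecraft.

Added example; not code from The Register, Cisco Talos or any EDR vendor.
Every event record, process name and SHA-256 value below is a constructed
placeholder, not a real indicator of compromise.
"""
from dataclasses import dataclass

# Stand-in for a vulnerable-driver blocklist. Constructed placeholder
# hashes; in practice load LOLDrivers or Microsoft's driver blocklist.
KNOWN_VULNERABLE_DRIVER_HASHES = {"aa" * 32, "bb" * 32}
# Endpoint-agent processes to protect (assumption: hypothetical names).
EDR_PROCESS_NAMES = {"edragent.exe", "edrsensor.exe", "avservice.exe"}
# Where a kernel driver is expected to live.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
PROCESS_TERMINATE = 0x0001  # Win32 access right needed to kill a process
DRIVER_RULES = {"known_vulnerable_driver", "driver_outside_drivers_dir", "unsigned_driver"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sha256_of(hashes_field: str) -> str:
    """Sysmon renders the Hashes field as 'SHA1=...,SHA256=...,MD5=...'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_driver_load(ev: dict) -> list[Alert]:
    """Sysmon Event ID 6 (DriverLoad): BYOVD needs its driver loaded first."""
    alerts, host, image = [], ev["Computer"], ev["ImageLoaded"].lower()
    if _sha256_of(ev.get("Hashes", "")) in KNOWN_VULNERABLE_DRIVER_HASHES:
        alerts.append(Alert("known_vulnerable_driver", "high", host, image))
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        alerts.append(Alert("driver_outside_drivers_dir", "medium", host, image))
    if ev.get("Signed", "").lower() != "true":
        alerts.append(Alert("unsigned_driver", "medium", host, image))
    return alerts


def check_process_access(ev: dict) -> list[Alert]:
    """Sysmon Event ID 10 (ProcessAccess): terminate rights on an EDR
    process, requested by something that is not the EDR itself."""
    source, target = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    if target not in EDR_PROCESS_NAMES or source in EDR_PROCESS_NAMES:
        return []
    if int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
        return [Alert("terminate_handle_to_edr_process", "high", ev["Computer"],
                      f"{source} -> {target} ({ev['GrantedAccess']})")]
    return []


def check_process_create(ev: dict) -> list[Alert]:
    """Sysmon Event ID 1 (ProcessCreate): sc.exe registering a kernel service
    is how many BYOVD loaders get their driver installed."""
    cmd = " ".join(ev.get("CommandLine", "").lower().split())
    if (_basename(ev.get("Image", "")) == "sc.exe" and " create " in f" {cmd} "
            and ("type= kernel" in cmd or "type=kernel" in cmd)):
        return [Alert("kernel_service_install", "medium", ev["Computer"], cmd)]
    return []


CHECKS = {1: check_process_create, 6: check_driver_load, 10: check_process_access}


def analyze(events: list[dict]) -> list[Alert]:
    """Run the per-event checks, then escalate hosts showing both halves of
    the chain: a suspicious driver load and terminate access to an EDR
    process. Either alone is noise on a busy fleet; together they are not."""
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(CHECKS.get(ev["EventID"], lambda _ev: [])(ev))
    driver_hosts = {a.host for a in alerts if a.rule in DRIVER_RULES}
    kill_hosts = {a.host for a in alerts if a.rule == "terminate_handle_to_edr_process"}
    for host in sorted(driver_hosts & kill_hosts):
        alerts.append(Alert("edr_killer_chain", "critical", host,
                            "suspicious driver load and terminate access to EDR process"))
    return alerts


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": 'sc create hwmon type= kernel binPath= "C:\\Users\\Public\\hwmon.sys"'},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": "C:\\Users\\Public\\hwmon.sys",
     "Hashes": "SHA256=" + "aa" * 32, "Signed": "true"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Users\\Public\\killer.exe",
     "TargetImage": "C:\\Program Files\\EDR\\edragent.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 6, "Computer": "WS02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\usbhub.sys",
     "Hashes": "SHA256=" + "cc" * 32, "Signed": "true"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Program Files\\EDR\\edragent.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.host} {a.rule}: {a.detail}")
```

Two design points worth noting. The hash match is the easy win but also the weakest, since the attacker only needs a vulnerable driver that is not yet on the list; the path and signature checks, and above all the correlation with terminate access to the agent process, are what catch the next driver. And none of this helps if the product receiving these alerts is in audit-only mode: the same telemetry should also feed a block rule (a driver blocklist or application-control policy) so the loader fails before the kill step is reached.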
These evolving ransomware techniques matter to security and compliance professionals because attackers now combine purpose-built malware with legitimate tools to blind defenses before acting; countering them calls for a proactive, layered strategy in which endpoint products are tamper-protected, configured to block rather than merely audit, and watched for signs of being switched off.