A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs.

Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.

According to Sophos security researchers, the new tool, which wasn't given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.

The new EDR killer tool uses a heavily obfuscated binary that is self-decoded at runtime and injected into legitimate applications.

The tool searches for a digitally signed (stolen or expir
