    Ransomware Groups Disregard Your EDR Systems • The Register

    Ransomware Evolving: The Rise of Kernel-Level EDR Killers

    Ransomware has kept evolving to get past endpoint security, and at least a dozen ransomware gangs now carry kernel-level EDR (Endpoint Detection and Response) killers in their toolkits. These tools let them blind nearly every major endpoint security product on the market before the encryption phase begins. One caveat worth keeping in mind: loading a driver on Windows requires administrative rights, so an EDR killer is not an entry point. It is deployed after initial access and privilege escalation, at which point the operators can steal and encrypt data and extort the victim with far less risk of being detected.

    The Emergence of Crypto24 Ransomware

    A recent entrant in this ecosystem is Crypto24, a ransomware strain that has reportedly hit nearly two dozen companies in the US, Europe, and Asia since it first appeared in April. Its leak site lists victims in financial services, manufacturing, entertainment, and technology. Once the operators have a foothold in a victim's network, they deploy a customized version of RealBlindingEDR, an open-source tool built to disable endpoint security products from the kernel.

    RealBlindingEDR: A Tailored Evasion Tool

    The Crypto24 build of RealBlindingEDR is programmed to neutralize the kernel callbacks registered by drivers from a list of 28 security vendors, including Sophos, Trend Micro, Kaspersky, Malwarebytes, and Bitdefender. Those callbacks (process, thread and image-load notifications, registry and object-handle callbacks) are how an EDR sensor sees activity on the host at all. The matching is straightforward but effective: the tool reads the company name from each loaded driver's metadata and, on a hit, removes that driver's callbacks. Note that the sensor process itself is left running, so the agent can still look healthy in the management console while receiving no telemetry; a defender who only checks that the agent service is up will not notice the difference.

    Trend Micro researchers also observed Crypto24 abusing gpscript.exe, the signed Windows binary that runs Group Policy scripts, to launch the uninstaller for Trend Vision One. Using a built-in policy-processing tool this way shows both the depth of planning and how attackers turn legitimate system components against their targets: the uninstall runs under a trusted parent process and, at a glance, looks like ordinary policy processing.
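One way to catch the gpscript.exe pattern described above is to key on the parent process of any command that removes or stops a security product. The script below is an added example written for this page, not code from the article, from Trend Micro or from any vendor; the product-name hints, the uninstall verbs and every sample event are constructed, and the Sysmon field names (EventID, ParentImage, Image, CommandLine) are the only real identifiers it assumes.

```python
"""Added example (not from the article or any vendor report): score Sysmon
process-creation events (Event ID 1) for a Group Policy script host
(gpscript.exe) being used to uninstall or stop an endpoint security product.
All events below are constructed sample data."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Vendors named in the article; extend with whatever EDR is actually deployed.
SECURITY_PRODUCT_HINTS = ("trend micro", "vision one", "sophos", "kaspersky",
                          "malwarebytes", "bitdefender")

# Windows binaries that run Group Policy scripts; a child of these is policy-driven.
GPO_SCRIPT_HOSTS = {"gpscript.exe"}

# Verbs that remove or stop software: MSI uninstall, vendor uninstallers, service control.
UNINSTALL_RE = re.compile(
    r"(?i)(\bmsiexec(\.exe)?\b.*\s/x\b"      # msiexec /x <package>
    r"|\buninstall\b"                        # uninstall.exe, /uninstall
    r"|\bsc(\.exe)?\s+(stop|delete)\b"       # sc stop / sc delete <service>
    r"|\bnet(\.exe)?\s+stop\b)"              # net stop <service>
)


def _basename(image: str) -> str:
    # PureWindowsPath parses backslash paths correctly even on a Linux analysis box.
    return PureWindowsPath(image).name.lower()


def mentions_security_product(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(hint in low for hint in SECURITY_PRODUCT_HINTS)


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    if not (UNINSTALL_RE.search(cmd) and mentions_security_product(cmd)):
        return None
    # A security-product uninstall launched by the policy script host is the
    # Crypto24 pattern; the same command from any other parent still merits review.
    if _basename(event.get("ParentImage", "")) in GPO_SCRIPT_HOSTS:
        return "high"
    return "medium"


def triage(events) -> list:
    """(CommandLine, severity) for every event that classify() flags."""
    out = []
    for ev in events:
        sev = classify(ev)
        if sev:
            out.append((ev["CommandLine"], sev))
    return out


# Constructed sample events in Sysmon field names; paths and packages are invented.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\Trend Micro\Vision One\uninstall.exe" /silent'},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File \\corp.example\SYSVOL\scripts\map-drives.ps1"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /x "C:\Windows\Temp\BitdefenderEndpoint.msi" /qn'},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for cmd, sev in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd}")
```

The benign policy script in the second sample is deliberately left alone: gpscript.exe launching scripts is normal, and alerting on the parent by itself would drown the one signal that matters, a security product being removed under that parent.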

    The Broader Landscape of EDR Killers

    Crypto24 is far from alone. Sophos has identified at least eight more gangs that run an EDR killer before launching ransomware, among them BlackSuit, RansomHub, and Medusa. Sophos researchers Gabor Szappanos and Steeve Gaudreault describe a consistent pattern: the EDR killer runs first, and the ransomware follows shortly after.

    A tool shared among several of these gangs is a newer build of EDRKillShifter, first used by RansomHub in August 2024. It follows the bring-your-own-vulnerable-driver (BYOVD) pattern: the loader drops a legitimately signed but vulnerable driver, loads it, and uses the driver's flaw to terminate EDR processes from the kernel. Each gang has its own build, and the variants are tailored to particular operations, so detection has to key on the driver being loaded rather than on the hash of any one loader.
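Since every EDRKillShifter variant still has to load a vulnerable driver, the driver load is the stable thing to watch. The script below is an added example written for this page, not code from the article or from Sophos; it triages Sysmon DriverLoad events (Event ID 6) with a hash blocklist, a signature check and a path check. The blocklist hashes are placeholders (in practice populate them from Microsoft's recommended driver block rules or the loldrivers.io dataset), the staging-directory list is an assumption, and every sample event is constructed.

```python
"""Added example (not from the article or from Sophos): triage Sysmon DriverLoad
events (Event ID 6) for the bring-your-own-vulnerable-driver pattern that
EDRKillShifter and similar loaders rely on.  Blocklist hashes are placeholders;
all events below are constructed sample data."""
import re
from typing import List

# Placeholder SHA-256 values (constructed, not real driver hashes) -> label.
VULNERABLE_DRIVER_SHA256 = {
    "11" * 32: "placeholder: vulnerable signed driver A",
    "22" * 32: "placeholder: vulnerable signed driver B",
}

# Directories a driver should never be loaded from: user-writable or staging areas
# (assumed list; tune for your environment).
STAGING_DIR_RE = re.compile(r"(?i)\\(users|programdata|temp)\\")


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...,IMPHASH=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> List[str]:
    """Reasons a DriverLoad event is suspicious; an empty list means nothing found."""
    reasons: List[str] = []
    if event.get("EventID") != 6:
        return reasons
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}")
    # BYOVD drivers carry a *valid* signature; that is why the hash check above
    # is needed and why the signature check alone is not enough.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"signature status {event.get('SignatureStatus', '')!r}")
    path = event.get("ImageLoaded", "")
    if STAGING_DIR_RE.search(path):
        reasons.append(f"loaded from staging directory: {path}")
    return reasons


def triage_driver_loads(events) -> list:
    """(ImageLoaded, reasons) for every event with at least one reason."""
    out = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            out.append((ev.get("ImageLoaded", ""), reasons))
    return out


# Constructed sample events in Sysmon field names; paths, signers and hashes are invented.
SAMPLE_DRIVER_LOADS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "33" * 32 + ",MD5=" + "44" * 16,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Music\tmp.sys",
     "Hashes": "SHA256=" + "11" * 32,
     "Signed": "true", "Signature": "Some Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\upd\helper.sys",
     "Hashes": "SHA256=" + "55" * 32,
     "Signed": "true", "Signature": "Unknown", "SignatureStatus": "Expired"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for path, reasons in triage_driver_loads(SAMPLE_DRIVER_LOADS):
        print(path)
        for r in reasons:
            print("   -", r)
```

The second sample is the instructive one: a validly signed driver loaded from a user-writable directory passes the signature check and is caught only by the blocklist and the path rule. That is the BYOVD trade-off in miniature, and it is why Windows' own vulnerable-driver blocklist (enforced through HVCI or WDAC) is worth turning on rather than relying on code signing alone.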

    Kernel-Level Access and Lateral Movement

    Disabling the EDR from the kernel opens a substantial window for lateral movement inside the compromised network. Sophos noted that RansomHub's EDR killer can target products from a range of vendors, stripping away the protective layers meant to keep the organization secure.

    With the sensor blinded, the operators can run their main attack and also move laterally across the infrastructure, exfiltrating data and backdooring systems without raising alarms. Benson George, a senior principal product marketing manager at Aviatrix, points out that disabling EDR on a single endpoint can expose unmonitored communication paths across modern cloud-connected networks.

    The Dual Nature of EDR Killers

    While most of the discussion centers on custom malware, it is worth noting that some of these EDR killers are legitimate software. Kendall McKay of Cisco Talos says Talos incident responders have seen commercially available tools such as HRSword misused in ransomware intrusions. Because such tools are signed and have legitimate uses, they are less likely to be flagged or blocked by traditional controls, which further complicates defense.

    Conclusion: The Ongoing Threat Landscape

    The incorporation of kernel-level EDR killers into ransomware operations is a significant escalation for organizations across industries. As these actors refine their methods with both custom and legitimate tools, defenders need controls that do not rest solely on the endpoint agent: a vulnerable-driver blocklist, alerting on driver loads and on a sensor going quiet rather than only on a sensor failing, and monitoring that survives the loss of a single endpoint.
