Multiple Ransomware Groups are Using Tool to Kill EDR Defenses: Sophos
Researchers with cybersecurity firm Sophos last year detailed the rise of EDRKillShifter, a malicious tool developed by the RansomHub ransomware group to help its affiliates terminate endpoint detection and response (EDR) defenses in compromised systems.
It was part of a fast-moving trend that Sophos and other security vendors, such as ESET, have seen over the past several years in the growing sophistication of malware used to disable EDR systems in the early stages of a ransomware attack.
“EDRKillShifter quickly gained popularity among ransomware affiliates, and … they don’t use it exclusively in RansomHub intrusions,” ESET researchers wrote in a report in March. “However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates.”
In a report this week, Sophos researchers wrote that EDRKillShifter has since been “made obsolete” by a new EDR killer malware found in packed payloads delivered via the HeartCrypt packer-as-a-service (PaaS) operation, which is used to obfuscate malware and evade detection by antivirus and analysis tools.
Working Together
Various versions of the EDR killer target a range of EDR tools from more than a dozen cybersecurity vendors, including Sophos, Fortinet, Microsoft, McAfee, SentinelOne, Trend Micro and Symantec, according to Sophos.
Just as troubling, it is being used by multiple ransomware groups and their affiliates – Blacksuit, Medusa, Qilin and INC among them – raising the specter that the competing bad actors are sharing tools and technical knowledge among themselves, according to the report’s authors, Gabor Szappanos, threat research director at Sophos, and Steeve Gaudreault, senior threat researcher.
“It’s not that a single binary of the EDR killer leaked out and was shared between threat actors,” Szappanos and Gaudreault wrote. “Instead, each attack used a different build of the proprietary tool. In addition, all variants were then packed with the subscription-based HeartCrypt packer-as-a-service. This may therefore be at least somewhat coordinated.”
A Complex Ransomware Ecosystem
It could be that information about using HeartCrypt for this purpose was passed along in channels that threat actors use, or – less likely – a coincidence that all these ransomware groups chose to buy the same off-the-shelf anti-EDR tool, they wrote.
That said, ESET researchers in their report wrote about similar information sharing among bad actors.
“This suggests that the ransomware ecosystem is more complicated than a collection of competing and fighting ransomware groups,” the Sophos researchers wrote. “Yet another headache for defenders.”
HeartCrypt Packer-as-a-Service
Szappanos and Gaudreault focused on an antivirus killer tool found in HeartCrypt, noting that it has been detected by other vendors, including Cylerian and possibly as far back as January 2024 by Palo Alto Networks, during ongoing ransomware attacks. Development of HeartCrypt began in 2023 and it was launched in February 2024. It has been used to pack more than 2,000 malicious payloads since, according to Palo Alto Networks’ Unit 42 group.
The distributor of HeartCrypt markets the PaaS on various forums, such as Telegram and BlackHatForums, Unit 42 researchers wrote late last year. Customers submit their malware through Telegram or other private messaging services, and the operator packs and returns it as a new binary. To obfuscate the malware, HeartCrypt injects malicious code into legitimate executable files, which makes it appear to be legitimate software and difficult for antivirus tools to detect.
Sophos said that in one incident, researchers saw the EDR killer inserted into the Clipboard Compare tool in Beyond Compare, software created by Scooter Software to merge and synchronize data. In this case, the malicious code targeted Sophos’ products.
Sophos alerted Scooter to the situation, with the software company saying its installer, executables, and DLLs are all code-signed.
“The loader code was injected near the entry point, and the malicious payload and additional loader components were inserted as resources,” Szappanos and Gaudreault wrote. “Upon execution, the payload decodes itself – it is, in fact, a heavily protected executable.”
Multiple Versions of EDR Killer
The heavy protection is among a number of significant characteristics of the EDR killer. It also looks for a driver with a random five-letter name, that driver is signed with a compromised certificate, and the tool targets multiple security vendors. The list of targets also varies among samples of the malware.
“There are many different versions of this tool,” Sophos researchers wrote. “The actual list of targeted security products varies widely between them – sometimes only one or two are specifically targeted, other times a larger list.”
They added that “in a typical attack scenario, we observed the attempted execution of the HeartCrypt-packed dropper. It would drop a heavily protected EDR killer executable, which in turn loads a driver signed by a compromised signature.”
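A defender-side triage heuristic built from the characteristics described above (random five-letter driver name, a driver signed with a certificate other than the expected signer, and a load from an unusual path). This is an added example, not code from Sophos or the report; the driver-load events are constructed and modelled on Sysmon Event ID 6 (DriverLoad) fields, and the signer allow-list is an assumption for the example.

```python
import re

# Constructed sample driver-load events (not from any real incident), using
# the ImageLoaded / Signature / SignatureStatus fields Sysmon Event ID 6 records.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\qwpzx.sys",
     "Signature": "Hypothetical Vendor Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\abcde.sys",
     "Signature": "Hypothetical Vendor Ltd", "SignatureStatus": "Revoked"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

RANDOM_FIVE_LETTER = re.compile(r"^[a-z]{5}\.sys$", re.IGNORECASE)
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Assumed allow-list of signers expected for kernel drivers on this host.
TRUSTED_SIGNERS = {"microsoft windows"}


def assess_driver_load(event: dict) -> list[str]:
    """Return every heuristic a driver-load event trips (empty list if none)."""
    path = event["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if RANDOM_FIVE_LETTER.match(name):
        reasons.append("five-letter random driver name")
    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("driver loaded from outside the system drivers directory")
    status = event.get("SignatureStatus", "").lower()
    signer = event.get("Signature", "").lower()
    if status != "valid":
        reasons.append(f"signature status {status or 'missing'}")
    elif signer not in TRUSTED_SIGNERS:
        # A valid signature from an unexpected signer is exactly what a stolen
        # or compromised certificate looks like, so it still merits review.
        reasons.append(f"valid signature from non-allow-listed signer '{event['Signature']}'")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Report drivers tripping at least two heuristics; a legitimate five-letter
    name alone (e.g. tcpip.sys) is too weak a signal to alert on by itself."""
    return {ev["ImageLoaded"]: r for ev in events
            if len(r := assess_driver_load(ev)) >= 2}
```

Feeding real Sysmon Event ID 6 records into `triage` is a starting point for a hunt query, not a replacement for the EDR's own tamper-protection telemetry.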
In a case in June involving the INC ransomware group, the EDR killer used an additional layer of packing, with the attacker using two different PaaS offerings for layered protection.