Antivirus and endpoint security tools are increasingly challenged as ransomware groups adopt sophisticated strategies to disable defenses early in their attacks. Cisco Talos reported that across the ransomware incidents it handled in 2024, attackers who tried to neutralize endpoint detection and response (EDR) systems with “EDR killers” succeeded nearly half of the time.
According to Kendall McKay, strategic lead at Talos, the frequency of these attacks is alarming. “When ransomware actors attempted to do that, they were successful 48 percent of the time,” she shared in an interview with The Register. The evolving nature of this malware category, which includes tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator, poses significant threats to organizational security.
These EDR killers utilize various methods to achieve their objectives. EDRKillShifter, for instance, first observed in RansomHub attacks in August 2024, uses the bring-your-own-vulnerable-driver (BYOVD) technique: it loads a legitimately signed but vulnerable Windows driver and abuses it to gain kernel-level execution, then terminates EDR processes from below the user-mode protections the EDR relies on. The same tool has since been observed in operations by rival gangs such as Medusa, BianLian, and Play, indicating that it has spread well beyond the group that first deployed it.
Impact on System Recovery
The primary goal of these malicious tools is to disable EDR protections, allowing attackers to operate undetected within compromised networks. This not only facilitates data theft but also complicates system recovery efforts for affected organizations. McKay emphasized the importance of recovery in the ransomware context, noting, “System recovery is such an important part of the remediation process.” Even in cases where no data appears to be stolen or files encrypted, the presence of pre-ransomware activity necessitates a thorough system recovery to assess potential damage.
Recovery often entails wiping and rebuilding entire networks, provided that robust backups are available. This ensures that intruders are entirely expelled and that no backdoors remain for future access. “As this evolving bucket of threats becomes more mainstream, there will need to be a greater emphasis on monitoring and blocking those known EDR killers from the start,” McKay added.
‘Hiding in Plain Sight’
Interestingly, not all EDR killers are purpose-built malware. Talos incident responders have encountered legitimate software tools, such as HRSword, being exploited by ransomware actors. This commercial tool, developed by Huorong Network Technology, is designed for monitoring system activity and is now being misused to disable endpoint protection systems.
Because HRSword is a legitimate product, it is less likely to be detected by conventional antivirus and security systems. In one instance involving a GlobeImposter ransomware infection, attackers gained administrative access and deployed HRSword to disable the victim’s EDR system early in their operation. Following this, they utilized a series of other legitimate tools to navigate the network and extract sensitive data.
In another case linked to a Phobos ransomware attack, the attackers also initiated their operation with HRSword, further demonstrating the trend of utilizing legitimate tools for nefarious purposes. “They were going after those out-of-the-box products that had not been configured specifically for that organization,” McKay noted, highlighting the ease with which attackers can exploit misconfigured systems.
Modifying Defenses and Exploiting Misconfigurations
In addition to outright disabling security products, attackers are also modifying existing defenses. This includes altering firewall rules to create remote access into internal systems. Talos has observed that many organizations deploy security products without proper configuration, leaving them vulnerable to exploitation.
McKay pointed out that poorly configured EDR products, particularly those left in audit-only (detect-but-do-not-block) mode, are especially concerning. In that configuration the sensor records malicious activity and raises alerts, but no prevention action is ever taken. “We repeatedly saw alerts for initial compromise followed by alerts on suspicious behaviors without any of those being blocked or actioned,” she explained.
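Two of the patterns described above, a vulnerable-driver load followed by the death of an EDR agent process, and a chain of alerts on one host none of which was ever blocked, are both visible in ordinary endpoint telemetry. The script below is an added example written for this article, not Talos tooling; the event records are constructed to resemble Sysmon/EDR output, and the EDR process names, the driver hash blocklist and the field names are assumptions rather than anything taken from the incidents described here.

```python
"""Flag EDR-killer sequences and audit-only (unactioned) alert chains in endpoint telemetry.

Added example for this article; not code from Talos or any EDR vendor.
"""
from datetime import datetime, timedelta

# Assumed names of EDR agent processes a killer would target (illustrative, not exhaustive).
EDR_PROCESSES = {"MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe"}

# Hypothetical SHA-256 blocklist of signed-but-vulnerable drivers. A real deployment would
# consume a maintained list (e.g. Microsoft's vulnerable driver blocklist), not this placeholder.
VULN_DRIVER_HASHES = {"0" * 63 + "1"}

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
BLOCKING_ACTIONS = {"block", "quarantine", "kill", "isolate"}

# Constructed telemetry (not real incident data). Types: driver_load, process_terminate, edr_alert.
EVENTS = [
    {"ts": "2024-09-03T01:10:00", "host": "ws-042", "type": "edr_alert",
     "name": "Initial access: suspicious RDP logon", "action": "audit"},
    {"ts": "2024-09-03T01:11:30", "host": "ws-042", "type": "edr_alert",
     "name": "Suspicious service installation", "action": "audit"},
    {"ts": "2024-09-03T01:12:05", "host": "ws-042", "type": "driver_load",
     "image": "C:\\Users\\Public\\tmp\\drv.sys", "sha256": "0" * 63 + "1"},
    {"ts": "2024-09-03T01:12:40", "host": "ws-042", "type": "process_terminate",
     "image": "MsMpEng.exe"},
    {"ts": "2024-09-03T02:00:00", "host": "srv-07", "type": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\storport.sys", "sha256": "b" * 64},
    {"ts": "2024-09-03T02:05:00", "host": "srv-07", "type": "edr_alert",
     "name": "Credential dumping attempt", "action": "block"},
    # Agent termination with no preceding driver load: not enough on its own to flag.
    {"ts": "2024-09-03T03:00:00", "host": "ws-011", "type": "process_terminate",
     "image": "SentinelAgent.exe"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_suspicious_driver(ev):
    """Known-vulnerable hash, or a driver loaded from outside the system drivers directory."""
    if ev["sha256"].lower() in VULN_DRIVER_HASHES:
        return True
    return not ev["image"].lower().startswith(SYSTEM_DRIVER_DIR)


def find_edr_kill_sequences(events, window_minutes=10):
    """Pair each suspicious driver load with EDR-process terminations on the same host
    inside the time window. Returns (host, driver_image, terminated_process) tuples."""
    events = sorted(events, key=_ts)
    window = timedelta(minutes=window_minutes)
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] != "driver_load" or not is_suspicious_driver(ev):
            continue
        for later in events[i + 1:]:
            if _ts(later) - _ts(ev) > window:
                break
            if (later["host"] == ev["host"] and later["type"] == "process_terminate"
                    and later["image"] in EDR_PROCESSES):
                hits.append((ev["host"], ev["image"], later["image"]))
    return hits


def find_unactioned_alerts(events, min_alerts=2):
    """Hosts where a chain of EDR alerts fired and none of them was blocked:
    the audit-only pattern. Returns {host: [alert names in time order]}."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        if ev["type"] == "edr_alert":
            by_host.setdefault(ev["host"], []).append(ev)
    return {
        host: [a["name"] for a in alerts]
        for host, alerts in by_host.items()
        if len(alerts) >= min_alerts
        and not any(a["action"] in BLOCKING_ACTIONS for a in alerts)
    }


if __name__ == "__main__":
    for host, drv, proc in find_edr_kill_sequences(EVENTS):
        print(f"[EDR-KILL] {host}: {drv} loaded, then {proc} terminated")
    for host, names in find_unactioned_alerts(EVENTS).items():
        print(f"[AUDIT-ONLY] {host}: {len(names)} alerts, none blocked: {names}")
```

The two checks are deliberately independent: the first flags the killer's behaviour regardless of whether the EDR raised an alert, and the second flags a configuration problem (alerts that never turn into prevention) regardless of whether a killer was involved. On the constructed data only `ws-042` trips both; the legitimate driver load on `srv-07` and the lone agent termination on `ws-011` are left alone.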
Ransomware Landscape: LockBit and RansomHub
As Talos prepares to release its annual year-in-review report, McKay noted that LockBit has maintained its position as the most active ransomware-as-a-service (RaaS) group for the third consecutive year. LockBit affiliates accounted for 16 percent of claimed attacks in 2024, despite the group’s takedown by law enforcement early last year. “To see LockBit stay at the top for such a long time really caught our attention this year,” McKay remarked.
In a notable shift, newcomer RansomHub, which emerged in February 2024, secured the second position with 11 percent of posts to leak sites. McKay attributed this dynamic to the effectiveness of law enforcement actions, stating, “The differentiator really seems to be: does law enforcement release a decryptor as part of the takedown operations?” This ongoing battle between cybercriminals and law enforcement continues to shape the landscape of ransomware threats.