Ransomware Rises: EDR Killer Exploited by Cyber Criminals

Aug 28, 2025
Aug 29, 2025

Multiple ransomware groups are now leveraging a new tool called EDR Killer to target Endpoint Detection and Response (EDR) security systems. According to a recent study by Sophos, ransomware groups such as BlackSuit, Medusa, Qilin, DragonForce, and INC, along with various underground marketplaces, are using EDR Killer to bypass and attack EDR systems. Deployment of the tool has been confirmed in several cyberattacks.

Sophos’ research indicates that since 2022, as organizations increasingly adopt endpoint security tools, malware has evolved to disable EDR systems effectively. The latest antivirus-killing tools identified by Sophos have been distributed as HeartCrypt services, often using stolen data. The attacks target products from major cybersecurity companies, including Sophos, Bitdefender, SentinelOne, Microsoft, McAfee, and Webroot.

The workings of the EDR Killer tool, its use across multiple ransomware attacks, and its detection patterns are detailed in Sophos’ report titled “Shared Secret: EDR Killer in the Kill Chain.” The study highlights emerging trends in ransomware attacks and demonstrates how competing cybercriminal groups are employing similar custom tools for their operations.