Cybercriminals are increasingly turning to a new breed of malicious tools designed to disable Endpoint Detection and Response (EDR) systems, significantly undermining traditional cybersecurity defenses. A powerful EDR-killer tool, evolving from the earlier ‘EDRKillShifter’ utility attributed to the RansomHub group, has now surfaced in the tactics of at least eight ransomware gangs. These include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.
This collaborative use of anti-defensive techniques marks a critical shift in the ransomware landscape. Defenders must now combat not only standalone exploitation techniques but also modular tools tailored to dismantle endpoint security before ransomware payloads are even introduced.
EDR Killers Are Becoming Core Components of Ransomware Toolkits
Traditional endpoint security solutions are increasingly falling prey to highly customized EDR-killer tools. These tools are deployed early in the attack chain, clearing the way for aggressive malware such as MedusaLocker by neutralizing detection and response systems.
Advanced Obfuscation Techniques Enable Covert Activity
The new EDR-killer is built around a heavily obfuscated binary. At runtime, it self-decodes and injects malicious code into legitimate, signed applications. This allows threat actors to fly under the radar of many static and behavioral antivirus engines.
A standout component of the tool is its reliance on compromised or expired code-signing certificates so that its drivers masquerade as legitimately signed. It specifically searches for drivers with five-character, randomized names, using stolen digital signatures to load them into the system undetected.
HeartCrypt Packer-as-a-Service Supercharges Evasion
At the core of this offensive framework lies HeartCrypt—a subscription-based packer-as-a-service developed by RansomHub. HeartCrypt enables multi-stage payload encryption and uses sophisticated resource obfuscation, making traditional malware analysis and signature detection nearly ineffective. Sophos has identified HeartCrypt as the primary packer used across variants of the new EDR killers, underscoring its adoption in the ransomware-as-a-service (RaaS) ecosystem.
All eight known ransomware groups leveraging this EDR killer use HeartCrypt to package unique builds. Differences include renamed kernel drivers, a different set of targeted antivirus vendors, and tweaks to the packing structure. This modularity highlights how attackers customize their strikes while maintaining the same core logic.
BYOVD Exploits Legitimate Drivers With Malicious Intent
A central element of the tool is its use of the Bring Your Own Vulnerable Driver (BYOVD) tactic. This approach involves loading a driver with a known vulnerability into the Windows kernel to disable endpoint protection.
Malicious Drivers Disguise as CrowdStrike, Others
The driver used most frequently in campaigns mimics the legitimate CrowdStrike Falcon Sensor driver and has been nicknamed ‘ABYSSWORKER’ in Medusa ransomware incidents. By abusing trusted security software identities, ransomware groups gain privileged access and manipulate kernel-level operations to eliminate defenses.
Affected security vendors include:
- Sophos
- Microsoft Defender
- Kaspersky
- Symantec
- Trend Micro
- SentinelOne
- Cylance
- McAfee
- F-Secure
- HitmanPro
- Webroot
Once these tools are terminated, attackers deploy ransomware such as MedusaLocker with minimal resistance from the host system.
Real-World Attacks Amplify the Threat of EDR Killers
Several documented attacks illustrate the danger posed by this evolving threat class. In one highlighted case, the attacker exploited a zero-day Remote Code Execution (RCE) vulnerability in the SimpleHelp remote access tool to gain initial access, then deployed the new EDR killer and dropped MedusaLocker ransomware.
Researchers have also identified legitimate applications, like Beyond Compare’s Clipboard Compare utility, trojanized to carry malicious payloads. This shows how adversaries exploit trusted software as vehicles for delivery and execution, making it even more difficult to detect unauthorized behavior.
Collaboration Among Threat Groups Signals Industrialization of Ransomware
What stands out most is the apparent coordination among ransomware operators. The consistent yet uniquely built versions of the EDR killer seen across different groups—combined with shared use of HeartCrypt and the BYOVD technique—point not to a single leaked binary, but to an evolving cyber-crime-as-a-service ecosystem.
This model transforms ransomware deployment into a modular, on-demand service. Adversaries can license proven EDR-killer components and integrate them into broader toolchains, streamlining mass exploitation operations.
Actionable Defense Tactics for Securing Endpoint Environments
Given the increasing sophistication of these EDR-killer tools, defenders must evolve beyond signature-based antivirus and adopt behavioral and memory-based analysis.
Recommended steps include:
- Implement Tamper Protection – Ensure that endpoint protection tools cannot be disabled externally without adequate verification.
- Enable Behavioral Monitoring – Behavioral detection is more effective than static signatures against tools that use runtime decoding and obfuscation.
- Monitor Signed Driver Loads – Alert on any unexpected loading of signed drivers, especially those with generic or randomized names.
- Audit and Limit Privileges – Harden Windows systems by restricting local administrative rights and monitoring role escalation attempts.
- Patch and Update Frequently – Eliminate exploitable software and retire vulnerable or expired signed drivers proactively.
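The driver indicators described earlier (five-character randomized names, expired or stolen signing certificates, drivers impersonating a security vendor's own) and the "Monitor Signed Driver Loads" recommendation above can be turned into a concrete triage rule. The following is an added example and not code from the article or from Sophos: it evaluates constructed Sysmon Event ID 6 (DriverLoad) records, whose real field names are ImageLoaded, Signed, Signature and SignatureStatus, while the driver names, paths and signer strings in the sample data and the VENDOR_SIGNERS table are assumptions to be replaced with values from your own environment's baseline.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for EDR-killer-style driver loads.

Added example, not from the original article. Field names follow Sysmon's
DriverLoad event; all sample values, vendor fragments and signer strings are
constructed placeholders.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Directories from which kernel drivers are normally loaded (lower-cased);
# a driver loaded from anywhere else deserves a look.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Name fragments of security products paired with the signer expected on their
# drivers. Both sides are ASSUMED placeholders: fill them from your baseline.
VENDOR_SIGNERS = {
    "falcon": "crowdstrike, inc.",
    "sophos": "sophos limited",
    "sentinel": "sentinel labs, inc.",
}

FIVE_CHARS = re.compile(r"^[a-z0-9]{5}$")


def looks_randomized(stem: str) -> bool:
    """Heuristic for the five-character randomized names the article describes.

    Many legitimate drivers also have five-letter names (e.g. tcpip), so the
    length alone is not enough: require no vowels, a digit, or a long
    consonant run on top of the length check.
    """
    if not FIVE_CHARS.match(stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    runs = re.findall(r"[^aeiou0-9]+", stem) or [""]
    return vowels == 0 or has_digit or max(len(r) for r in runs) >= 4


def is_trusted_dir(path: str) -> bool:
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def evaluate(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event looks suspicious (empty if none)."""
    reasons: list[str] = []
    path = event["ImageLoaded"]
    stem = PureWindowsPath(path).stem.lower()
    signer = event.get("Signature", "").lower()
    status = event.get("SignatureStatus", "").lower()

    # Expired, revoked or otherwise invalid signatures: the article's stolen/expired certs.
    if event.get("Signed", "").lower() != "true" or status != "valid":
        reasons.append(f"signature not valid (status={event.get('SignatureStatus')})")
    if looks_randomized(stem):
        reasons.append("five-character randomized driver name")
    if not is_trusted_dir(path):
        reasons.append("loaded from outside the usual driver directories")
    # A driver named like a security product but signed by someone else.
    for fragment, expected in VENDOR_SIGNERS.items():
        if fragment in stem and signer != expected:
            reasons.append(f"name resembles a {fragment} driver but signer is "
                           f"'{event.get('Signature')}'")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious driver path to its reasons; clean events are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := evaluate(e))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\xkqzp.sys", "Signed": "true",
     "Signature": "Example Expired Co", "SignatureStatus": "Expired"},
    {"ImageLoaded": r"C:\ProgramData\falconsensor.sys", "Signed": "true",
     "Signature": "Example Leaked Signer", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\falconsensor.sys", "Signed": "true",
     "Signature": "CrowdStrike, Inc.", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against an export of Sysmon DriverLoad events, the legitimate tcpip.sys and the correctly signed vendor driver pass, while the expired five-character driver in a user-writable directory and the vendor-lookalike with a foreign signer are each reported with every matching reason. The randomness heuristic deliberately errs on the side of fewer alerts; the path and signer checks carry the weight, and tuning the allowlists to your own driver baseline is what makes the rule usable day to day.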
In sum, the emergence and adoption of modular, evasive EDR-killing tools represent a major elevation in ransomware capabilities. The tactics used by threat actors are no longer isolated or opportunistic—they are engineered, shared, and optimized across multiple ransomware operations. Understanding these mechanisms and enforcing defensive countermeasures at every security layer is essential to protect against this rising endpoint security threat.