Advisory on New Endpoint Detection and Response (EDR) Killer Tool Used by Multiple Ransomware Groups
16 August 2025
There have been reports of a new malicious tool, known as Endpoint Detection and Response (EDR) killer, being actively used by at least eight ransomware groups to disable EDR solutions.
Background
There have been reports of a new malicious tool, known as Endpoint Detection and Response (EDR) killer, being actively used by at least eight ransomware groups (Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC) to disable EDR solutions. The EDR killer is believed to be an evolution of the “EDRKillShifter” developed by RansomHub. It enables ransomware operators to bypass traditional endpoint defences and significantly reduces the effectiveness of security tools.
Ransomware groups have been observed to utilise customised builds of the tool, all of which were packed using the subscription-based HeartCrypt packer-as-a-service. In one instance, a threat actor was suspected to have exploited a zero-day Remote Code Execution (RCE) vulnerability in SimpleHelp to gain initial access to the system before deploying MedusaLocker ransomware.
How does the EDR Killer Work?
The EDR killer is built to disable or evade endpoint protection systems, particularly EDR solutions, before ransomware or other malware is deployed. By removing endpoint visibility and disabling security controls, the EDR killer creates a “blind spot” allowing threat actors to operate without alerting the defenders.
Key technical characteristics observed include:
BYOVD Technique: Uses a Bring-Your-Own-Vulnerable-Driver approach to load a vulnerable and digitally signed driver that can operate with kernel-level privileges.
Driver Name Randomisation: Generates drivers with random five-character names, often signed with stolen or expired code-signing certificates.
Security Tool Termination: Specifically searches for and forcibly stops EDR/anti-virus processes and services running on the endpoint.
Self-Unpacking Capability: Delivers a packed binary (using HeartCrypt) that decrypts and executes its payload in memory to evade detection.
Collaborative Development: The tool is shared across multiple ransomware groups through what appears to be a shared, collaborative development framework. This suggests that the tool did not leak from a single source and was then passed between ransomware groups.
How to Detect EDR Killers?
Organisations should remain vigilant and monitor for the following suspicious indicators typically associated with EDR killers:
Behavioral Monitoring: Implement monitoring that goes beyond traditional signatures to detect suspicious process termination patterns, unusual API calls targeting security services, and attempts to disable logging or telemetry. Advanced EDR killers can enumerate running processes, identify EDR-related services, and terminate or suspend them using API calls.
Driver and Memory Analysis: Monitor driver loading activities, implement driver allow lists, and deploy memory protection mechanisms that can detect fileless attacks and memory manipulation attempts, as many EDR killers abuse legitimate but vulnerable drivers to gain kernel-level access.
Network and System Telemetry: Maintain logging systems that operate independently of endpoint agents, including network-based detection, centralised logging infrastructure, and cloud-based security monitoring that cannot be easily disabled by local EDR killers.
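As an added illustration of the behavioural and driver monitoring described above (this is example code written for this advisory, not a tool from Sophos or any EDR vendor), the script below runs two checks over constructed Sysmon-style events: a driver load with a random five-character name, a path outside the system driver directory, or a non-valid signature status; and a burst of security-tool process terminations within a short window. The event layout, the process-name fragments and the thresholds are assumptions for the example.

```python
import os
import re
from typing import Dict, List

# Constructed Sysmon-style events (EID 6 = driver loaded, EID 5 = process
# terminated). Field names are simplified and every value is made up.
SAMPLE_EVENTS = [
    {"eid": 6, "t": 90, "image": r"C:\Windows\Temp\qzxvk.sys", "sig_status": "Expired"},
    {"eid": 5, "t": 100, "image": r"C:\Program Files\Vendor\EDR\edr_agent.exe"},
    {"eid": 5, "t": 101, "image": r"C:\Program Files\Vendor\EDR\edr_sensor.exe"},
    {"eid": 5, "t": 102, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"eid": 5, "t": 103, "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 6, "t": 500, "image": r"C:\Windows\System32\drivers\ndis.sys", "sig_status": "Valid"},
]

# Random five-character driver name, as described in the advisory.
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{5}\.sys$", re.I)
# Illustrative EDR/AV process-name fragments (assumed); a real deployment
# would list the exact image names of its own agents instead.
SECURITY_PROC = re.compile(r"msmpeng|edr_|sensor", re.I)
DRIVER_DIR = r"c:\windows\system32\drivers"


def driver_findings(ev: Dict) -> List[str]:
    """Reasons an EID 6 driver-load event looks like BYOVD staging."""
    path = ev["image"]
    name = os.path.basename(path.replace("\\", "/"))  # Windows paths on any host OS
    reasons = []
    if RANDOM_DRIVER.match(name):
        reasons.append("random five-character driver name")
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    if ev.get("sig_status", "").lower() != "valid":
        reasons.append(f"signature status {ev.get('sig_status', 'unknown')}")
    return reasons


def termination_burst(events: List[Dict], window: int = 60, threshold: int = 2) -> List[str]:
    """Security-tool processes terminated within `window` seconds of each other."""
    hits = sorted((e["t"], e["image"]) for e in events
                  if e["eid"] == 5 and SECURITY_PROC.search(e["image"]))
    for i in range(len(hits)):
        burst = [img for t, img in hits[i:] if t - hits[i][0] <= window]
        if len(burst) >= threshold:
            return burst
    return []


def analyse(events: List[Dict]) -> Dict:
    """Collect both kinds of findings; an empty value means nothing was flagged."""
    drivers = {e["image"]: driver_findings(e) for e in events if e["eid"] == 6}
    return {"suspicious_drivers": {p: r for p, r in drivers.items() if r},
            "termination_burst": termination_burst(events)}
```

In the sample data only the temp-directory driver and the three agent terminations are flagged; the signed in-box driver and the unrelated process exit are not.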
How to Protect Your Organisation?
Organisations are recommended to adopt the following measures to protect against EDR killer-based attacks:
Harden Driver Loading Controls
Block or restrict the loading of unsigned and untrusted drivers.
Enable Microsoft’s Kernel Mode Code Signing (KMCS) enforcement.
Enable Anti-Tamper Protections and Hardening of EDR Solutions
Enable tamper protection features, implement kernel-level protections, and use EDR solutions with self-protection capabilities that resist termination attempts. This will prevent threat actors from disabling the EDR and ensure that the EDR is capable of detecting malicious code that abuses vulnerable drivers before executing sensitive routines such as RegisterExtraHop.
Patch and Update Regularly
Apply all OS, driver, and security software updates promptly.
Update remote access tools and review access controls.
Hunt for Known Indicators
Track and block known malicious hashes, certificate fingerprints, and driver name patterns associated with the EDR killer. A list of known IOCs is available at https://github.com/sophoslabs/IoCs/blob/master/06082025-edrkiller-iocs.csv
Restrict Privileged Access
Limit administrator privileges and enforce strict access controls on the basis of the principle of least privilege, to limit user and system access to only what is necessary for their roles.
Conclusion
The new EDR killer tool represents an advancement in the Tactics, Techniques and Procedures used by ransomware operators, allowing them to evade one of the most critical security layers. Its widespread use across multiple ransomware groups, coupled with advanced packing and driver exploitation techniques, underscores the growing sophistication of cybercrime. All organisations are urged to proactively strengthen their endpoint security, ensure rapid detection of suspicious activity, and remediate incidents promptly.
More information is available here:
https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/