Dive Brief
- Ransomware actors are increasingly abusing vulnerable drivers to craft tools known as "EDR killers," which can disrupt and even delete endpoint detection and response products in enterprise networks, according to an ESET report published Wednesday.
- Threat actors abuse vulnerable drivers because such drivers run with kernel privileges, which lets attackers terminate the processes of security products such as EDR agents before those products can detect malicious activity.
- ESET researchers analyzed a custom tool called "EDRKillShifter," which was developed and maintained by the notorious RansomHub ransomware gang and is now available on the dark web. The researchers observed an increase in the use of EDRKillShifter among other ransomware-as-a-service gangs such as Play, Medusa and BianLian.
Dive Insight:
EDR killers have become increasingly popular and effective tools for ransomware-as-a-service affiliates, especially EDRKillShifter. "However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates," ESET malware researchers Jakub Souček and Jan Holman wrote in the report.
Because EDR platforms can effectively identify and stop encryptors in ransomware payloads, affiliates rely on these tools to bypass detection, which poses challenges for both security vendors and enterprise security teams. Souček and Holman said ESET flags vulnerable drivers abused by EDR killers as potentially unsafe programs, which can prevent them from loading, and recommended that organizations follow suit.
The researchers noted that there are more than 1,700 vulnerable drivers in a database maintained by the Living Off The Land Drivers project. However, Souček and Holman said just a handful of these drivers are used for EDR killers, and the number that are abused is relatively fixed.
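One way for a defensive team to act on the recommendation above is to compare the hashes of drivers present on a host against the Living Off The Land Drivers list. The script below is an added illustration, not code from ESET or the LOLDrivers project; it assumes the JSON export has the shape of loldrivers.io's published `drivers.json` (a list of entries, each with an `Id` and a `KnownVulnerableSamples` array carrying `SHA256` values), and the entry and hash it embeds are constructed placeholders rather than real driver data.

```python
"""Match driver files against a LOLDrivers-style vulnerable-driver list by SHA256.

Added example (not ESET's or LOLDrivers' own code). The JSON schema used here
is an assumption modeled on the loldrivers.io drivers.json export; the sample
entry, driver bytes and hash are constructed for the demonstration.
"""
import hashlib
import json
from pathlib import Path

# Constructed stand-in for a driver image; its hash is inserted into the
# constructed list below so the example resolves offline.
SAMPLE_DRIVER_BYTES = b"MZ\x90\x00constructed-sample-driver-image"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DRIVER_BYTES).hexdigest()

# Constructed list in the assumed loldrivers.io shape (hash stored upper-case
# on purpose so the normalisation in build_hash_index is exercised).
LOLDRIVERS_JSON = json.dumps([
    {
        "Id": "constructed-0001",
        "Category": "vulnerable driver",
        "KnownVulnerableSamples": [
            {"Filename": "example.sys", "SHA256": SAMPLE_SHA256.upper()},
        ],
    },
])


def build_hash_index(loldrivers_json: str) -> dict:
    """Map lower-case SHA256 -> entry Id for every known vulnerable sample."""
    index = {}
    for entry in json.loads(loldrivers_json):
        for sample in entry.get("KnownVulnerableSamples", []):
            digest = sample.get("SHA256")
            if digest:
                index[digest.strip().lower()] = entry["Id"]
    return index


def sha256_file(path) -> str:
    """Stream a file through SHA256 so large driver images do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_driver_bytes(data: bytes, index: dict):
    """Return the matching list entry Id for an in-memory driver image, or None."""
    return index.get(hashlib.sha256(data).hexdigest())


def scan_directory(directory, index: dict) -> dict:
    """Return {file path: entry Id} for every *.sys file whose hash is listed."""
    hits = {}
    for path in sorted(Path(directory).glob("*.sys")):
        entry_id = index.get(sha256_file(path))
        if entry_id:
            hits[str(path)] = entry_id
    return hits


if __name__ == "__main__":
    # Typical use: point at the directory where drivers are staged or installed.
    idx = build_hash_index(LOLDRIVERS_JSON)
    for file_path, entry in scan_directory(".", idx).items():
        print(f"known vulnerable driver: {file_path} (LOLDrivers entry {entry})")
```

A hash match is a high-confidence indicator, but it is only as current as the list you feed it; refresh the export regularly, and treat a driver that is merely unfamiliar as a question for your allow-list policy rather than a clean result.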
But identifying and stopping vulnerable drivers is still a challenge. According to ESET's report, EDR killers often use obfuscated code to avoid early detection. Additionally, the researchers noted that RansomHub's EDRKillShifter has shellcode protected by a 64-character password.
"Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver," they wrote in the report.
As a result of EDRKillShifter's effectiveness, a growing number of affiliates with rival ransomware gangs have deployed the tool in attacks since it was offered as a service on the dark web last year. In fact, ESET researchers said they saw a "steep increase" in activity following the release.