
RansomHub launches brand new EDR-killing BYOVD binary

The RansomHub ransomware gang has introduced a new utility for its attacks that is designed to terminate Endpoint Detection and Response (EDR) processes before they can detect malicious activity.

The binary, aptly named “EDRKillShifter,” is designed to load a legitimate but unpatched vulnerable driver, which can then be exploited for privilege escalation using proof-of-concept exploits available on GitHub, according to the Sophos X-Ops team.

“The execution process of this loader consists of three steps,” Sophos researchers explained in an analysis this week. “The attacker must run EDRKillShifter with a command line that includes a password string. When run with the correct password, the executable decrypts and executes an embedded resource called BIN in memory.”

They added: “The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops one of several different vulnerable legitimate drivers and exploits it to gain sufficient privileges to remove the protections of an EDR tool.”

The findings come at a time when malware aimed at disabling EDR systems is on the rise. For example, AuKill, an EDR killer that Sophos X-Ops found being sold commercially on the dark web last year, has seen an increase in usage. And Terminator, a Bring Your Own Vulnerable Driver (BYOVD) mechanism similar to EDRKillShifter, is gaining popularity because it provides an “all-in-one” EDR bypass, overriding EDR engines from 24 different vendors.

Protection against BYOVD attacks

The BYOVD attack method is not new, and since last year Microsoft has been de-certifying signed drivers known to have been abused in the past. But that doesn't completely solve the problem.

“Installing an older, buggy version of a driver is a well-known, long-used hacking technique,” wrote Roger Grimes, data-driven defense evangelist at KnowBe4, in an emailed statement. “I've used it myself with great success in the 20 years I've been doing penetration testing. And it's very difficult to defend against.”

He explained that it's one thing to keep track of older versions of software and then prevent them from being installed. However, the situation is complicated by the fact that many administrator/user groups intentionally want to keep older software installed due to compatibility and usability issues. Therefore, even an app installer with this kind of tracking functionality would have a hard time keeping up with the changing landscape.

“Keeping track of which software versions and drivers are old and should not be installed would quickly become another problem in tracking the antivirus signature database, as vendors are always behind when it comes to keeping up with the latest developments,” he noted.

With this in mind, Sophos X-Ops recommends that administrators implement strict hygiene measures for Windows security roles to prevent such scenarios.

“This attack is only possible if the attacker elevates the privileges under their control or gains administrative privileges. Separating user and administrative privileges can help prevent attackers from easily loading drivers,” the report said.
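The defender's side of the behaviour described in this article (a signed but vulnerable driver dropped into a user-writable location and loaded, which the privilege separation Sophos recommends is meant to block) can be turned into a simple detection. The following is an added example, not code from the article, from Sophos, or from any RansomHub tooling: it parses constructed Sysmon "Driver loaded" (Event ID 6) records and flags loads whose hash is on a vulnerable-driver blocklist, loads from outside the system driver directory, and loads whose signature status is not valid. The log lines, paths, blocklist entries and hashes are all constructed placeholders (not real IoCs); the field names ImageLoaded, Hashes, Signed, Signature and SignatureStatus follow Sysmon's Event ID 6 layout, while the EventID line and the blank-line-separated text format are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed blocklist with placeholder values (not real hashes or IoCs).
# A real deployment would populate this from Microsoft's vulnerable driver
# blocklist or another curated feed of known-abusable signed drivers.
VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_VULN_DRIVER_A": "placeholder vulnerable driver A",
    "PLACEHOLDER_SHA256_VULN_DRIVER_B": "placeholder vulnerable driver B",
}

# Where properly installed drivers normally live; BYOVD tooling typically
# drops its driver into a user-writable directory instead.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    image: str
    severity: str  # "critical" or "medium"
    reason: str


def parse_sysmon_events(text):
    """Parse 'Key: Value' blocks (Sysmon message layout) separated by blank
    lines and keep only Event ID 6 (Driver loaded) records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                ev[key.strip()] = value.strip()
        if ev.get("EventID") == "6":
            events.append(ev)
    return events


def sha256_of(ev):
    """Pull the SHA256 out of Sysmon's 'Hashes' field ('SHA256=...,MD5=...')."""
    match = re.search(r"SHA256=([^,\s]+)", ev.get("Hashes", ""))
    return match.group(1) if match else None


def analyse(ev):
    """Apply three checks to one driver-load event and return the findings."""
    image = ev.get("ImageLoaded", "")
    findings = []

    digest = sha256_of(ev)
    if digest in VULNERABLE_DRIVER_SHA256:
        findings.append(Finding(image, "critical",
                                "hash on vulnerable-driver blocklist: "
                                + VULNERABLE_DRIVER_SHA256[digest]))

    # A signed driver is not enough on its own: BYOVD relies on legitimately
    # signed but vulnerable drivers, so the load location matters too.
    if not image.lower().startswith(EXPECTED_DRIVER_DIR):
        findings.append(Finding(image, "medium",
                                "driver loaded from outside the system driver directory"))

    if ev.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding(image, "medium",
                                "signature status is " + ev.get("SignatureStatus", "<missing>")))
    return findings


def scan(text):
    findings = []
    for ev in parse_sysmon_events(text):
        findings.extend(analyse(ev))
    return findings


# Constructed sample log: one normal OS driver load, one process-creation
# event (ignored), one BYOVD-style load of a blocklisted signed driver from a
# user-writable path, and one unsigned driver from ProgramData.
SAMPLE_LOG = r"""
EventID: 6
UtcTime: 2024-08-15 10:01:12.000
ImageLoaded: C:\Windows\System32\drivers\disk.sys
Hashes: SHA256=PLACEHOLDER_SHA256_OS_DRIVER,MD5=PLACEHOLDER_MD5
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 1
UtcTime: 2024-08-15 10:02:40.000
Image: C:\Users\Public\Temp\loader.exe

EventID: 6
UtcTime: 2024-08-15 10:02:41.000
ImageLoaded: C:\Users\Public\Temp\legacy.sys
Hashes: SHA256=PLACEHOLDER_SHA256_VULN_DRIVER_A,MD5=PLACEHOLDER_MD5
Signed: true
Signature: Example Hardware Vendor
SignatureStatus: Valid

EventID: 6
UtcTime: 2024-08-15 10:05:00.000
ImageLoaded: C:\ProgramData\tool\helper.sys
Hashes: SHA256=PLACEHOLDER_SHA256_UNKNOWN,MD5=PLACEHOLDER_MD5
Signed: false
SignatureStatus: Unavailable
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.image}: {f.reason}")
```

The hash check is the high-confidence signal; the location and signature checks are deliberately lower severity because some legitimate installers also stage drivers outside System32\drivers, so they are best used to enrich the blocklist hit or to trigger a review rather than an automatic block.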