New EDR-Killing Malware Shared by Multiple Ransomware Groups

A new Endpoint Detection and Response (EDR) disabling tool, believed to be an upgraded version of the "EDRKillShifter" tool created by RansomHub, has been deployed by at least eight ransomware gangs, including BlackSuit, Medusa, Qilin, and DragonForce.
The malware is designed to shut down security software on compromised systems, allowing attackers to escalate privileges, move laterally, and encrypt data without detection.

It runs as an obfuscated binary that self-decodes at runtime, injects into a legitimate application, and then looks for a hardcoded driver that carries a digital signature, often one that was stolen or has since expired.
Once found, it performs a Bring Your Own Vulnerable Driver (BYOVD) attack to gain kernel-level privileges and disable processes from well-known security vendors such as Microsoft Defender, Sophos, Kaspersky, and SentinelOne.

The malicious driver disguises itself as legitimate software, like CrowdStrike Falcon Sensor, before terminating security services.
Although variants differ in targeted antivirus products and driver names, they all use the HeartCrypt packer, suggesting coordinated development and sharing between different ransomware operators.
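The behaviour described above (a signed but stolen or expired driver, loaded from an unusual location, sometimes carrying a security vendor's name) leaves a footprint in driver-load telemetry. The following added example, which is not from the article or from any vendor's product, triages Sysmon Event ID 6 (DriverLoad) style records. The log lines are constructed for the demo; the field names follow Sysmon's DriverLoad event (ImageLoaded, Signed, Signature, SignatureStatus), while the vendor keyword list and the "trusted driver directory" list are assumptions you would tune to your own environment.

```python
"""Triage driver-load events for BYOVD-style indicators.

Added defensive example (not code from the article or any vendor). The sample
events below are constructed; the pipe-separated key=value layout is a
simplification of Sysmon Event ID 6 output for readability.
"""

# Assumption: vendor keywords taken from the products named in the article.
SECURITY_VENDORS = ("crowdstrike", "falcon", "defender", "sophos",
                    "kaspersky", "sentinelone")

# Assumption: directories from which legitimate drivers are normally loaded.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
EventID=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=6|ImageLoaded=C:\Users\Public\falcon_sensor.sys|Signed=true|Signature=Constructed Expired Publisher|SignatureStatus=Expired
EventID=6|ImageLoaded=C:\Windows\Temp\drv.sys|Signed=false|Signature=|SignatureStatus=Unsigned
EventID=6|ImageLoaded=C:\Windows\System32\drivers\disk.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Image=C:\Windows\System32\svchost.exe
"""


def parse_event(line: str) -> dict:
    """Turn one 'k=v|k=v' record into a dict; unknown fragments are ignored."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def assess_driver_load(event: dict) -> list:
    """Return a list of human-readable findings for a DriverLoad event.

    An empty list means nothing looked suspicious. Non-DriverLoad events
    (EventID != 6) are skipped.
    """
    findings = []
    if event.get("EventID") != "6":
        return findings

    path = event.get("ImageLoaded", "").lower()
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "").lower()
    name = path.rsplit("\\", 1)[-1]

    # Stolen, revoked or expired certificates show up as a non-Valid status.
    if event.get("Signed", "").lower() != "true" or status != "Valid":
        findings.append(f"signature not valid ({status or 'missing'})")

    # Drivers dropped by an attacker tend to load from user-writable paths.
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        findings.append("loaded from outside standard driver directories")

    # A security-vendor name on an otherwise suspicious driver suggests
    # impersonation of a legitimate sensor rather than a real one.
    if findings and any(v in name or v in signer for v in SECURITY_VENDORS):
        findings.append("security-vendor name on a suspicious driver "
                        "(possible impersonation)")
    return findings


def triage(log_text: str) -> list:
    """Run assess_driver_load over every line; return (path, findings) pairs."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = assess_driver_load(event)
        if findings:
            results.append((event.get("ImageLoaded", "?"), findings))
    return results


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_EVENTS):
        print(path)
        for f in findings:
            print("  -", f)
```

In production you would feed this from your SIEM's DriverLoad stream and add the hash field to a lookup against a known-vulnerable-driver list; the signature-status and load-path checks alone already separate the two constructed bad loads from the two normal ones.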

Sophos researchers believe the tool is built on a shared framework rather than leaked code, meaning each group uses its own customized version.
Similar EDR-killing utilities, such as AuKill and AvNeutralizer, have also been sold or reused across ransomware groups in recent years.
