EDRKillShifter
EDRKillShifter is an EDR-killing utility developed and maintained by the RansomHub ransomware-as-a-service operation and offered to affiliates through its affiliate panel. It was first made available to affiliates on May 8, 2024, and was observed in RansomHub intrusions through 2024, including in August 2024. The tool is widely described as a bring-your-own-vulnerable-driver (BYOVD) loader used to disable endpoint protection before ransomware deployment, and later reporting states that updated or repurposed versions were used by other ransomware groups including Medusa, BianLian, Play, BlackSuit, Qilin, DragonForce, Crytox, Lynx, and INC.
Sophos described EDRKillShifter as a loader executable that requires a unique 64-character command-line password to run. With the correct password, it decrypts an embedded resource named BIN, writes the encrypted BIN data to Config.ini in the execution directory, deletes that file during execution, and uses the SHA-256 hash of the supplied password as the decryption key for later stages. The second stage uses self-modifying code, and the final payload is Go-based and obfuscated, possibly with gobfuscate. The payload embeds a vulnerable driver in its .data section, drops a .sys file with a random filename into \AppData\Local\Temp, creates and starts a Windows service to load the driver, and then enters an endless loop enumerating and terminating processes from a hardcoded target list. One observed variant also accepted an additional "--list" argument to add process names.
Observed driver abuse includes vulnerable drivers identified as RentDrv2 and ThreatFireMonitor. Other reporting on related or evolved builds describes the tool searching for a driver with a hardcoded random five-character name, loading a malicious driver signed with compromised or expired certificates, and using drivers masquerading as legitimate components such as the CrowdStrike Falcon Sensor Driver. Certificates mentioned in reporting on these builds include Changsha Hengxiang Information Technology Co., Ltd. and Fuzhou Dingxin Trade Co., Ltd. A recurring driver filename mraml.sys and service name mraml.exe were also reported in HeartCrypt-packed samples associated with this tooling.
Its purpose is to terminate AV/EDR processes and stop security-related services on Windows systems. Reported targets across samples include products from Sophos, Microsoft (Defender), SentinelOne, Symantec, Trend Micro, Bitdefender, Cylance, ESET, F-Secure, Fortinet, HitmanPro, Kaspersky, McAfee, and Webroot. Specific process names mentioned include MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe.
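The behaviours described in the preceding paragraphs (a loader started with a long password argument, a Config.ini written and deleted beside it, a randomly named .sys dropped into the user's Temp directory, a service created to load it, and security processes then being killed) are individually noisy but rarely co-occur on one host within minutes. The script below is an added example, not code from the original page nor from Sophos or any other vendor: it encodes those behaviours as signals and correlates them per host over a short window. The telemetry record layout, field names, host names, paths, timestamps and the sample events are all constructed for this demonstration and must be mapped onto your own schema (for Sysmon, process create is event 1, file create is 11, process terminate is 5; a service installation lands in the System log as event 7045). The assumption that the password is a single whitespace-delimited 64-character token is also the author's, not the reporting's.

```python
"""Correlate EDRKillShifter-style BYOVD loader behaviours in host telemetry.

Added example for this page. Record shapes and sample events are constructed;
adapt the field names to the SIEM schema you actually have.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A .sys file anywhere under the per-user Temp directory (reported drop location).
TEMP_SYS = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.sys$", re.IGNORECASE)
# Assumption: the 64-character password is one whitespace-delimited token.
PASSWORD_ARG = re.compile(r"(?<!\S)\S{64}(?!\S)")
# Process names named in the reporting on this family.
TARGET_PROCS = {"msmpeng.exe", "sophoshealth.exe", "savservice.exe", "sophosui.exe"}
# Signals that turn a cluster of weak hints into a BYOVD chain.
DRIVER_SIGNALS = {"temp_driver_drop", "service_loads_temp_driver"}
WINDOW = timedelta(minutes=10)


def score_event(ev):
    """Return a list of (signal, detail) pairs for one telemetry record."""
    signals = []
    kind = ev["type"]
    if kind == "process_create":
        cmdline = ev.get("cmdline", "")
        if PASSWORD_ARG.search(cmdline):
            signals.append(("long_password_arg", cmdline))
        if "--list" in cmdline:
            signals.append(("list_arg", cmdline))
    elif kind == "file_create":
        path = ev["path"]
        if path.lower().endswith("\\config.ini"):
            signals.append(("config_ini_drop", path))
        if TEMP_SYS.search(path):
            signals.append(("temp_driver_drop", path))
    elif kind == "service_install":
        if TEMP_SYS.search(ev["image_path"]):
            signals.append(("service_loads_temp_driver", ev["image_path"]))
    elif kind == "process_terminate":
        if ev["target"].lower() in TARGET_PROCS:
            signals.append(("security_process_killed", ev["target"]))
    return signals


def hunt(events, window=WINDOW, min_signals=3):
    """Per host, alert when at least `min_signals` distinct signals fall inside
    `window` and at least one of them is a driver-from-Temp signal."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for sig, detail in score_event(ev):
            by_host[ev["host"]].append((ev["ts"], sig, detail))

    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            kinds = {h[1] for h in in_window}
            if len(kinds) >= min_signals and kinds & DRIVER_SIGNALS:
                alerts.append({"host": host, "first_seen": t0,
                               "signals": sorted(kinds),
                               "evidence": [h[2] for h in in_window]})
                break  # one alert per host is enough for triage
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": _ts("2024-08-01T10:00:00"), "type": "process_create",
     "cmdline": "Loader.exe " + "a1" * 32},
    {"host": "WS01", "ts": _ts("2024-08-01T10:00:02"), "type": "file_create",
     "path": "C:\\Users\\u\\Downloads\\Config.ini"},
    {"host": "WS01", "ts": _ts("2024-08-01T10:00:05"), "type": "file_create",
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\kqzpw.sys"},
    {"host": "WS01", "ts": _ts("2024-08-01T10:00:06"), "type": "service_install",
     "image_path": "C:\\Users\\u\\AppData\\Local\\Temp\\kqzpw.sys"},
    {"host": "WS01", "ts": _ts("2024-08-01T10:00:09"), "type": "process_terminate",
     "target": "MsMpEng.exe"},
    {"host": "WS02", "ts": _ts("2024-08-01T11:00:00"), "type": "file_create",
     "path": "C:\\Program Files\\App\\Config.ini"},
    {"host": "WS02", "ts": _ts("2024-08-01T11:00:01"), "type": "service_install",
     "image_path": "C:\\Windows\\System32\\drivers\\netio.sys"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], alert["signals"])
```

The driver-from-Temp requirement is what keeps the rule usable: a lone Config.ini write or a long base64-looking argument will match constantly in a real estate, whereas a kernel driver being registered from a user's Temp directory is almost never legitimate. Tune `WINDOW` to how quickly your telemetry arrives, and treat `--list` as a weak corroborating signal rather than a trigger on its own.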
EDRKillShifter has been linked to ransomware intrusion chains in which the EDR killer is executed before the ransomware payload. Reporting ties it to RansomHub intrusions and, through updated builds, to activity by the other groups listed above (Play, Medusa, BianLian, BlackSuit, Qilin, DragonForce, Crytox, Lynx, and INC). In one failed RansomHub attack analyzed by Sophos, EDRKillShifter was used in an attempt to disable Sophos protections before ransomware execution, but Sophos blocked both the defense-evasion attempt and the subsequent ransomware activity. Sophos detects the tool as Troj/KillAV-KG.
Known sample hashes reported for this family include SHA-256 451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60 and d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0, and SHA-1 bf84712c5314df2aa851b8d4356ea51a9ad50257, 77daf77d9d2a08cc22981c004689b870f74544b5, 2bc75023f6a4c50b21eb54d1394a7b8417608728, and 21a9ca6028992828c9c360d752cb033603a2fd93. Associated infrastructure mentioned includes 45.32.206[.]169 and 45.32.210[.]151.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories:
BadRentdrv2: a BYOVD proof of concept that exploits the rentdrv2 driver vulnerability (CVE-2023-44976). It supports both x32 and x64 and can terminate EDR/AV processes by a specified PID. Its abuse has also been confirmed in the EDRKillShifter tooling used by RansomHub and others.
Groups observed using it
Three distinct threat actors have been attributed by public researchers. Supporting excerpts:
For comparison, ESET notes that RansomHub, another prominent RaaS operation, built a single in-house EDR killer (EDRKillShifter) for affiliate use via its affiliate panel.
RansomHub's EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator.
Water Bakunawa uses EDRKillShifter to evade detection and disrupt security monitoring processes.
Techniques & procedures
20 distinct techniques are documented for this family, organized by ATT&CK tactic. Where the sources give supporting excerpts, they are quoted under the tactic.
Resource Development: 2 techniques
Execution: 3 techniques
"execute EDRKillShifter with a command line that includes a password string"; "can also receive an additional command line argument '--list'"
Persistence: 2 techniques
Privilege Escalation: 2 techniques
Stealth (Defense Evasion): 6 techniques
"Commercial EDR killers especially use obfuscation and encryption (e.g., CardSpaceKiller)."
"The original filename is Loader.exe and its product name is ARK-Game. (Some members of the research team speculated that the threat actor tries to masquerade the final payload as a popular computer game named ARK: Survival Evolved.)"
"It also copies that data into a new file named Config.ini and writes that file to the same filesystem location where the binary was executed... The malware then deletes the config.ini file"
"When run with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory."
Discovery: 1 technique
Collection: 1 technique
Command and Control: 1 technique
Impact: 1 technique
Other: 2 techniques
Recent activity
16 sources are tracked across advisories, community write-ups, and news. Recent source summaries:
An in-house EDR killer associated with the RansomHub RaaS operation, mentioned for comparison with Gentlemen's broader tooling portfolio.
An in-house EDR killer developed by RansomHub and offered to affiliates, mentioned as a comparison point to Gentlemen's broader EDR-killer portfolio.
EDR killer designed to disable endpoint detection and response tools; noted for password-protecting key code sections.
EDR killer developed by RansomHub operators and provided to affiliates; used to disable or impair endpoint defenses before ransomware deployment.