Shared secret: EDR killer in the kill chain
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
This intelligence report analyzes a sophisticated tool designed to disable endpoint security solutions, particularly EDR systems, on infected hosts. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected, targets various security vendors, and uses a driver with a compromised certificate to terminate processes and services. The report details the tool's characteristics and its connection to ransomware attacks, and provides examples of its use in specific ransomware families. Notably, the report highlights evidence of tool sharing and technical knowledge transfer among competing ransomware groups, suggesting a more complex ecosystem than previously thought.
OPENCTI LABELS:
ransomware, ransomhub, edr, blacksuit, qilin, compromise, dragonforce, medusalocker, lynx, driver, heartcrypt, avkiller, inc, crytox, threat-sharing