Multiple Threat Groups Using New EDRKillShifter Builds

Researchers recently identified multiple threat groups using updated versions of the EDRKillShifter tool. Developed by the RansomHub ransomware group, EDRKillShifter emerged in 2024 and employs a technique known as Bring Your Own Vulnerable Driver (BYOVD), in which a legitimate driver with known vulnerabilities is installed and exploited to gain kernel-level privileges. With EDRKillShifter, these privileges were ultimately used to disable endpoint detection and response (EDR) software protection on a target organization’s systems. Now, separate ransomware groups are leveraging individual builds of the original EDRKillShifter tool.

What’s Notable and Unique

  • At least eight distinct ransomware groups are using newer EDRKillShifter builds, including BlackSuit, RansomHub, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC Ransom. However, RansomHub no longer appears to be operating, and law enforcement recently announced the takedown of BlackSuit’s infrastructure.
  • While these new builds of the original EDRKillShifter appear to be unique variations, they all use HeartCrypt, a subscription-based packer-as-a-service.
  • Like EDRKillShifter, these new versions can target numerous EDR platforms, including Bitdefender, Cylance, Fortinet, McAfee, Microsoft, SentinelOne, and Sophos.

Analyst Comments

Since at least 2024, threat actors have increasingly used tools designed to evade or disable EDR products, and the evolution of EDRKillShifter is yet another example of this. The number of separate threat groups using variations of the original EDRKillShifter also illustrates how complex and interconnected the cybercriminal ecosystem can be. With the abrupt shuttering of RansomHub’s entire infrastructure in early April, many ex-RansomHub affiliates have reportedly moved over to ransomware operations like Qilin and DragonForce, so it isn’t unexpected that those groups are using variations of RansomHub’s EDRKillShifter tool. The other groups identified could also indicate where other ex-RansomHub affiliates moved to, and some of those groups, such as INC Ransom and Lynx, are already known to have similarities in their code, tools, and infrastructure.

As EDR solutions become more effective in detecting and preventing cyberattacks, threat actors will continue to adapt EDR evasion tools. Implementing behavioral protection rules and blocking the download of system-level drivers within EDRs can help mitigate these threats. It is also crucial that organizations keep their systems updated and maintain adequate separation between user and admin privileges to limit threat actors’ ability to install vulnerable drivers.
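The mitigations above are a policy statement; the following is an added example (not from the article or the research it cites) of the kind of behavioral rule a defender can run over driver-load telemetry to spot the BYOVD step before an EDR killer gets kernel access. It assumes driver-load events have been exported from Sysmon (Event ID 6, fields ImageLoaded, Hashes, Signature, SignatureStatus) as one JSON object per line, and that the organisation maintains its own block list of driver hashes; the hashes, paths and events below are constructed for illustration and are not indicators from the article.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 records.

Added defensive example. Assumes JSON-per-line Sysmon driver-load events and a
locally maintained SHA256 block list. All hashes and events are constructed.
"""
import json
import re

# Constructed block list: SHA256 values of drivers that must never load
# (an organisation would populate this from a vendor driver block list).
BLOCKED_SHA256 = {
    "deadbeef" * 8,  # placeholder, not a real driver hash
}

# A legitimate kernel driver should not be loading from these locations.
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\|C:\\Windows\\Temp\\|C:\\ProgramData\\|C:\\Temp\\)",
    re.IGNORECASE,
)


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algorithm: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(event):
    """Return the reasons a driver-load event is suspicious (empty list = benign)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    hashes = parse_hashes(event.get("Hashes", ""))
    # A signed-but-vulnerable driver (the BYOVD case) is only caught by its hash,
    # because its signature is genuine, so the hash check comes first.
    if hashes.get("SHA256") in BLOCKED_SHA256:
        reasons.append("hash on driver block list")
    if USER_WRITABLE.match(path):
        reasons.append("driver loaded from user-writable path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def scan(lines):
    """Parse JSON events, keep only driver loads (EventID 6), return flagged ones."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 6:
            continue
        reasons = classify(ev)
        if reasons:
            flagged.append((ev.get("ImageLoaded", ""), reasons))
    return flagged


# Constructed sample telemetry (not real events). Raw strings keep the JSON
# backslash escapes intact.
SAMPLE_EVENTS = [
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", '
    r'"Hashes": "SHA256=' + "ab" * 32 + r',MD5=' + "cd" * 16 + r'", '
    r'"Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
    # Signed vendor driver with a block-listed hash, dropped into a user directory.
    r'{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\Temp\\legacy.sys", '
    r'"Hashes": "SHA256=' + "deadbeef" * 8 + r'", '
    r'"Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"}',
    # Not a driver load; must be ignored.
    r'{"EventID": 7, "ImageLoaded": "C:\\Users\\Public\\Temp\\legacy.dll", '
    r'"Hashes": "SHA256=' + "ef" * 32 + r'", "SignatureStatus": "Valid"}',
    # System path but signature could not be verified.
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\odd.sys", '
    r'"Hashes": "SHA256=' + "12" * 32 + r'", "SignatureStatus": "Unavailable"}',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

Run against a real export, the path and signature checks catch drivers dropped by an installer into user-writable locations, while the hash check is what catches the harder case this article describes: a legitimately signed driver with known vulnerabilities, which passes signature validation and is only recognisable by its hash.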

Sources

Shared secret: EDR killer in the kill chain