Sign up to save your podcasts
Or
Share EDR Killer - Ransomware’s First Strike
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
EDR Killer - Ransomware’s First Strike
"Send me a quick text"
This episode examines a stealthy pre-ransomware technique where attackers use a custom-built EDR killer paired with a malicious, kernel-level driver to disable endpoint protections. The driver is signed with stolen or revoked certificates, giving it full control over the operating system. Once loaded, it terminates processes from leading security vendors before ransomware deployment. The same method has been observed across multiple ransomware families, including RansomHub, MedusaLocker, INC, Qilin, and Dragonforce, often wrapped with the HeartCrypt packer-as-a-service.
Defensive Recommendations
- Block unsigned or revoked driver loading: Use modern Windows features like HVCI (Hypervisor-Protected Code Integrity) or Memory Integrity to prevent untrusted drivers from loading into kernel space.
- Monitor driver installation behavior: Alert on creation of driver files with unusual names (e.g., five random characters ending in .sys) or installation of drivers from uncommon vendors.
- Enable Certificate Revocation Checking: Ensure that Windows is actively verifying certificate revocation status before allowing drivers to load.
- Behavioral detection over signature-based rules: Focus on detecting the sequence — a signed driver load followed by mass security process termination — rather than static IOCs.
- Alert on attempts to stop key processes: Monitor for kill attempts against critical EDR and AV services such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, SophosUI.exe, etc.
- Apply Anti-Tampering policies: Ensure endpoint protection solutions have tamper protection fully enabled to resist unauthorized shutdown.
Artifacts, Files, and Configurations
- Driver Files:
- Example name: mraml.sys
- SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93
- Known to be signed with revoked certificates from vendors like “Changsha Hengxiang Information Technology Co., Ltd.” or “Fuzhou Dingxin Trade Co., Ltd.”
- Main Payload:
- Example filename: uA8s.exe
- SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728
- Often injected into legitimate software like Clipboard Compare from Beyond Compare
- Protected using HeartCrypt packer-as-a-service
- Observed Process Termination Targets:
- MsMpEng.exe, SophosHealth.exe, SAVService.exe, sophosui.exe
- Other security vendors targeted include: Bitdefender, Cylance, F-Secure, Fortinet, HitManPro, Kaspersky, McAfee, SentinelOne, Symantec, Trend Micro, Webroot
- Example Paths & Behavior:
- Malicious driver path: C:\ProgramData\noedt.sys
- Driver loads immediately before ransomware execution
- Process hollowing and shellcode injection techniques observed (e.g., HollowProcessGuard, DynamicShellcode)
Support the show
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.
View all episodes
By Meni Tasa"Send me a quick text"
This episode examines a stealthy pre-ransomware technique where attackers use a custom-built EDR killer paired with a malicious, kernel-level driver to disable endpoint protections. The driver is signed with stolen or revoked certificates, giving it full control over the operating system. Once loaded, it terminates processes from leading security vendors before ransomware deployment. The same method has been observed across multiple ransomware families, including RansomHub, MedusaLocker, INC, Qilin, and Dragonforce, often wrapped with the HeartCrypt packer-as-a-service.
Defensive Recommendations
- Block unsigned or revoked driver loading: Use modern Windows features like HVCI (Hypervisor-Protected Code Integrity) or Memory Integrity to prevent untrusted drivers from loading into kernel space.
- Monitor driver installation behavior: Alert on creation of driver files with unusual names (e.g., five random characters ending in .sys) or installation of drivers from uncommon vendors.
- Enable Certificate Revocation Checking: Ensure that Windows is actively verifying certificate revocation status before allowing drivers to load.
- Behavioral detection over signature-based rules: Focus on detecting the sequence — a signed driver load followed by mass security process termination — rather than static IOCs.
- Alert on attempts to stop key processes: Monitor for kill attempts against critical EDR and AV services such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, SophosUI.exe, etc.
- Apply Anti-Tampering policies: Ensure endpoint protection solutions have tamper protection fully enabled to resist unauthorized shutdown.
Artifacts, Files, and Configurations
- Driver Files:
- Example name: mraml.sys
- SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93
- Known to be signed with revoked certificates from vendors like “Changsha Hengxiang Information Technology Co., Ltd.” or “Fuzhou Dingxin Trade Co., Ltd.”
- Main Payload:
- Example filename: uA8s.exe
- SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728
- Often injected into legitimate software like Clipboard Compare from Beyond Compare
- Protected using HeartCrypt packer-as-a-service
- Observed Process Termination Targets:
- MsMpEng.exe, SophosHealth.exe, SAVService.exe, sophosui.exe
- Other security vendors targeted include: Bitdefender, Cylance, F-Secure, Fortinet, HitManPro, Kaspersky, McAfee, SentinelOne, Symantec, Trend Micro, Webroot
- Example Paths & Behavior:
- Malicious driver path: C:\ProgramData\noedt.sys
- Driver loads immediately before ransomware execution
- Process hollowing and shellcode injection techniques observed (e.g., HollowProcessGuard, DynamicShellcode)
Support the show
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.