New Hacking Tool Lets Ransomware Groups Disable Security Systems

The new tool is heavily disguised to make it difficult for security software to spot.

Cybersecurity experts have discovered a new malicious tool designed to shut down computer security programs, allowing hackers to attack systems without being detected. The tool, which appears to be an updated version of an older program called EDRKillShifter, is being used by at least eight separate ransomware gangs.

According to researchers at Sophos, the groups using it include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. These criminal gangs use such programs to disable antivirus and Endpoint Detection and Response (EDR) systems, the software meant to detect and stop cyberattacks. Once these protections are switched off, hackers can install ransomware, steal data, move through the network, and lock down devices.


How the Tool Works

The tool is heavily obfuscated so that security software has difficulty recognising it. It starts by running scrambled code that “unlocks” itself only while running, then hides inside legitimate applications to avoid suspicion.

Next, it looks for a specific type of computer file called a driver. The driver is usually digitally signed, meaning it appears to be safe software from a trusted company, but in this case the signature is stolen or outdated. If the driver’s name matches one hidden in the tool’s code, the hackers load it into the computer’s operating system.

This technique is called a “Bring Your Own Vulnerable Driver” (BYOVD) attack. By using a driver with security weaknesses, the hackers gain deep control of the system, including the ability to shut down security tools.

The driver pretends to be a legitimate file, sometimes even mimicking trusted products like the CrowdStrike Falcon Sensor Driver. Once active, it terminates the processes and services of security products from well-known vendors such as Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee, F-Secure, and others.
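As a defender-side illustration of the driver checks described above, here is an added Python example (not Sophos’s tooling or code from this page) that scores Sysmon DriverLoad (Event ID 6) records for the three warning signs this section names: a signature that is no longer valid, a hash on a vulnerable-driver blocklist, and a file name that imitates a security product’s driver but carries the wrong signer. The sample events, the blocklist digest and the csagent/CrowdStrike signer mapping are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample events in Sysmon's "Field: value" text form (not real telemetry).
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\nHashes: SHA256=AAAA1111\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    # File name imitates the Falcon sensor driver, but the signer is not CrowdStrike.
    "ImageLoaded: C:\\Users\\Public\\csagent_x64.sys\nHashes: SHA256=BBBB2222\n"
    "Signed: true\nSignature: Example Hardware Co\nSignatureStatus: Valid",
    # Signed once, but the certificate has since been revoked (an "outdated" signature).
    "ImageLoaded: C:\\Windows\\Temp\\oldtool.sys\nHashes: SHA256=CCCC3333\n"
    "Signed: true\nSignature: Defunct Vendor Ltd\nSignatureStatus: Revoked",
]
# Hypothetical blocklist of lower-case SHA-256 digests; a real deployment would load
# Microsoft's vulnerable driver blocklist or a vendor feed here.
VULNERABLE_DRIVER_SHA256 = {"cccc3333"}
# Assumed mapping: name fragment of a security product's driver -> signer it must carry.
EXPECTED_SIGNER = {"csagent": "CrowdStrike, Inc."}

def parse_event(text: str) -> dict:
    """Turn Sysmon's one-field-per-line message body into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess(fields: dict) -> list:
    """Return the reasons one DriverLoad event looks like a BYOVD attempt (empty if none)."""
    reasons = []
    status = fields.get("SignatureStatus", "missing")
    if status != "Valid":  # unsigned, expired or revoked certificate
        reasons.append(f"signature status {status}")
    # Sysmon renders hashes as "SHA256=...,MD5=..."; pick the SHA-256 entry.
    hashes = dict(p.split("=", 1) for p in fields.get("Hashes", "").split(",") if "=" in p)
    if hashes.get("SHA256", "").lower() in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    stem = PureWindowsPath(fields.get("ImageLoaded", "")).stem.lower()
    for fragment, signer in EXPECTED_SIGNER.items():
        if fragment in stem and fields.get("Signature") != signer:
            reasons.append(f"name resembles '{fragment}' but signer is '{fields.get('Signature')}'")
    return reasons

def analyze(events: list) -> dict:
    """Map driver file name -> reasons, for every event that triggers at least one rule."""
    found = {PureWindowsPath(f["ImageLoaded"]).name: assess(f) for f in map(parse_event, events)}
    return {name: reasons for name, reasons in found.items() if reasons}
```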


Shared Development, Not Leaks

Sophos notes that while the tool appears in attacks by many different groups, it is not a case of one stolen copy being passed around. Instead, it seems to be part of a shared development project, with each group using a slightly different version — changing driver names, targeted software, or technical details. All versions use the same “HeartCrypt” method to hide their code, suggesting close cooperation among the groups.


A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware world. In the past, programs like AuKill and AvNeutralizer have been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks.

The discovery of this new tool is a reminder that ransomware operators are constantly improving their methods and working together to overcome defenses. Security experts stress the need for updated protections and awareness to defend against such coordinated threats.
