EDRKillShifter
EDRKillShifter is an EDR-killing utility and BYOVD-based loader first publicly named by Sophos and developed and maintained by the RansomHub ransomware group. It was introduced to RansomHub affiliates in May 2024 and first publicly documented by Sophos in August 2024. The malware disables endpoint protection on Windows systems by abusing legitimate, signed but vulnerable kernel drivers. Loading a driver requires local administrator rights, so the tool is run after an affiliate has already obtained elevated access on a host; it then blinds endpoint protection ahead of lateral movement, data theft, and encryption.
Sophos described EDRKillShifter as a loader executable that must be started with a unique 64-character password on the command line. It uses the SHA-256 hash of that password to decrypt an embedded resource named BIN, writes the decrypted data to Config.ini in its working directory, deletes that file again, and executes the content in memory. The second stage uses self-modifying code for obfuscation, and the final payload dynamically loads an obfuscated Go-based EDR killer into memory. That payload drops a vulnerable .sys driver into the user's AppData\Local\Temp directory under a random filename, creates and starts a service for the driver, and then continuously enumerates running processes and terminates those whose names match a hardcoded target list; some variants also accept attacker-supplied process names via a --list argument. The kernel driver is what lets the killer terminate protected EDR processes that a user-mode tool cannot touch, but the matching is by process name, so a product whose processes are not on the list is left running. Sophos analyzed two variants, one abusing the RentDrv2 driver and one abusing the deprecated ThreatFireMonitor driver. ESET also reported that EDRKillShifter used at least two different vulnerable drivers and protected key execution logic with a 64-character password. Because the second stage and the Go payload run only in memory, the artifacts that reliably touch disk are the loader itself, the transient Config.ini, and the dropped driver; the driver service creation and kernel driver load are therefore the most dependable hunting points.
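The staging chain above (64-character password argument, Config.ini written and deleted, randomly named .sys dropped into AppData\Local\Temp and loaded as a driver) can be hunted from ordinary endpoint telemetry. The following is an added example, not code from Sophos, ESET or the RansomHub tooling: it runs three heuristics over a handful of constructed Sysmon-style events (invented host names, paths, process GUIDs and a placeholder 64-character token) and scores each host. The event field names and the scoring weights are assumptions for the illustration, not anything a vendor publishes.

```python
"""Hunting heuristics for EDRKillShifter-style loader behaviour.

Added example; not code from Sophos, ESET or the RansomHub tooling. The
detections run over constructed Sysmon-style events (invented host names,
paths, GUIDs and a placeholder 64-character token) that mimic the chain
described above: a loader started with a 64-character password, Config.ini
written and then deleted in the loader's directory, and a randomly named
.sys dropped into AppData\\Local\\Temp and loaded as a kernel driver.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real indicators). Event IDs follow Sysmon:
# 1 ProcessCreate, 6 DriverLoad, 11 FileCreate, 23 FileDelete.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "ts": "2024-05-10T10:00:00", "pguid": "{P1}",
     "cmdline": r'"C:\Users\u\Downloads\Loader.exe" ' + "a" * 64 + " --list msmpeng.exe"},
    {"id": 11, "host": "WS01", "ts": "2024-05-10T10:00:01", "pguid": "{P1}",
     "target": r"C:\Users\u\Downloads\Config.ini"},
    {"id": 23, "host": "WS01", "ts": "2024-05-10T10:00:02", "pguid": "{P1}",
     "target": r"C:\Users\u\Downloads\Config.ini"},
    {"id": 6, "host": "WS01", "ts": "2024-05-10T10:00:04",
     "image": r"C:\Users\u\AppData\Local\Temp\hqzmf.sys"},
    # Benign noise: a normal driver load, and a command line that happens to
    # carry a 64-character hex string (SHA-256 hashes look like the password).
    {"id": 6, "host": "WS02", "ts": "2024-05-10T10:05:00",
     "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 1, "host": "WS02", "ts": "2024-05-10T10:06:00", "pguid": "{P2}",
     "cmdline": "checker.exe " + "0" * 64},
]

TEMP_SYS = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.sys$", re.IGNORECASE)
LONG_TOKEN = re.compile(r"^[A-Za-z0-9]{64}$")


def driver_loaded_from_temp(event):
    """Sysmon 6 for a .sys under the user's AppData\\Local\\Temp. DriverLoad
    carries no process context, so this signal is correlated per host."""
    return event["id"] == 6 and bool(TEMP_SYS.search(event["image"]))


def has_64_char_argument(cmdline):
    """Any whitespace-separated argument of exactly 64 alphanumerics. Weak on
    its own (hashes on command lines match too), so it only corroborates."""
    return any(LONG_TOKEN.match(tok) for tok in cmdline.split()[1:])


def config_ini_staged(events, max_seconds=60):
    """Process GUIDs that created and then deleted a Config.ini within
    max_seconds: the loader's write, decrypt, delete staging pattern."""
    created, hits = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] not in (11, 23) or not ev["target"].lower().endswith("\\config.ini"):
            continue
        key = (ev["pguid"], ev["target"].lower())
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 11:
            created[key] = when
        elif key in created and (when - created[key]).total_seconds() <= max_seconds:
            hits.add(ev["pguid"])
    return hits


def triage(events):
    """Score each host: 3 for a Temp driver load, 2 for the Config.ini staging
    pattern, 1 for a 64-character argument. Returns {host: (score, reasons)}."""
    staged = config_ini_staged(events)
    scores = defaultdict(lambda: [0, []])
    counted = set()
    for ev in events:
        entry = scores[ev["host"]]
        if driver_loaded_from_temp(ev):
            entry[0] += 3
            entry[1].append("kernel driver loaded from AppData\\Local\\Temp: " + ev["image"])
        if ev["id"] == 1 and has_64_char_argument(ev["cmdline"]):
            entry[0] += 1
            entry[1].append("64-character command-line argument")
        if ev["id"] == 11 and ev["pguid"] in staged and ev["pguid"] not in counted:
            counted.add(ev["pguid"])
            entry[0] += 2
            entry[1].append("Config.ini written then deleted by " + ev["pguid"])
    return {host: (score, reasons) for host, (score, reasons) in scores.items()}


def suspicious_hosts(events, threshold=3):
    """Hosts at or above the threshold. A driver load from a user-writable Temp
    directory alerts on its own; the other two signals only raise the priority."""
    return sorted(h for h, (s, _) in triage(events).items() if s >= threshold)


if __name__ == "__main__":
    for host, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(host, score, reasons)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

In the constructed sample, WS01 collects all three signals and is reported, while WS02's SHA-256-looking argument alone stays below the threshold. In a real deployment the per-host correlation for the driver load should be narrowed with the host's System 7045 service-install event, which names the service and its ImagePath.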
The malware has been observed targeting security products from multiple vendors, including Sophos, Bitdefender, Cylance, ESET, F-Secure, Fortinet, McAfee, Microsoft, Symantec, and Trend Micro. Reporting also states that related or evolved builds have targeted Microsoft Defender, Kaspersky, SentinelOne, HitmanPro, and Webroot. Sophos detects EDRKillShifter as Troj/KillAV-KG.
EDRKillShifter is strongly associated with RansomHub but has also been repurposed or used by other ransomware groups and affiliates, including Medusa, BianLian, Play, BlackSuit, Qilin, DragonForce, Crytox, Lynx, and INC. ESET linked its use across multiple 2024 intrusions to an affiliate cluster it calls QuadSwitcher, including attacks against manufacturing, automotive, government, legal, and technology organizations in North America and Europe. Water Bakunawa (Trend Micro's name for the RansomHub intrusion set) has also been reported using EDRKillShifter to evade detection and disrupt security monitoring. The tool is part of a broader trend of ransomware operators prioritizing defense evasion through kernel-level EDR killers, and later reporting describes newer, heavily packed builds or evolutions of EDRKillShifter in use across multiple ransomware crews.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
BadRentdrv2 ... A BYOVD proof of concept that exploits the rentdrv2 driver vulnerability (CVE-2023-44976). It supports both x86 and x64 and can terminate EDR/AV processes by a specified PID. Abuse of it by EDRKillShifter, as used by RansomHub and others, has been confirmed.
Groups observed using it
3 distinct threat actors attributed by public researchers.
RansomHub’s EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator.
Water Bakunawa uses EDRKillShifter to evade detection and disrupt security monitoring processes.
CardSpaceKiller relies on call-by-hash resolution and string obfuscation, while EDRKillShifter, developed by the now-defunct RansomHub group, password-protects key sections of its code.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
T1583 Acquire Infrastructure: QuadSwitcher acquired infrastructure to host their tooling.
T1587.001 Develop Capabilities: Malware: The RansomHub, Play, Medusa, and BianLian gangs develop their own encryptors and related tooling.
Execution (1 technique)
"execute EDRKillShifter with a command line that includes a password string"; "can also receive an additional command line argument '--list'"
Persistence (2 techniques)
The attackers can further abuse this kernel-level access to move laterally within the network, deploy ransomware, steal data, backdoor compromised systems, and perform other nefarious actions without being detected.
Privilege Escalation (2 techniques)
It exploits legitimate but vulnerable drivers on Windows machines to terminate EDR products... the signed, vulnerable driver is loaded into the kernel and then exploited to gain kernel-level access.
If it finds the malicious driver, the malware initiates a 'Bring Your Own Vulnerable Driver (BYOVD)' attack, in which the signed, vulnerable driver is loaded into the kernel and then exploited to gain kernel-level access.
Defense Evasion (4 techniques)
Commercial tools are packed using products like VX Crypt and HeartCrypt, which add structure-level obfuscation, anti-virtual machine behavior, and continuous repacking to defeat static detection. Code protectors such as VMProtect and Themida are regularly used as well.
"The original filename is Loader.exe and its product name is ARK-Game... tries to masquerade the final payload as a popular computer game"
RansomHub's builder adds an additional layer of protection to its encryptors, a 64-character password, without which the encryptor does not work.
"decrypts an embedded resource named BIN and executes it in memory"; "load the final payload dynamically into memory and execute it."
Discovery (1 technique)
T1057 Process Discovery: EDRKillShifter looks for specific processes related to security solutions.
Collection (1 technique)
...ultimately steal and encrypt data before extorting victims into paying a ransom... The attackers can further abuse this kernel-level access to move laterally within the network, deploy ransomware, steal data, backdoor compromised systems...
Command and Control (1 technique)
T1071 Application Layer Protocol: In Play intrusions, payloads are retrieved via HTTP.
Impact (1 technique)
"steal and encrypt data before extorting victims"; "deploy ransomware, steal data, backdoor compromised systems"
Other (2 techniques)
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
EDR killer designed to disable endpoint detection and response tools; noted for password-protecting key code sections.
Custom tool used to disable endpoint detection and response (EDR) on compromised hosts; used by RansomHub affiliates and repurposed in Medusa, BianLian, and Play ransomware attacks.
Kernel-level EDR killer that leverages legitimate but vulnerable Windows drivers (BYOVD-style technique) to terminate/disable EDR products; originally used by RansomHub and later repurposed by other ransomware groups.
Kernel-level EDR-killer tool that abuses legitimate but vulnerable Windows drivers in BYOVD-style attacks to terminate endpoint security products. First seen with RansomHub and later repurposed by other ransomware gangs.