Ransomware Gangs Are Silently Killing Your Security Tools – The Rise of EDR Killers & PowerShell Attacks

🧠 Introduction (Human-Friendly)

Cybercriminals are evolving fast. Instead of directly attacking systems, modern ransomware gangs are now disabling your security tools first — and then launching the real attack.

A dangerous trend has emerged where attackers trick users into running PowerShell as Administrator and pasting malicious code. At the same time, ransomware gangs are heavily using EDR Killers — tools designed to shut down security solutions before encryption begins.

📌 Attack Summary (Simple Explanation)

  • Attackers trick users into opening PowerShell with admin rights
  • Victims are socially engineered to paste malicious scripts
  • Scripts silently:
    • Disable antivirus/EDR tools
    • Download payloads
    • Establish persistence
  • Ransomware is deployed after security defenses are removed

👉 Meanwhile, ransomware gangs are also using EDR Killers:

  • Tools that terminate or bypass security software
  • Often use vulnerable drivers (BYOVD technique)
  • Allow attackers to operate undetected

πŸ” Key Highlights

  • Ransomware groups now treat EDR bypass as a standard step
  • More than 90 EDR killer tools are being used in attacks
  • Attackers prefer disabling security instead of evading it
  • Even legitimate tools (anti-rootkits) are abused
  • PowerShell remains a top attack vector

⚙️ How the Attack Works (Step-by-Step)

1. Initial Access

  • Phishing / fake tutorials / social engineering
  • Victim is told:

    “Run PowerShell as Administrator and paste this command”


2. Execution (PowerShell Abuse)

Malicious PowerShell script:

  • Downloads payload from remote server
  • Executes in memory (fileless attack)
  • Avoids detection

3. Defense Evasion (EDR Killers)

Attackers:

  • Use tools like:
    • EDRKillShifter
    • EDRSilencer
  • Kill or disable:
    • Antivirus
    • EDR/XDR agents
  👉 This ensures ransomware runs undetected

4. Persistence & Lateral Movement

  • Credential dumping
  • Remote command execution
  • Network spread

5. Ransomware Deployment

  • Files encrypted
  • Data exfiltrated
  • Ransom note delivered

🧨 Hacker Groups Involved

Based on research and reports:

  • RansomHub (creator of EDRKillShifter)
  • Medusa
  • BianLian
  • Play ransomware group
  • Qilin / Akira (affiliates using EDR killer tools)
  • Emerging groups:
    • Warlock
    • Embargo
    • DeadLock

👉 Many operate under Ransomware-as-a-Service (RaaS) models

πŸ§ͺ Indicators of Compromise (IOCs)

🖥️ Host-Based IOCs

  • Suspicious PowerShell execution:

    powershell.exe -ExecutionPolicy Bypass -NoProfile
  • Use of admin privileges unexpectedly
  • Unknown driver loading (BYOVD attack)
  • Disabled security services

🌐 Network IOCs

  • Outbound connections to unknown IPs
  • Communication with C2 servers
  • Suspicious DNS queries

📂 File / Behavior IOCs

  • Execution of:
    • taskkill commands
    • sc stop (service stop)
  • Dropped tools:
    • EDRKillShifter
    • GMER / PC Hunter (abused tools)
  • Rapid file encryption activity

🔎 Technical Analysis (Expert View)

This attack shows a major shift in ransomware strategy:

👉 Earlier:

  • Malware tried to evade detection

👉 Now:

  • Attackers remove detection completely

This makes:

  • EDR useless if disabled early
  • Detection extremely difficult
  • Incident response slower

Also:

  • Use of legitimate tools increases stealth
  • Driver abuse (BYOVD) gives kernel-level access

🛡️ How to Protect Your Organization

✅ Prevention

  • Disable PowerShell for non-admin users
  • Enable PowerShell logging
  • Use application control policies
  • Block vulnerable drivers
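The prevention items that are plain Windows policy can be applied with a short script. The following is an added example, not code from the original post: it enables PowerShell script block, module and transcription logging (the source of the 4104/4103 events a SOC needs), turns on Microsoft's vulnerable driver blocklist against BYOVD drivers, and then reports the resulting state. The registry paths are Microsoft's documented Group Policy locations; the transcript directory is an assumed choice, and application control (AppLocker/WDAC, which is how PowerShell is restricted for non-admin users) is not covered because it needs a policy file rather than a registry value. Run it elevated, on a test host first.

```powershell
# Added example (not from the original post): PowerShell logging + vulnerable
# driver blocklist hardening. Policy paths are the documented GPO locations;
# the transcript directory 'C:\PSTranscripts' is an assumed value.

$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    # Creates the key if missing and writes (or overwrites) one value
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: the content of every executed script block is
#    written to Microsoft-Windows-PowerShell/Operational as event 4104
Set-PolicyValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules: pipeline execution details, event 4103
Set-PolicyValue "$ps\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: full text of each session, written to a directory the
#    defenders control (assumed path below)
Set-PolicyValue "$ps\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$ps\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# 4. Microsoft vulnerable driver blocklist (BYOVD mitigation) on Windows
#    builds that honour this value; older builds need the WDAC driver block rules
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable' 1

# Report the effective values so the change can be verified and audited later
$checks = @(
    @{ Path = "$ps\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging' },
    @{ Path = "$ps\ModuleLogging";      Name = 'EnableModuleLogging' },
    @{ Path = "$ps\Transcription";      Name = 'EnableTranscripting' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'; Name = 'VulnerableDriverBlocklistEnable' }
)
foreach ($c in $checks) {
    $v = Get-ItemPropertyValue -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = $c.Name; Enabled = ($v -eq 1) }
}
```

Logging is only useful if the events leave the host: forward the PowerShell/Operational log and the transcript directory to the SIEM, because an EDR killer that succeeds will also be in a position to clear local logs. Blocking the drivers themselves (the fourth step) is what actually stops the BYOVD variant; the logging only makes the attempt visible.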

✅ Detection

  • Monitor:
    • PowerShell execution
    • Service stop commands
    • Driver installations
  • Use behavioral detection (XDR)
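The host-based and file/behavior IOCs listed earlier and the "Monitor" items just above can be turned into one triage function. The following is an added example, not code from the original post: it scans event records shaped like `Get-WinEvent` output (Id, TimeCreated, Properties[n].Value) for PowerShell started with `-ExecutionPolicy Bypass -NoProfile`, `sc stop` / `taskkill` commands aimed at security agents, security services reporting "stopped", and kernel-mode driver installs. The sample records at the bottom are constructed, and the pattern of "protected" agent names is an assumed list, not something the post specifies.

```powershell
# Added example (not from the original post): EDR-killer indicator triage over
# Windows event records. Sample records and the protected-name pattern are
# constructed/assumed for illustration.

function Find-EdrKillerIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Security agents whose stop/kill is worth an alert (assumed pattern)
        [string] $ProtectedPattern = 'defend|msmpeng|sense|antivirus|falcon|edr'
    )
    $hits = @()
    foreach ($e in $Events) {
        $p = $e.Properties
        switch ($e.Id) {
            4688 {
                # Security 4688 (process creation): Properties[8] is the command line
                $cmd = [string]$p[8].Value
                if ($cmd -match '(?i)powershell(\.exe)?\b.*-(ep|executionpolicy)\s+bypass' -and
                    $cmd -match '(?i)-nop(rofile)?\b') {
                    $hits += [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'PowerShellBypassNoProfile'; Detail = $cmd }
                }
                # "sc stop <service>" or "taskkill ... /IM <image>" against a security agent
                if ($cmd -match '(?i)\b(sc(\.exe)?\s+stop|taskkill(\.exe)?\b.*/im)\s+(?<target>\S+)' -and
                    $Matches['target'] -match $ProtectedPattern) {
                    $hits += [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'SecurityAgentKillCommand'; Detail = $cmd }
                }
            }
            7045 {
                # System 7045 (new service installed): Properties 0=name, 1=image path, 2=service type
                if ([string]$p[2].Value -eq 'kernel mode driver') {
                    $hits += [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'KernelDriverInstalled'; Detail = "$($p[0].Value) -> $($p[1].Value)" }
                }
            }
            7036 {
                # System 7036 (service state change): Properties 0=display name, 1=new state
                if ([string]$p[1].Value -eq 'stopped' -and [string]$p[0].Value -match $ProtectedPattern) {
                    $hits += [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'SecurityServiceStopped'; Detail = [string]$p[0].Value }
                }
            }
        }
    }
    return $hits
}

# Constructed sample records (not real telemetry). The 4688 entries pad the
# first eight properties so the command line sits at index 8 as in a real event.
function New-SampleEvent([int]$Id, [string]$Time, [object[]]$Values) {
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = [datetime]$Time
        Properties  = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$pad = @('S-1-5-21-0-0-0-1001', 'alice', 'CORP', '0x3e7', '0x1a4',
         'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', '%%1937', '0x7f0')
$sample = @(
    (New-SampleEvent 4688 '2024-01-01T10:00:00' ($pad + 'powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Write-Host hi"')),
    (New-SampleEvent 4688 '2024-01-01T10:00:05' ($pad + 'C:\Windows\System32\sc.exe stop WinDefend')),
    (New-SampleEvent 4688 '2024-01-01T10:00:06' ($pad + 'taskkill /F /IM MsMpEng.exe')),
    (New-SampleEvent 4688 '2024-01-01T10:00:07' ($pad + 'notepad.exe C:\Users\alice\notes.txt')),
    (New-SampleEvent 7045 '2024-01-01T10:00:09' @('UnsignedHelper', 'C:\Users\alice\AppData\Local\Temp\helper.sys', 'kernel mode driver', 'demand start', 'LocalSystem')),
    (New-SampleEvent 7036 '2024-01-01T10:00:12' @('Microsoft Defender Antivirus Service', 'stopped'))
)

# Expected: five hits (the notepad.exe launch is the only record that is not flagged)
Find-EdrKillerIndicators -Events $sample | Format-Table -AutoSize
```

In production, replace `$sample` with real records, for example `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 }` and `@{ LogName = 'System'; Id = 7045, 7036 }`. Event 4688 only carries the command line when the "Include command line in process creation events" audit setting is on, and the script-block text from event 4104 is the natural next field to feed through the same rules; both depend on the logging policy from the prevention step. Driver installs and stopped security services are the highest-value rules here: a BYOVD load followed within seconds by a stopped agent is the sequence the post describes, and it should page someone rather than sit in a dashboard.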

✅ Response

  • Immediately isolate infected systems
  • Rebuild compromised machines
  • Rotate credentials
  • Check lateral movement

🧾 Conclusion

Ransomware attacks are no longer just about encryption — they are about control.

Attackers now:

  • Trick users
  • Disable defenses
  • Then strike

The rise of EDR killers + PowerShell abuse proves one thing:

👉 If your security can be turned off, it will be.

Organizations must shift to:

  • Layered security
  • Behavior-based detection
  • Zero trust mindset
