
Hackers Found Using Legitimate Security Tools During Their Attacks
Ransomware gangs have improved their avoidance of detection through “EDR killers,” tools designed to disable security systems early in their attacks.
In a rush? Here are the quick facts:
- Ransomware groups disable security tools early using “EDR killers.”
- Attackers use legitimate tools such as HRSword to conduct their attacks.
- Security tools that are not properly set up create openings for attackers to target companies.
The Register reports that Cisco Talos researchers observed ransomware groups successfully deactivating security protections in almost half of the cases examined in 2024. This method lets the attackers stay hidden for longer while they carry out data theft and distribute ransomware more effectively.
According to Kendall McKay, strategic lead at Talos, attackers deploy multiple EDR killers throughout each operation, as reported by The Register. Cybercriminals use tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator to deactivate security defenses.
The Register reports that some ransomware programs, like EDRKillShifter, take advantage of Windows driver vulnerabilities to shut down security applications.
The Register explains that the malware first emerged with the RansomHub gang in August 2024, and has since been used by other ransomware groups, including Medusa, BianLian, and Play.
“The goal is typically the same: kill EDR protections, allow the criminals to remain undetected for longer in the compromised networks, and then help them to steal sensitive data and deploy ransomware before being caught and kicked out,” McKay said, as reported by The Register.
This attack makes recovery of affected systems more complicated. As a result, organizations sometimes need to wipe and rebuild their networks entirely.
The Register says that not all EDR killers are malware. Research conducted by Talos showed that ransomware gangs often carry out attacks by using legitimate tools.
One example is HRSword, a commercial product developed by China-based Huorong Network Technology. It was designed to monitor system activity, but hackers have repurposed it to disable security software. “It’s a legitimate commercial tool, but now threat actors are co-opting it for their own purposes,” McKay said, as reported by The Register.
The attackers also exploit security tools that were not properly set up. In numerous organizations, security products run with their default configuration, which creates security risks for their systems, says The Register. Some organizations set their endpoint detection and response tools to “audit-only” mode, meaning threats are detected but not blocked.
“This was perhaps the most concerning for us, because it’s such a low-hanging fruit and something that can easily be prevented by organizations,” McKay pointed out as reported by The Register.
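As an added example that is not part of the original article, the following PowerShell check reports the “audit-only” and tamper-related settings the passage above describes and shows the corrected setting in a comment. It assumes a Windows host whose EDR is Microsoft Defender (a product the article does not name); other EDR products expose equivalent settings through their own consoles or APIs.

```powershell
# Added example (not from the article): audit Microsoft Defender for the
# "detect but do not block" weak setting. Assumes the Defender PowerShell
# module (Get-MpPreference / Get-MpComputerStatus) is present on the host.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Attack Surface Reduction (ASR) rule action codes as documented by Microsoft:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn. Audit means "log only",
# which is the weak setting the article warns about.
$findings = @()

for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    if ($action -eq 2) {
        $findings += "ASR rule $id is in Audit mode (detected, not blocked)"
    }
}

# An EDR killer needs to switch protection off; these two flags show whether
# that is possible from the local machine without further effort.
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is disabled"
}
if (-not $status.IsTamperProtected) {
    $findings += "Tamper Protection is off; local admins can disable Defender"
}

if ($findings.Count -eq 0) {
    "No audit-only or tamper-related weaknesses found."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    # Corrected setting for an audit-mode rule (moves it to enforcement):
    #   Set-MpPreference -AttackSurfaceReductionRules_Ids <rule-guid> `
    #                    -AttackSurfaceReductionRules_Actions Enabled
    # Tamper Protection is turned on through Intune or the Defender portal,
    # not through Set-MpPreference.
}
```

Run it with administrative rights on a representative endpoint; any FINDING line corresponds to a configuration that leaves detection in place but enforcement off.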