At least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, allowing them to bypass almost every major endpoint security tool on the market, escalate privileges, and ultimately steal and encrypt data before extorting victims into paying a ransom.

One of the most recent examples includes the operators of Crypto24, a new-ish ransomware that has been deployed against nearly two dozen companies in the US, Europe, and Asia since April, according to the miscreants' leak site. The criminals target high-profile companies in financial services, manufacturing, entertainment, and technology, and after gaining initial access to victim organizations, one way they evade detection is by using a customized version of RealBlindingEDR, according to Trend Micro researchers.

RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix. The tool retrieves the security company's name from driver metadata, compares it to the hardcoded list, and if there's a match, it disables callbacks, rendering the EDR products useless.

Specific to Trend Micro, its researchers observed cases where the attackers deployed their customized version of RealBlindingEDR and abused gpscript.exe, which is a legitimate Group Policy utility, to remotely execute the Trend Vision One uninstaller, a legitimate troubleshooting tool. But, they add, the ransomware crew was only able to abuse the uninstaller "after gaining elevated (administrator) privileges through prior compromise of affected systems. The tool itself requires administrative permissions to run and cannot be abused as an initial infection vector."
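Two of the behaviours described above are detectable from the defender's side: gpscript.exe launching an executable instead of a logon or startup script, and an EDR sensor that goes quiet (its kernel callbacks disabled) while other log sources on the same host keep reporting. The following is an added example, not code from the article, Trend Micro, or RealBlindingEDR; the event format, the `source` field names, hostnames, and the sample telemetry are all constructed assumptions.

```python
"""Spot gpscript.exe abuse and a blinded EDR sensor in constructed telemetry."""
from collections import defaultdict

# Extensions gpscript.exe would normally hand off to; anything else is suspect.
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def gpscript_anomalies(events):
    """Return (host, child) pairs where gpscript.exe spawned a non-script child."""
    hits = []
    for e in events:
        if e["source"] != "edr" or e.get("parent", "").lower() != "gpscript.exe":
            continue
        child = e.get("image", "").lower()
        if not child.endswith(SCRIPT_EXT):
            hits.append((e["host"], child))
    return hits


def blinded_hosts(events, window=600):
    """Hosts whose latest EDR event is more than `window` seconds older than
    their latest non-EDR event: the sensor is installed but no longer reporting."""
    last = defaultdict(dict)  # host -> {source: latest timestamp seen}
    for e in events:
        src = e["source"]
        last[e["host"]][src] = max(last[e["host"]].get(src, 0), e["ts"])
    out = []
    for host, by_src in last.items():
        edr_ts = by_src.get("edr")
        other_ts = max((t for s, t in by_src.items() if s != "edr"), default=None)
        if edr_ts is not None and other_ts is not None and other_ts - edr_ts > window:
            out.append(host)
    return sorted(out)


# Constructed sample telemetry (epoch seconds); not real data from any incident.
SAMPLE = [
    {"ts": 1000, "host": "ws01", "source": "edr", "parent": "explorer.exe", "image": "cmd.exe"},
    {"ts": 1020, "host": "ws01", "source": "edr", "parent": "gpscript.exe", "image": "C:\\tools\\uninstall.exe"},
    {"ts": 1030, "host": "ws01", "source": "edr", "parent": "gpscript.exe", "image": "logon.bat"},
    {"ts": 2000, "host": "ws01", "source": "winsec", "event": "4624"},
    {"ts": 2100, "host": "ws01", "source": "winsec", "event": "4688"},
    {"ts": 2050, "host": "ws02", "source": "edr", "parent": "svchost.exe", "image": "wuauclt.exe"},
    {"ts": 2080, "host": "ws02", "source": "winsec", "event": "4624"},
]

if __name__ == "__main__":
    print(gpscript_anomalies(SAMPLE))  # [('ws01', 'c:\\tools\\uninstall.exe')]
    print(blinded_hosts(SAMPLE))       # ['ws01']
```

In practice the second check needs a second telemetry source the EDR killer does not touch (Windows Security log forwarding, domain controller logons, network flow records), which is exactly why it still fires after the EDR's own callbacks have been removed.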
RansomHub's old EDR killer gets a makeover In addition to Crypto24's operato...
First seen: 2025-08-15 17:22
Last seen: 2025-08-15 17:22