EDRKillShifter is getting a dangerous upgradeThe new malware can disable AV and EDR from reputable vendorsSophos, Bitdefender, and Kaspersky among the tools being targetedCybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community.In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky.Shifting strategiesThe malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, they’re even using signed drivers (either stolen or compromised).In one case, the malicious code was embedded inside a legitimate utility, Beyond Compare’s Clipboard Compare tool, the researchers explained.Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.Now, it seems there is a new method - taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare’s tool). This is often done after the attacker has access to a victim’s machine, or when creating a malicious package that pretends to be legitimate.To defend against this threat, Sophos suggests users check whether their endpoint protection security products implement, and enable, tamper protection.Furthermore, businesses should practice “strong hygiene” for Windows security roles, since the attack is only possible if the attacker escalates privileges they control, or if they can obtain admin rights.Finally, businesses should keep their systems updated, as Microsoft recently started de-certifying old signed drivers.You might also likeCybercriminals launch new malware that can completely wipe out your antivirusTake a look at our guide to the best authenticator appWe've rounded up the best password managers