One of the most common cybersecurity tips for any business is to keep your antivirus protection updated. However, if you are the target of a new and dangerous form of malware, that might not be enough. Sophos security researchers recently revealed that cybercriminals are using a new tool, called EDRKillShifter, that is capable of turning off antivirus protection.
What You Need to Know About EDRKillShifter
This latest cyber threat appears to come from the RansomHub ransomware group, but there is evidence that other cybercrime organizations are also using this antivirus-disabling malware. This suggests it may be for sale on the dark web and in the hands of many bad actors.
The purpose of EDRKillShifter is to turn off endpoint detection and response (EDR) on your device. It does this by installing legitimate but vulnerable drivers on the machine and exploiting those vulnerabilities to disable the EDR agent, a technique commonly called "bring your own vulnerable driver". Once the EDR is silenced, the attacker can drop a variety of payloads, including ransomware encryptors, and reach sensitive parts of the network through privilege escalation and defense evasion.
Protecting Your Business From This Threat
Endpoint protection and antivirus software remain critical in the battle against hackers, data breaches, and other cybersecurity risks.
Keep Your System Updated
Failing to install hardware and software updates creates loopholes for criminals to exploit. Installing updates closes these gaps. For example, Microsoft is now decertifying signed drivers with a known abuse history; installing updates provides more protection against driver exploitation.
Separate Administrator and User Privileges
One critical element of this new malware is that it requires administrator permissions. If the hacker can gain administrator control or escalate their permissions, they can install the vulnerable drivers. Strictly limiting who holds administrator rights, and keeping day-to-day user accounts separate from administrator accounts, makes it harder for attackers to install drivers.
Enable Tamper Protection
Securing your endpoints is another key element of avoiding a ransomware attack. Enable tamper protection on your endpoint detection and response (EDR) tools so that an attacker who gains a foothold, even one with administrator rights, is blocked from disabling or reconfiguring them.
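The three controls above (driver updates and blocklisting, limited administrator rights, and tamper protection) can be checked from an elevated PowerShell prompt. The script below is an added example, not from the original article or from Sophos; it assumes a Windows 10/11 machine running Microsoft Defender, and the cmdlets and registry path it uses are the documented Microsoft ones.

```powershell
# Added example: report the posture of the controls that blunt an EDR-killer
# style attack. Run elevated on a Windows 10/11 host with Microsoft Defender.
function Test-EdrKillerPosture {
    $results = @()

    # 1. Tamper protection: stops a local admin (or malware running as admin)
    #    from switching Defender off or changing its settings.
    $status = Get-MpComputerStatus
    $results += [pscustomobject]@{
        Control = 'Defender tamper protection'
        State   = if ($status.IsTamperProtected) { 'Enabled' } else { 'DISABLED' }
        Fix     = 'Turn on in Windows Security > Virus & threat protection settings, or via Intune/MDE policy'
    }

    # 2. Microsoft vulnerable driver blocklist: refuses to load drivers Microsoft
    #    has flagged for known abuse, the class of driver an EDR killer brings along.
    #    On Windows 11 22H2 and later the blocklist is on by default, so a missing
    #    value is reported as "not explicitly set" rather than as disabled.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $blState = if ($null -eq $value) { 'Not explicitly set (OS default applies)' }
               elseif ($value.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' }
               else { 'DISABLED' }
    $results += [pscustomobject]@{
        Control = 'Vulnerable driver blocklist'
        State   = $blState
        Fix     = "Set-ItemProperty -Path '$ciKey' -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord; then reboot"
    }

    # 3. Local Administrators membership: every account listed here can install a
    #    driver. Day-to-day user accounts should not appear in this list.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Name }
    $results += [pscustomobject]@{
        Control = 'Local Administrators group'
        State   = "$($admins.Count) member(s): $($admins -join ', ')"
        Fix     = 'Remove non-administrative accounts; use separate admin accounts for elevated work'
    }

    return $results
}

Test-EdrKillerPosture | Format-Table -AutoSize -Wrap
```

Any row whose State reads DISABLED, or whose administrators list contains ordinary user accounts, is a gap this malware is built to take advantage of.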
Continue Practicing Basic Cyber Hygiene
Protecting your company against tools like EDRKillShifter, and the ransomware that follows them, is everyone's responsibility.
More specifically, successfully blocking ransomware attempts includes tactics like:
- Implementing encryption for endpoints, email, and disks
- Developing clear policies regarding device usage, including what devices can access the network and the security requirements for any connected device
- Proactively implementing web security protocols to filter dangerous websites
- Educating users about the latest phishing and social engineering developments and how to avoid falling into a trap
Ransomware continues to be the most pressing cybersecurity threat for businesses worldwide, and this new antivirus-disabling malware is just one of a slew of tools criminals can deploy to damage your business. Stay alert to emerging threats and use the tools available to avoid becoming a victim.