EDR-Killers Increasingly Used to Bypass Security in Ransomware Operations
Ransomware groups are increasingly leveraging tools like EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator to disable or tamper with endpoint detection and response (EDR) systems.
One such tool, EDRKillShifter, was first observed in August 2024 in RansomHub attacks. It is a loader that drops a legitimately signed but vulnerable Windows driver, loads it, and then uses that driver's kernel access to terminate EDR processes (a bring-your-own-vulnerable-driver, or BYOVD, attack). Other gangs, including Medusa, BianLian, and Play, have since adopted the same tool, The Register reports.
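A BYOVD EDR killer needs two things on the target: a host that is willing to load a known-abusable driver, and the driver itself. The following script is an added example written for this article, not code from Halcyon or from any of the tools named above. It reads the documented Windows locations for the Microsoft vulnerable driver blocklist and for HVCI (memory integrity), then hashes every registered kernel driver and compares it with a SHA-256 list. The two hashes in `$placeholderList` are constructed placeholders, not real driver hashes; populate the list from a source such as the LOLDrivers project before trusting a clean result. Run it from an elevated session.

```powershell
# Added example (not from the article or any EDR-killer tool it names).
# Reports whether this host will load known-vulnerable drivers and whether
# any registered driver matches a supplied SHA-256 list.

# Both settings below are what stop most abused drivers from loading:
# the Microsoft vulnerable driver blocklist and HVCI (memory integrity).
function Get-DriverBlocklistState {
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        # SecurityServicesRunning contains 2 when HVCI is active
        HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

# Win32_SystemDriver.PathName comes back in several forms
# (\??\C:\..., \SystemRoot\..., system32\drivers\...); normalise to a file path.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Hash every registered driver (running or not; a dropped driver service
# may be stopped between uses) and flag matches against the supplied list.
function Find-KnownVulnerableDrivers {
    param([string[]]$KnownBadSha256)
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name     = $drv.Name
            State    = $drv.State
            Path     = $path
            Sha256   = $hash
            Signer   = $sig.SignerCertificate.Subject
            SigState = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            KnownBad = ($KnownBadSha256 -contains $hash)   # -contains is case-insensitive
        }
    }
}

# Constructed placeholder hashes; replace with a real vulnerable-driver list.
$placeholderList = @(
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
)

Get-DriverBlocklistState

# Triage view: known-bad hashes, plus any driver living outside the Windows
# directory, where attacker-dropped drivers usually sit (third-party drivers
# under Program Files will also appear; treat this as a review list, not an alert).
Find-KnownVulnerableDrivers -KnownBadSha256 $placeholderList |
    Where-Object { $_.KnownBad -or $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table Name, State, SigState, KnownBad, Path -AutoSize
```

If `VulnerableDriverBlocklistEnabled` and `HvciRunning` are both false, a signed-but-vulnerable driver will load with nothing more than administrator rights, which is exactly the precondition these tools rely on; turning either on is a cheaper fix than hunting hashes.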
Disabling EDRs helps attackers remain undetected, steal data, and deploy ransomware more effectively. This also complicates system recovery, which often requires wiping and rebuilding entire networks.
Even when ransomware isn't deployed, signs of early compromise often necessitate full system recovery due to the unknown extent of access or damage. Emphasizing early detection and blocking of these EDR killers is becoming critical as these threats gain traction.
Not all EDR killers are malware. Researchers found that attackers have co-opted legitimate tools such as HRSword, a system-monitoring utility from the Chinese security vendor Huorong, for malicious purposes. Because HRSword is signed, legitimate software with a defensive purpose, security products rarely flag or block it, and its ability to inspect and terminate processes serves an attacker as well as it serves an administrator.
In a GlobeImposter ransomware case, attackers used HRSword to disable EDRs, then deployed NetSupport RAT and smbexec for lateral movement. Similarly, during a Phobos attack, another tool from the same suite was used to sideload malicious DLLs.
Attackers also tamper with defensive settings directly, or exploit security products that were deployed in a weak configuration, including ones left in audit-only mode. An audit-only control records a malicious action but does not block it, so the intrusion proceeds with nothing to show for the detection but a log entry.
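Audit-only and passive settings are easy to leave behind after a pilot rollout and easy to miss in a console. The script below is an added example written for this article, not Halcyon's code, and it uses only the documented Microsoft Defender cmdlets `Get-MpPreference` and `Get-MpComputerStatus`. It lists every Defender control that is in audit, warn, or passive mode rather than block mode, plus the settings (tamper protection, real-time monitoring, cloud protection) whose absence lets an attacker with local admin switch the product off.

```powershell
# Added example (not from the article). Finds Microsoft Defender controls that
# detect but do not block, the "audit-only" configurations attackers exploit.
# Requires the Defender PowerShell module; run in an elevated session.
function Get-DefenderAuditOnlyFindings {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()
    $add = { param($Control, $State, $Issue)
        [pscustomobject]@{ Control = $Control; State = $State; Issue = $Issue } }

    # Attack surface reduction rules: Ids and Actions are parallel arrays.
    # Documented action values: 0 Disable, 1 Block, 2 Audit, 5 NotConfigured, 6 Warn
    $asrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $a = [int]$actions[$i]
        if ($a -ne 1) {
            $name = $asrAction[$a]; if (-not $name) { $name = "Action $a" }
            $findings += & $add "ASR rule $($ids[$i])" $name 'Configured but not in Block mode'
        }
    }

    # Controls with a documented audit mode (value 2 means AuditMode for each).
    if ($pref.PUAProtection -eq 2) {
        $findings += & $add 'PUA protection' 'Audit' 'Potentially unwanted apps are logged, not blocked'
    }
    if ($pref.EnableNetworkProtection -eq 2) {
        $findings += & $add 'Network protection' 'Audit' 'Outbound connections to bad hosts are logged, not blocked'
    }
    if ($pref.EnableControlledFolderAccess -in 2, 4) {
        $findings += & $add 'Controlled folder access' 'Audit' 'Ransomware-style file writes are logged, not blocked'
    }

    # Passive mode: Defender only scans and reports when another AV is registered.
    if ($status.AMRunningMode -and $status.AMRunningMode -notin 'Normal', 'EDR Block Mode') {
        $findings += & $add 'Antimalware running mode' $status.AMRunningMode 'Defender is not remediating'
    }

    # Settings whose absence lets a local admin switch the product off
    # (e.g. Set-MpPreference -DisableRealtimeMonitoring $true succeeds
    # when tamper protection is off).
    if (-not $status.IsTamperProtected) {
        $findings += & $add 'Tamper protection' 'Off' 'Defender settings can be changed by local admins or scripts'
    }
    if ($pref.DisableRealtimeMonitoring) {
        $findings += & $add 'Real-time monitoring' 'Disabled' 'No on-access scanning'
    }
    if ($pref.MAPSReporting -eq 0) {
        $findings += & $add 'Cloud-delivered protection' 'Disabled' 'No cloud verdicts for new samples'
    }

    return $findings
}

Get-DefenderAuditOnlyFindings | Format-Table -AutoSize
```

An empty result means every configured control is in block mode; it says nothing about rules that were never configured at all, so compare the ASR rule IDs printed against the baseline your organisation intended to deploy. The same "audit versus enforce" question applies to any other EDR or XDR product; the cmdlets differ, the check does not.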
Takeaway: Let’s be blunt: if ransomware makes it to the headlines, it already beat endpoint protection. That’s not a guess—it’s a fact. Every time you see a big-name company breached and held hostage, what you’re really seeing is a security stack that got outmaneuvered.
And lately, a big part of that is the rise of EDR-Killers—specialized tools built to blind, bypass, or outright kill endpoint detection and response (EDR) systems.
And these aren’t fringe tactics. Ransomware crews are investing heavily in custom tooling to disable EDRs before they even start exfiltrating data or launching encryption. They’re not “hacking around” security—they’re removing it.
And here’s the kicker: current EPP and EDR/XDR solutions, while solid in many ways, clearly aren't enough. If they were, we wouldn't be seeing massive companies falling victim to ransomware week after week.
So, let’s stop pretending we’re protected just because we’ve got a shiny endpoint agent deployed. Attackers know these tools inside and out. They design their malware to evade detection, to strip the user-mode hooks an EDR relies on (so-called universal unhooking), to cut off the kernel monitoring that feeds it telemetry, increasingly by way of a vulnerable driver, and to hide what remains with rootkit techniques.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.