"Send me a quick text"This episode examines a stealthy pre-ransomware technique where attackers use a custom-built EDR killer paired with a malicious, kernel-level driver to disable endpoint protections. The driver is signed with stolen or revoked certificates, giving it full control over the operating system. Once loaded, it terminates processes from leading security vendors before ransomware deployment. The same method has been observed across multiple ransomware families, including RansomHub, MedusaLocker, INC, Qilin, and Dragonforce, often wrapped with the HeartCrypt packer-as-a-service.Defensive RecommendationsBlock unsigned or revoked driver loading: Use modern Windows features like HVCI (Hypervisor-Protected Code Integrity) or Memory Integrity to prevent untrusted drivers from loading into kernel space.Monitor driver installation behavior: Alert on creation of driver files with unusual names (e.g., five random characters ending in .sys) or installation of drivers from uncommon vendors.Enable Certificate Revocation Checking: Ensure that Windows is actively verifying certificate revocation status before allowing drivers to load.Behavioral detection over signature-based rules: Focus on detecting the sequence — a signed driver load followed by mass security process termination — rather than static IOCs.Alert on attempts to stop key processes: Monitor for kill attempts against critical EDR and AV services such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, SophosUI.exe, etc.Apply Anti-Tampering policies: Ensure endpoint protection solutions have tamper protection fully enabled to resist unauthorized shutdown.Artifacts, Files, and ConfigurationsDriver Files:Example name: mraml.sysSHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93Known to be signed with revoked certificates from vendors like “Changsha Hengxiang Information Technology Co., Ltd.” or “Fuzhou Dingxin Trade Co., Ltd.”Main Payload:Example filename: uA8s.exeSHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728Often injected into legitimate software like Clipboard Compare from Beyond CompareProtected using HeartCrypt packer-as-a-serviceObserved Process Termination Targets:MsMpEng.exe, SophosHealth.exe, SAVService.exe, sophosui.exeOther security vendors targeted include: Bitdefender, Cylance, F-Secure, Fortinet, HitManPro, Kaspersky, McAfee, SentinelOne, Symantec, Trend Micro, WebrootExample Paths & Behavior:Malicious driver path: C:\ProgramData\noedt.sysDriver loads immediately before ransomware executionProcess hollowing and shellcode injection techniques observed (e.g., HollowProcessGuard, DynamicShellcode)Thanks for spending a few minutes on the CyberBrief Project. If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com. You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there. And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support Your support means a lot. See you in the next one, and thank you for listening.

Ver todos los episodios