CyberBrief Project
CyberBrief Project is an audio series that breaks down one creative cyber-attack technique in each episode.
Rather than covering routine threats, each episode focuses on clever methods that repurpose tools in unexpected ways.
Voiced by AI instructors, the series is designed to help listeners understand how attackers think, what they target, and how to spot threats with greater clarity.
This is valuable information for anyone in cybersecurity, especially defenders, and for anyone curious about how real-world cyberattacks start and unfold.
EDR Killer - Ransomware’s First Strike
Episode Description – Technical Write-Up:
Summary:
This episode examines a stealthy pre-ransomware technique in which attackers pair a custom-built EDR killer with a malicious kernel-level driver to disable endpoint protections. The driver is signed with stolen or revoked certificates, which lets it load and run with kernel privileges. Once loaded, it terminates processes belonging to leading security vendors before the ransomware is deployed. The same method has been observed across multiple ransomware families, including RansomHub, MedusaLocker, INC, Qilin, and DragonForce, often wrapped with the HeartCrypt packer-as-a-service.
Defensive Recommendations
- Block unsigned or revoked driver loading: Use modern Windows features such as HVCI (Hypervisor-Protected Code Integrity, exposed in Windows Security as Memory Integrity) to prevent untrusted drivers from loading into kernel space.
- Monitor driver installation behavior: Alert on creation of driver files with unusual names (e.g., five random characters ending in .sys) or installation of drivers from uncommon vendors.
- Enable Certificate Revocation Checking: Ensure that Windows is actively verifying certificate revocation status before allowing drivers to load.
- Behavioral detection over signature-based rules: Focus on detecting the sequence — a signed driver load followed by mass security process termination — rather than static IOCs.
- Alert on attempts to stop key processes: Monitor for kill attempts against critical EDR and AV services such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, SophosUI.exe, etc.
- Apply Anti-Tampering policies: Ensure endpoint protection solutions have tamper protection fully enabled to resist unauthorized shutdown.
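As an added illustration of the two detection recommendations above (driver-name/signature checks and the load-then-kill sequence), here is a small correlation routine written for this write-up; it is not code from the episode. It assumes Sysmon-style driver-load and process-termination events already normalized into dicts, and the telemetry it runs on is constructed.

```python
import re
from datetime import datetime, timedelta

# Security processes the write-up lists as termination targets (compared case-insensitively).
EDR_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "savservice.exe", "sophosui.exe"}
# "Five random characters ending in .sys", as described in the write-up.
RANDOM_SYS = re.compile(r"^[a-z]{5}\.sys$")

def is_suspicious_driver(ev):
    """A driver load is suspicious if its signature is not valid (e.g. revoked), or if it has
    a random-looking 5-letter name and loads from outside the system driver directory."""
    path = ev["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    in_system_dir = path.startswith("c:\\windows\\system32\\drivers\\")
    bad_sig = ev.get("sig_status", "").lower() != "valid"
    odd_name = RANDOM_SYS.match(name) is not None and not in_system_dir
    return bad_sig or odd_name

def correlate(events, window=timedelta(minutes=5), min_kills=2):
    """Return (driver_event, kill_events) pairs: a suspicious driver load followed within
    `window` by the termination of at least `min_kills` distinct security processes."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "driver_load" or not is_suspicious_driver(ev):
            continue
        kills = [k for k in events[i + 1:]
                 if k["type"] == "process_terminated"
                 and k["ts"] - ev["ts"] <= window
                 and k["image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESSES]
        if len({k["image"].lower() for k in kills}) >= min_kills:
            alerts.append((ev, kills))
    return alerts

def run_sample():
    """Constructed telemetry (hypothetical paths and fields) mixing a benign driver load with
    the sequence from the write-up: noedt.sys from C:\\ProgramData, then EDR processes killed."""
    def at(sec):
        return datetime(2025, 1, 1, 10, 0, 0) + timedelta(seconds=sec)
    events = [
        {"ts": at(0), "type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys", "sig_status": "Valid"},
        {"ts": at(60), "type": "driver_load", "image": r"C:\ProgramData\noedt.sys", "sig_status": "Revoked"},
        {"ts": at(65), "type": "process_terminated", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
        {"ts": at(66), "type": "process_terminated", "image": r"C:\Program Files\Sophos\Health\SophosHealth.exe"},
        {"ts": at(67), "type": "process_terminated", "image": r"C:\Program Files\Sophos\SAVService.exe"},
        {"ts": at(1800), "type": "process_terminated", "image": r"C:\Windows\notepad.exe"},
    ]
    return correlate(events)

if __name__ == "__main__":
    for drv, kills in run_sample():
        print(f"ALERT: {drv['image']} ({drv['sig_status']}) followed by {len(kills)} EDR kills")
```

Note that a five-letter name on its own also matches legitimate drivers such as tcpip.sys, which is why the name heuristic is only applied outside the system driver directory and the alert requires the follow-on process kills.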
Artifacts, Files, and Configurations
- Driver Files:
  - Example name: mraml.sys
  - SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93
  - Known to be signed with revoked certificates from vendors such as “Changsha Hengxiang Information Technology Co., Ltd.” or “Fuzhou Dingxin Trade Co., Ltd.”
- Main Payload:
  - Example filename: uA8s.exe
  - SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728
  - Often injected into legitimate software such as Clipboard Compare (part of Beyond Compare)
  - Protected using the HeartCrypt packer-as-a-service
- Observed Process Termination Targets:
  - MsMpEng.exe, SophosHealth.exe, SAVService.exe, SophosUI.exe
  - Other security vendors targeted include Bitdefender, Cylance, F-Secure, Fortinet, HitmanPro, Kaspersky, McAfee, SentinelOne, Symantec, Trend Micro, and Webroot
- Example Paths & Behavior:
  - Malicious driver path: C:\ProgramData\noedt.sys
  - The driver loads immediately before ransomware execution
  - Process hollowing and shellcode injection techniques observed (e.g., HollowProcessGuard, DynamicShellcode)
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.