Sophos encountered a sophisticated cyberattack involving the novel 'AVKiller' payload, which disabled endpoint defenses to facilitate ransomware deployment. The attackers used a dropper masquerading as a legitimate utility, injecting malicious code into signed executables. AVKiller terminated security processes, allowing ransomware to encrypt crucial servers. The attack hampered recovery efforts due to the absence of active EDR protection. The tool's modular design and use of compromised certificates highlighted its advanced evasion tactics, underscoring the growing trend of adversaries using specialized tools to neutralize security operations.
Source: https://cybersecuritynews.com/heartcrypt-packed-edr-killer-tools-avkiller/
TPRM report: https://www.rankiteo.com/company/sophos
"id": "sop344080725",
"linkid": "sophos",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'size': 'Large', 'type': 'Enterprise'}],
 'attack_vector': 'Malicious dropper masquerading as legitimate utility, injecting code into signed executables',
 'data_breach': {'data_encryption': 'Yes'},
 'date_detected': 'mid-2024',
 'description': "A novel 'EDR killer' payload, referred to as AVKiller, has been observed disabling endpoint defenses to facilitate the deployment of ransomware. The tool leverages the HeartCrypt packer-as-a-service to obscure its functionality and slip past traditional static signature checks.",
 'impact': {'operational_impact': 'Hindered recovery efforts due to disabled EDR protection',
            'systems_affected': 'Crucial servers'},
 'initial_access_broker': {'entry_point': 'Dropper executable packed by HeartCrypt'},
 'lessons_learned': 'Understanding and intercepting the AVKiller loader’s system-call routines and driver-loading behavior are critical to thwarting these sophisticated attacks.',
 'motivation': 'Financial gain, disruption',
 'post_incident_analysis': {'root_causes': 'Use of compromised certificates for driver signing, exploitation of unrevoked kernel verification lists'},
 'ransomware': {'data_encryption': 'Yes',
                'ransomware_strain': ['Blacksuit', 'MedusaLocker', 'INC']},
 'recommendations': 'Equip SOC with full access to the latest threat data from ANY.RUN TI Lookup to improve incident response.',
 'references': [{'source': 'Sophos'}],
 'threat_actor': 'RansomHub group',
 'title': 'AVKiller EDR Killer Payload Attack',
 'type': 'Malware, Ransomware',
 'vulnerability_exploited': 'Endpoint Detection and Response (EDR) and antivirus process termination'}