Trend Micro researchers documented a campaign by the Crypto24 ransomware gang that used a customized version of RealBlindingEDR, an open-source tool built to disable endpoint detection and response (EDR) products, against victim organizations. The customized build blinds the kernel-level callbacks and hooks registered by security products from 28 vendors, Trend Micro included, and relies on a vulnerable signed driver (BYOVD), so it only works once the attackers already hold administrator-level privileges on the compromised system. To remove Trend Micro's own agent, the operators abused gpscript.exe (a legitimate Group Policy scripting utility) to remotely execute the Trend Vision One uninstaller, stripping the endpoint of its defenses before proceeding. With EDR telemetry gone, the attackers exfiltrated sensitive corporate and customer data and then deployed the encryption payload, the same double-extortion pattern used by the other gangs named below. The full scope of the data theft has not been disclosed, but the case illustrates how ransomware operators now combine kernel-level EDR killers with legitimate administrative tools to cripple enterprise defenses, with the usual consequences for the victims: operational disruption, regulatory scrutiny, and loss of customer and market confidence.
Source: https://www.theregister.com/2025/08/14/edr_killers_ransomware/
TPRM report: https://www.rankiteo.com/company/trend-micro
"id": "tre754081525",
"linkid": "trend-micro",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Financial Services',
'Manufacturing',
'Entertainment',
'Technology'],
'location': ['United States', 'Europe', 'Asia'],
'size': ['High-profile companies (likely large '
'enterprises)'],
'type': ['Corporations', 'Enterprises']}],
'attack_vector': ['Kernel-level EDR killers (RealBlindingEDR, EDRKillShifter)',
'BYOVD (Bring Your Own Vulnerable Driver) attacks',
'Abuse of legitimate tools (gpscript.exe, HRSword, Trend '
'Vision One uninstaller)',
'Compromised administrator privileges',
'Lateral movement via cloud networks (VPCs, Kubernetes, '
'APIs)'],
'data_breach': {'data_encryption': ['Confirmed (ransomware deployment)'],
'data_exfiltration': ['Confirmed (double extortion tactic)'],
'personally_identifiable_information': ['Possible (not '
'explicitly '
'detailed)'],
'sensitivity_of_data': ['High (targeting high-profile '
'industries)'],
'type_of_data_compromised': ['Corporate data',
'Potentially PII',
'Financial data (if '
'applicable)']},
'date_publicly_disclosed': '2025-08-14',
'description': 'At least a dozen ransomware gangs, including Crypto24, '
'Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, '
'Lynx, and INC, have incorporated kernel-level EDR killers '
'into their malware arsenal. These tools (e.g., customized '
'versions of RealBlindingEDR and EDRKillShifter) '
'disable endpoint detection and response (EDR) products from '
'major vendors (e.g., Sophos, Trend Micro, Kaspersky, '
'SentinelOne, Microsoft) by exploiting kernel-level hooks or '
'vulnerable drivers (BYOVD attacks). The gangs target '
'high-profile companies in financial services, '
'manufacturing, entertainment, and technology across the '
'US, Europe, and Asia, stealing and encrypting data before '
'demanding ransom. Attackers also abuse legitimate tools like '
'gpscript.exe (Group Policy utility) and HRSword '
'(commercial software) to disable EDR protections, escalate '
'privileges, and move laterally across networks, including '
'cloud environments (VPCs, Kubernetes, APIs).',
'impact': {'brand_reputation_impact': ['High (targeting high-profile '
'companies)',
'Potential loss of trust in affected '
"organizations' security posture"],
'data_compromised': ['Sensitive corporate data',
'Potentially PII (depending on target)'],
'identity_theft_risk': ['Possible (if PII stolen)'],
'operational_impact': ['Loss of EDR telemetry',
'Lateral movement undetected',
'Potential encryption of critical systems'],
'payment_information_risk': ['Possible (if financial services '
'targeted)'],
'systems_affected': ['Endpoint security tools (EDR/XDR)',
'Windows systems (via vulnerable drivers)',
'Cloud environments (VPCs, Kubernetes '
'clusters, APIs)',
'Group Policy infrastructure (abused via '
'gpscript.exe)']},
'initial_access_broker': {'backdoors_established': ['Likely (post-EDR '
'bypass)'],
'data_sold_on_dark_web': ['Possible (double '
'extortion model)'],
'high_value_targets': ['Financial services, '
'manufacturing, '
'entertainment, technology']},
'investigation_status': 'Ongoing (research by Trend Micro, Sophos, Cisco '
'Talos)',
'lessons_learned': ['Kernel-level EDR killers can blind or remove most '
'endpoint security tools once the attacker holds '
'administrator privileges.',
'Legitimate tools (e.g., gpscript.exe, HRSword) can be '
'repurposed for malicious purposes, evading detection.',
'Lateral movement in cloud environments (VPCs, '
'Kubernetes) is a critical blind spot when EDR telemetry '
'is disabled.',
'BYOVD attacks exploit signed but vulnerable drivers to '
'gain kernel-level access.',
'Double extortion (data theft + encryption) remains a '
'dominant ransomware tactic.'],
'motivation': ['Financial Gain (Ransom Extortion)',
'Data Theft for Double Extortion',
'Disruption of Operations'],
'post_incident_analysis': {'corrective_actions': ['Deploy kernel-level '
'integrity monitoring.',
'Implement strict driver '
'signing policies to '
'prevent BYOVD.',
'Segment networks to '
'limit lateral '
'movement.',
'Adopt zero-trust '
'architectures to contain '
'breaches.',
'Train teams on abuse of '
'legitimate tools (e.g., '
'Cobalt Strike, HRSword).'],
'root_causes': ['Over-reliance on EDR/XDR as a '
'single layer of defense.',
'Lack of visibility into '
'kernel-level attacks and lateral '
'movement.',
'Abuse of legitimate tools (e.g., '
'gpscript.exe, HRSword) for '
'malicious purposes.',
'Insufficient monitoring of '
'cloud-native environments (VPCs, '
'Kubernetes).']},
'ransomware': {'data_encryption': ['Yes (post-EDR bypass)'],
'data_exfiltration': ['Yes (pre-encryption for double '
'extortion)'],
'ransomware_strain': ['Crypto24',
'Blacksuit',
'RansomHub',
'Medusa',
'Qilin',
'Dragonforce',
'Crytox',
'Lynx',
'INC']},
'recommendations': ['Implement defense-in-depth strategies beyond EDR '
'(e.g., network segmentation, zero trust).',
'Monitor for unusual driver activity and '
'kernel-level tampering.',
'Restrict use of legitimate tools (e.g., '
'gpscript.exe) to authorized personnel only.',
'Enhance east-west traffic monitoring in cloud '
'environments (VPCs, Kubernetes, APIs).',
'Regularly audit signed drivers for vulnerabilities '
'(BYOVD prevention).',
'Assume breach mindset: Detect lateral movement even '
'when EDR is disabled.',
'Use behavioral-based detection to identify anomalous '
'activity post-compromise.'],
'references': [{'date_accessed': '2024-08-06',
'source': 'The Register',
'url': 'https://www.theregister.com/2025/08/14/edr_killers_ransomware/'},
{'source': 'Trend Micro Research'},
{'date_accessed': '2024-08-06',
'source': 'Sophos Report (Gabor Szappanos & Steeve '
'Gaudreault)'},
{'source': 'Cisco Talos (Kendall McKay)'}],
'response': {'enhanced_monitoring': ['Recommended for east-west traffic in '
'cloud environments'],
'network_segmentation': ['Recommended to limit lateral movement'],
'third_party_assistance': ['Trend Micro (research)',
'Sophos (research)',
'Cisco Talos (incident response)']},
'threat_actor': ['Crypto24 (new ransomware group, active since April 2024)',
'RansomHub (updated EDRKillShifter tool)',
'Blacksuit',
'Medusa',
'Qilin',
'Dragonforce',
'Crytox',
'Lynx',
'INC',
'BianLian (historically linked to EDRKillShifter)',
'Play (historically linked to EDRKillShifter)'],
'title': 'Ransomware Gangs Exploit Kernel-Level EDR Killers to Bypass '
'Endpoint Security Tools',
'type': ['Ransomware',
'Privilege Escalation',
'EDR Bypass',
'Data Theft',
'Lateral Movement'],
'vulnerability_exploited': ['Kernel-level hooks in EDR products (28+ vendors '
'targeted)',
'Vulnerable signed drivers (exploited via BYOVD)',
'Legitimate utilities repurposed for malicious '
'use (e.g., gpscript.exe)',
'Lack of monitoring for east-west traffic in '
'cloud environments']}
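As an added example (not code from The Register, Trend Micro, Sophos or Cisco Talos), the following Python runs the detections recommended above over constructed Sysmon-style events: a driver load whose hash sits on a vulnerable-driver blocklist or that comes from a user-writable directory (the BYOVD step of a kernel-level EDR killer), gpscript.exe spawning what looks like an EDR uninstaller, and a built-in kill tool targeting an EDR process or service. The blocklist hash, EDR process names, vendor directory names and all sample events are assumptions constructed for the example; in production, populate them from Microsoft's recommended driver block rules, loldrivers.io and your own agent inventory, and feed real Sysmon Event ID 1 and 6 records.

```python
"""Detection rules for the EDR-killer tradecraft described on this page.

Added example, not vendor code. Event records are a constructed subset of
Sysmon fields: event_id (1 = ProcessCreate, 6 = DriverLoad), image,
parent_image, command_line, image_loaded, hashes.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed reference data (constructed placeholders; replace with Microsoft's
# recommended driver block rules, loldrivers.io and your own agent inventory).
VULNERABLE_DRIVER_SHA256 = {"a" * 64: "placeholder vulnerable signed driver"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EDR_NAMES = {"tmccsf.exe", "ntrtscan.exe", "sentinelagent.exe", "msmpeng.exe"}  # illustrative
EDR_VENDOR_DIRS = ("trend micro", "sentinelone", "sophos", "windows defender")
KILL_TOOLS = {"taskkill.exe", "sc.exe", "net.exe", "pskill.exe", "wmic.exe"}
UNINSTALL_RE = re.compile(r"uninstall|msiexec\S*\s.*?/x\b|/remove\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Apply the three rules to a list of event dicts and return the Findings."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("event_id")
        if eid == 6:  # DriverLoad: the BYOVD step of a kernel-level EDR killer
            loaded = ev.get("image_loaded", "")
            sha = ev.get("hashes", {}).get("SHA256", "").lower()
            if sha in VULNERABLE_DRIVER_SHA256:
                findings.append(Finding("byovd_known_vulnerable_driver", i,
                                        f"{loaded} ({VULNERABLE_DRIVER_SHA256[sha]})"))
            elif loaded.lower().startswith(USER_WRITABLE_PREFIXES):
                # Unknown driver loaded from a drop location: signed or not, worth a look
                findings.append(Finding("driver_load_from_user_writable_path", i, loaded))
        elif eid == 1:  # ProcessCreate
            image = _base(ev.get("image"))
            parent = _base(ev.get("parent_image"))
            cmd = ev.get("command_line", "")
            cmd_l = cmd.lower()
            # gpscript.exe exists to run Group Policy scripts; a child that runs an
            # EDR uninstaller is the abuse described above. Ordinary logon-script
            # children are left alone to keep the rule quiet.
            if parent == "gpscript.exe" and (UNINSTALL_RE.search(cmd)
                                            or any(v in cmd_l for v in EDR_VENDOR_DIRS)):
                findings.append(Finding("edr_uninstall_via_gpscript", i, cmd))
            # Direct stop/kill of an EDR process or service by a built-in tool.
            if image in KILL_TOOLS and any(n in cmd_l or n[:-4] in cmd_l for n in EDR_NAMES):
                findings.append(Finding("edr_process_or_service_stop", i, cmd))
    return findings


# Constructed sample telemetry (not real logs): one benign process, one benign
# driver load, then the three behaviours of the attack chain, then a benign
# gpscript.exe child that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "hashes": {"SHA256": "b" * 64}},
    {"event_id": 6, "image_loaded": r"C:\Users\Public\rb.sys",
     "hashes": {"SHA256": "a" * 64}},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": r'cmd.exe /c "C:\Program Files\Trend Micro\Uninstall.exe" /silent'},
    {"event_id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "taskkill.exe /F /IM TmCCSF.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": r"cmd.exe /c \\dc01\netlogon\map_drives.cmd"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
```

Running the file prints three findings, one per stage of the chain, and nothing for the benign events. The gpscript.exe rule deliberately ignores ordinary logon-script children (the last sample event) so the alert stays rare; if your environment does not use Group Policy scripts at all, widen it, since then any gpscript.exe child is worth a look. The driver rules depend on Sysmon Event ID 6 still being emitted, which is exactly what an EDR killer takes away once its driver is loaded, so the first vulnerable-driver load is the alert that matters.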