HeartCrypt-Packed EDR Killer Used in Multiple Ransomware Campaigns


In August 2025, Sophos X-Ops exposed a sophisticated EDR killer campaign leveraging the HeartCrypt packer-as-a-service to disable endpoint defenses ahead of ransomware execution. Initially linked to RansomHub, the tool has since been adopted and adapted by multiple ransomware groups, showing evidence of cross-group knowledge sharing and tool evolution. By abusing stolen or expired code-signing certificates, the attackers load malicious drivers capable of terminating security processes from a wide range of vendors, clearing the way for encryption and data theft.

Severity Level: High

Threat Overview

    Origins and Evolution

    • Developed by RansomHub, replacing the earlier EDRKillShifter tool.
    • Distributed as different custom builds, all protected with HeartCrypt packing for evasion.
    • Indicators suggest a mature underground tool market and possible technical collaboration across ransomware groups.

    Execution Flow

    • Dropped by a loader or bundled within trojanized legitimate software (e.g., Beyond Compare Clipboard Compare tool).
    • Unpacks and loads a malicious kernel driver, often named differently per sample (mraml.sys, noedt.sys), with the filename hardcoded.
    • Driver is signed with compromised or expired digital certificates (e.g., Changsha Hengxiang Information Technology, Fuzhou Dingxin Trade).

    Capabilities

    • Terminates security processes and services, such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe.
    • Targets multiple security vendors: Bitdefender, Cylance, ESET, F-Secure, Fortinet, McAfee, HitmanPro, Kaspersky, Microsoft, SentinelOne, Sophos, Symantec, Trend Micro, Webroot.
    • Driver masquerades as legitimate software (e.g., CrowdStrike Falcon Sensor Driver) but contains malicious routines for process termination.

    Ransomware Associations

    • Used in campaigns by RansomHub, Qilin, MedusaLocker, DragonForce, INC, and others.
    • In several cases, the EDR killer was deployed immediately before ransomware encryption, sometimes via zero-day exploitation (e.g., SimpleHelp RCE).
    • Observed with layered packing for additional stealth in more recent incidents.

    Recommendations

    1. Patch known vulnerabilities in remote access/support software, especially SimpleHelp and similar platforms.
    2. Enforce strict driver signature verification, blocking drivers signed with revoked, expired, or untrusted certificates.
    3. Alert on detection of mass security tool termination attempts.
    4. Enable application allowlisting to prevent execution of unapproved binaries in sensitive environments.
    5. Train analysts to recognize driver abuse patterns and abnormal process/service terminations.
    6. Conduct simulated attacks in red-team exercises to test response to EDR tampering.
    7. Block the IOCs at their respective controls:
       https://www.virustotal.com/gui/collection/ffb7aba29f182b8eb74731c4cad1420a87ad5c80b7cc261c9e3ca1abfa544fa1/iocs
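    The following is an added example, not code from the Sophos report or from this advisory, showing how recommendations 2 and 3 above can be turned into simple detection logic. It runs over constructed event records (the record layout, field names and timestamps are assumptions for the example; the signer names, driver filenames and security process names are taken from the advisory text). A real deployment would read driver-load and process-termination events from the endpoint telemetry source and check the full certificate chain and revocation status rather than a signer string.

```python
"""Added example (not from the Sophos report or this advisory): a small
detector that illustrates two of the recommendations above on constructed
log records.

  1. Flag kernel-driver loads whose signer is on an untrusted list or whose
     certificate had already expired at load time.
  2. Flag a burst of terminations of security-vendor processes within a
     short window (mass EDR tampering).

The event dictionaries, their field names and all timestamps are
constructed for the example. Signer names, driver filenames and process
names come from the advisory text.
"""
from datetime import datetime, timedelta

# Signers the advisory names as abused (compromised or expired certificates).
UNTRUSTED_SIGNERS = {
    "Changsha Hengxiang Information Technology",
    "Fuzhou Dingxin Trade",
}

# Security-product processes the advisory lists as termination targets.
SECURITY_PROCESSES = {
    "MsMpEng.exe", "SophosHealth.exe", "SAVService.exe", "sophosui.exe",
}


def parse_ts(s):
    """Parse the constructed ISO-like timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def check_driver_load(event):
    """Return the reasons a driver-load event is suspicious (empty list = clean)."""
    reasons = []
    if event["signer"] in UNTRUSTED_SIGNERS:
        reasons.append("signer on untrusted/revoked list")
    # A certificate that expired before the load time should never be accepted.
    if parse_ts(event["cert_not_after"]) < parse_ts(event["time"]):
        reasons.append("certificate expired before load time")
    return reasons


def find_mass_termination(events, window=timedelta(seconds=60), threshold=3):
    """Return the largest set of distinct security processes terminated inside
    any `window`-long span that reaches `threshold`; an empty set otherwise."""
    kills = sorted(
        (parse_ts(e["time"]), e["image"]) for e in events
        if e["type"] == "process_terminate" and e["image"] in SECURITY_PROCESSES
    )
    best = set()
    for i, (t0, _) in enumerate(kills):
        # kills is sorted, so everything from index i onward is at or after t0.
        in_window = {img for t, img in kills[i:] if t - t0 <= window}
        if len(in_window) >= threshold and len(in_window) > len(best):
            best = in_window
    return best


# Constructed sample telemetry: one malicious driver load followed by a burst
# of security-process terminations, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "driver_load", "time": "2025-08-01T10:00:00", "image": "mraml.sys",
     "signer": "Changsha Hengxiang Information Technology",
     "cert_not_after": "2024-03-01T00:00:00"},
    {"type": "process_terminate", "time": "2025-08-01T10:00:05", "image": "MsMpEng.exe"},
    {"type": "process_terminate", "time": "2025-08-01T10:00:06", "image": "SophosHealth.exe"},
    {"type": "process_terminate", "time": "2025-08-01T10:00:07", "image": "SAVService.exe"},
    {"type": "process_terminate", "time": "2025-08-01T10:00:08", "image": "sophosui.exe"},
    {"type": "process_terminate", "time": "2025-08-01T10:30:00", "image": "notepad.exe"},
    {"type": "driver_load", "time": "2025-08-01T09:00:00", "image": "benign.sys",
     "signer": "Example Vendor (constructed)",
     "cert_not_after": "2027-01-01T00:00:00"},
]


def analyze(events):
    """Run both checks over a list of events and return alert strings."""
    alerts = []
    for e in events:
        if e["type"] == "driver_load":
            reasons = check_driver_load(e)
            if reasons:
                alerts.append(f"driver {e['image']}: " + "; ".join(reasons))
    killed = find_mass_termination(events)
    if killed:
        alerts.append("mass security-process termination: " + ", ".join(sorted(killed)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The threshold and window are deliberately conservative defaults; a single security service restarting during an update should not trip the burst rule, whereas several distinct vendor processes dying within a minute of an unusual driver load is the pattern described in the advisory.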

    Source:

    • https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/

    Ampcus Cyber