Ransomware Actors Are Using a Tool Called AuKill to Exploit Vulnerable Drivers and Disable EDR Defenses

Cyberthreat actors are using a new ransomware attack evasion tool dubbed AuKill to disable endpoint detection & response (EDR) defenses before launching their attacks. Using a “bring your own vulnerable driver (BYOVD)” attack, AuKill exploits the vulnerabilities of an outdated edition of the driver used by version 16.32 of the Microsoft utility Process Explorer, exposing the target to a backdoor or ransomware assault. It has been used for at least three cyberattacks in 2023, laying way for either a Medusa Locker or LockBit attack, but researchers from cybersecurity and EDR-provider Sophos have found at least six iterations of the tool, dating back to 2022.

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

A BYOVD attack requires a legitimately signed, outdated, and vulnerable driver to work, and AuKill utilizes ill-gotten administrative privileges to exploit weaknesses. This isn’t the first time that the Microsoft-signed Process Explorer driver has been weaponized for cyberattacks. LockBit users deployed an open-source tool known as Backstab to abuse the driver and eliminate anti-malware processes, and a malvertising campaign was caught in early 2023 leveraging the driver’s weakness to deploy FormBook, an information-theft malware.

To Try to protect their systems from BYOVD attacks like these, experts recommend keeping drivers and other systems up-to-date and deploy endpoint protection, tamper protection, and vulnerability management measures.