Researchers have uncovered a new kind of malicious software that has been hiding in plain sight for quite some time.

It has been determined that the piece of malware known as AuKill is a powerful tool used to deactivate Endpoint Detection and Response (EDR) systems by utilizing Bring Your Own Vulnerability Discovery (BYOVD) methods. The ransomware assaults that have occurred recently have seen hackers deploy this technology.

The ransomware tries to terminate EDR processes of the device that is targeted and to achieve it, it make use of driver’s older version which is the 16.32 version of Microsoft Process Explorer.

Table of Contents

How exactly does AuKill work, and how does it compromise your security?

This tactic is widely used by a wide variety of threat actors, including hacking organizations supported by states and ransomware gangs motivated primarily by financial gain.

The malicious software known as AuKill, which was discovered for the first time by security researchers working for Sophos X-Ops, installs a weak Windows driver right next to the one that is used by Microsoft’s Process Explorer v16.32.

This is a fairly well-known and legal program that assists in the collection of information about active processes running under Windows.

It begins by determining whether or not it is currently operating with SYSTEM privileges before attempting to elevate those access. If it is not, it impersonates the TrustedInstaller Windows Modules Installer service in order to achieve the desired result.

AuKill runs many threads to continually investigate and disable security processes and services. This is done so that security software may be stopped.

Since the beginning of the year, various variants of AuKill are active in the wild. Some of these versions have been used in at least three distinct events that have resulted in infections with the ransomware families Medusa Locker and LockBit.

Why has AuKill gained so much popularity?

The researchers found that AuKill was actively participating in recent ransomware attacks. These two instances involve occurrences of ransomware known as Medusa Locker that took place in January and February 2023, as well as an attack known as LockBit that took place in February.

Currently, six distinct versions of the AuKill virus have been identified, which is indicative of the continual increase in the harmful capabilities it had. However, the analysis of the virus identified significant similarities with the open-source utility Backstab, which has previously been used in harmful operations.

These similarities suggest that AuKill is not an original piece of software. Therefore, it would seem that the creators of the malicious software derived their own program by using various code snippets from Backstab.

How can you defend yourself against cyberattacks including ransomware?

It is very necessary to take measures to protect yourself against ransomware attacks, and in the following part, we will go over some of the most useful preventative measures.

Measure #1

To begin, being proactive is the single most effective measure you can take to defend yourself against ransomware assaults.

Make sure that your computer’s operating system and all of its applications have the most recent updates and patches for their respective security systems.

Updating to the most recent version of software may help prevent ransomware attacks since cybercriminals often target weaknesses found in older software.

Measure #2

Second, while opening email attachments or clicking on links, particularly from unknown sources, you should use extreme caution at all times.

Phishing emails are often used by cybercriminals to deceive consumers into installing malicious software or clicking on links that take them to infected websites while attempting to spread ransomware.

As a result, it is crucial to maintain vigilance and avoid opening any emails or attachments that seem suspicious.

Measure #3

When surfing the internet, it is a good idea to protect yourself against ransomware attacks by connecting to the internet over a virtual private network.

A virtual private network (VPN) may encrypt your internet traffic, making it more difficult for adversaries to intercept and monitor your behavior while you are connected to the internet; hence, it is safe to say that a VPN server is just one tool in your security arsenal against ransomware attacks that you can depend on.

It is also possible for it to conceal your IP address, making it more difficult for potential attackers to determine where you are and precisely target you.

Measure #4

It is also essential that you create backups of your data regularly. If you fall victim to ransomware, keeping a backup of your most important data might assist you in resetting your system to the way it was before the assault.

Make sure that your backups are kept on a different device or in the cloud so that they are not compromised by the ransomware attack.

Measure #5

Lastly, make sure you constantly use a reputable antivirus program. Having antivirus software installed on your computer enables it to identify and stop ransomware infections.

Make sure that your anti-virus software is kept up to date at all times so that it can provide you with the best possible security.

In conclusion, to defend oneself against ransomware attacks, you will need to take both preventative steps and exercise extreme vigilance.

Using a Virtual Private Network (VPN), frequently backing up your data, keeping your software up to date, being careful when opening emails or attachments, using dependable antivirus software, and utilizing trustworthy antivirus software may all help against ransomware attacks.

You may considerably lower the danger of falling victim to a ransomware assault by putting these precautions into effect.

Related Posts:

Ransomware Hackers Using AuKill Tool: How to Protect Yourself?

How exactly does AuKill work, and how does it compromise your security?

Why has AuKill gained so much popularity?