Threat Research

Why Your Data Is Still at Risk — Even If You Have an XDR: The 2025 Ransomware Reality Check

Nihar Deshpande, Senior Staff Security Researcher

For years, organizations have placed enormous trust in their primary defenses.
“We already have an XDR,” they say.
“We’re protected.”

But the threat landscape of 2024–2025 has made one thing painfully clear:

EDR/XDR alone is no longer enough to keep your data safe.

Today’s ransomware groups are not only capable of bypassing primary security, they are built for it. Their entire operational playbook revolves around identifying, disabling, and evading the very controls organizations believe will save them.

If you think having an EDR means you’re safe, this blog will change your mind.

1. Ransomware Groups Are Defeating EDR/XDR Every Single Day

Let’s begin with a hard truth:
Every major ransomware group today includes EDR/XDR bypass as a core capability.

Here’s what they are doing right now, across real-world incidents:

RansomHub

A major RaaS (Ransomware-as-a-Service) operation active globally, known for rapid affiliate growth since 2023–2024.
Targets healthcare, finance, manufacturing, and public-sector organizations through credential theft and partner-assisted intrusions.
Defense Evasion Technique: Clears logs, abuses WMI (Windows Management Instrumentation), deploys custom EDR-disabling modules, and uses BYOVD (Bring-Your-Own-Vulnerable-Driver) to neutralize endpoint protection.

BlackSuit (formerly Royal)

A rebrand of the Royal ransomware group, linked to Conti/TrickBot heritage, and known for enterprise-scale intrusions.
Relies on stolen admin credentials and lateral movement across Active Directory environments.
Defense Evasion Technique: Alters Group Policy Objects (GPOs) to weaken security controls and uses GMER and PowerTool to terminate EDR and kernel-protected processes.

Black Basta

A high-impact RaaS operation active since 2022, widely targeting healthcare, telecom, and critical infrastructure.
Intrusions frequently begin via phishing, VPN compromise, or exploit-based access.
Defense Evasion Technique: Executes Backstab and PowerShell-based kill scripts to disable antivirus and security services before encryption.

Akira

A fast-growing ransomware group affecting organizations in education, IT services, and manufacturing.
Notable for supporting Windows, Linux, and ESXi environments, including VM-based deployments.
Defense Evasion Technique: Runs from isolated virtual machines, abuses vulnerable anti-malware drivers, and terminates monitoring processes at the kernel level.

Phobos

A long-running ransomware strain typically spread through weak RDP exposure and credential compromise.
Primarily targets SMBs, municipal networks, and healthcare providers.
Defense Evasion Technique: Modifies firewall and RDP settings, uses ProcessHacker to kill protected processes, and clears critical event logs.

Play (PLAY Ransomware)

An aggressive group that frequently targets governments, manufacturing, and public entities.
Often gains access via credential theft or exploitation of Exchange vulnerabilities like ProxyNotShell.
Defense Evasion Technique: Uses recon from infostealers, identifies EDR installations, and leverages GMER + PowerShell to disable Microsoft Defender and remove telemetry logs.

Rhysida

Known for attacks on hospitals, universities, and government organizations, often linked with extortion-style impact.
Moves laterally using stolen credentials and existing remote management tools.
Defense Evasion Technique: Leverages valid credentials to access VMware/NAS systems and runs LOTL scripts such as SilentKill to quietly terminate AV and endpoint services.

Snatch

A distinctive ransomware family active since 2019, known for its Safe Mode encryption technique.
Often spreads through brute-forced RDP and exposed remote access services.
Defense Evasion Technique: Forces reboot into Safe Mode, where most security tools are inactive, enabling encryption without interference.

LockBit

One of the most prolific RaaS families globally, backed by a large affiliate structure and rapid version updates.
Responsible for thousands of breaches across critical infrastructure and enterprise environments.
Defense Evasion Technique: Uses a vast kill-chain toolkit including Backstab, TDSSKiller, DefenderControl, BatArmor, and multiple custom modules to disable EDR, AV, and system protections.

In other words:

Ransomware isn’t just encrypting systems anymore — it’s actively hunting and disabling your EDR/XDR before it ever begins encryption.

2. How These Groups Bypass EDR/XDR (Their Evasion Techniques)

Despite differences in branding, affiliates, methods, and tooling, the evasion principles remain identical across all groups:

✓ Disabling or impairing security tools

Using tools like ProcessHacker, PowerTool, Backstab, DefenderControl.

✓ Kernel-level tampering via BYOVD

Loading signed-but-vulnerable drivers to gain ring-0 control.

✓ Living-off-the-land (LOTL)

Abusing PowerShell, WMIC, certutil, schtasks, and PsExec to remain invisible.

✓ GPO manipulation and registry tampering

Modifying system policies to degrade security silently.

✓ Credential theft for stealthy lateral movement

Using legitimate credentials that EDR sees as “normal admin activity.”

✓ Anti-forensic cleanup

Deleting logs, clearing tracks, and erasing event traces before encrypting.
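Several of the techniques listed above leave recognizable traces in the Windows event logs even when the endpoint agent itself is impaired: the Security log records its own clearing (Event ID 1102), the System log records a new driver service (7045) and security services stopping (7036), and process-creation auditing (4688) captures the command lines. The following detection logic is an added example and not part of the original post; it runs over constructed event records whose field names follow the Windows Security/System logs, and the rule names, the watchlist of security service names, and the sample values are assumptions made for the demo.

```python
"""Detection logic for the evasion patterns above, run over constructed Windows event records.

Added example (not from the Druva post). The events are invented for the demo; field names
are modelled on the Windows Security/System logs, and the rule names are my own.
"""
import re

DRIVER_DIR = r"c:\windows\system32\drivers"
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc"}  # assumption: service names to watch on this host

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4688, "channel": "Security", "CommandLine": "wevtutil cl Security"},
    {"id": 1102, "channel": "Security", "SubjectUserName": "svc_admin"},
    {"id": 7045, "channel": "System", "ServiceName": "hwmon",
     "ImagePath": r"C:\Users\Public\hwmon.sys", "ServiceType": "kernel mode driver"},
    {"id": 4688, "channel": "Security", "CommandLine": "bcdedit /set {default} safeboot network"},
    {"id": 7036, "channel": "System", "ServiceName": "WinDefend", "State": "stopped"},
    {"id": 4688, "channel": "Security", "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"id": 7045, "channel": "System", "ServiceName": "acpiex",
     "ImagePath": r"C:\Windows\System32\drivers\acpiex.sys", "ServiceType": "kernel mode driver"},
]


def evaluate(event):
    """Return the names of the evasion rules a single event matches (empty list if none)."""
    hits = []
    eid, chan = event.get("id"), event.get("channel", "")
    cmd = event.get("CommandLine", "").lower()

    # Anti-forensic cleanup: the log itself reports that it was cleared...
    if (eid, chan) in {(1102, "Security"), (104, "System")}:
        hits.append("event_log_cleared")
    # ...or process-creation auditing shows the clearing command (wevtutil cl <log>).
    if eid == 4688 and "wevtutil" in cmd and re.search(r"\b(cl|clear-log)\b", cmd):
        hits.append("log_clear_command")
    # Safe Mode boot configuration change (the Snatch pattern: most security tools do not start there).
    if eid == 4688 and "bcdedit" in cmd and "safeboot" in cmd:
        hits.append("safeboot_configured")
    # BYOVD: a new kernel driver service whose image lives outside the drivers directory.
    if eid == 7045 and "kernel" in event.get("ServiceType", "").lower():
        if not event.get("ImagePath", "").lower().startswith(DRIVER_DIR):
            hits.append("driver_installed_outside_drivers_dir")
    # A watched security service entered the stopped state.
    if (eid == 7036 and event.get("ServiceName", "").lower() in SECURITY_SERVICES
            and event.get("State", "").lower() == "stopped"):
        hits.append("security_service_stopped")
    return hits


def scan(events):
    """Map the index of each matching event to the rule names it triggered."""
    findings = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event[{idx}] id={SAMPLE_EVENTS[idx]['id']}: {', '.join(rules)}")
```

The point of keeping these rules outside the endpoint agent (in a SIEM or a log forwarder that ships events off-host as they are written) is that an attacker who disables the agent or clears the local log cannot retract what has already been forwarded; the 1102 event in particular is worth an immediate page, because legitimate administrators rarely clear the Security log.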

A Full Real-World Example: Ransomware Using API Unhooking to Defeat EDR

One of the most direct and powerful ways to blind an EDR is API unhooking, used by both malware families and modern ransomware.

This technique specifically targets userland API hooks inside ntdll.dll — the same hooks EDR relies on for monitoring suspicious behaviors.

How EDR Hooks APIs

EDR injects JMP instructions at the start of sensitive functions such as:

  • NtOpenProcess
  • NtWriteVirtualMemory
  • NtCreateThreadEx

The diagram (not reproduced here) explains hooking and unhooking in simple terms: how EDR detects activity, and how malware evades hooks.

This lets the EDR intercept process injection, memory tampering, or thread creation.

How Ransomware Detects Hooks

The malware compares:

  • In-memory bytes of ntdll (hooked)
  • On-disk bytes of ntdll (clean)

A mismatch tells it that an EDR hook is active.

How Ransomware Removes Hooks

Gazprom ransomware demonstrates this technique clearly:

  1. Load a clean copy of ntdll.dll from disk
  2. Make hooked memory pages writable
  3. Restore the original bytes into memory
  4. Remove the EDR’s JMP redirection
  5. Return memory protections

Here’s pseudocode similar to what Gazprom ransomware uses:

void UnhookAPI(const char* dllPath, void* funcAddr, size_t len) {
    // Pseudocode: the elided CreateFile arguments and the helper name are the post's own placeholders
    HANDLE hFile = CreateFile(dllPath, ...);                                       // step 1: open the clean DLL on disk
    BYTE* cleanPrologue = GetFunctionPrologueFromMappedDLL(hFile, funcAddr, len);  // read the original prologue bytes

    DWORD oldProtect;
    VirtualProtect(funcAddr, len, PAGE_EXECUTE_READWRITE, &oldProtect);           // step 2: make the hooked page writable

    memcpy(funcAddr, cleanPrologue, len);                                          // steps 3-4: overwrite the hook (removes the JMP)
    VirtualProtect(funcAddr, len, oldProtect, &oldProtect);                        // step 5: restore the original protection
}

What Happens After Unhooking

Once hooks are gone, ransomware can perform:

  • Process injection
  • Remote thread creation
  • Reflective DLL loading
  • Memory manipulation

…all without EDR visibility.

The EDR remains “running” but is effectively blind.

Used In

  • Agent Tesla (documented by HP Threat Research)
  • Gazprom ransomware (SANS FOR610 analysis)
  • Red-team frameworks
  • Full DLL remapping/unhooking techniques

This is one of the cleanest, most reliable EDR bypasses in modern malware.
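The same byte comparison that lets malware find a hook lets the defender find its removal: an agent that records the bytes it wrote at install time can periodically re-read each prologue and classify it as intact, restored to the on-disk original (the unhooking pattern described above), or overwritten with something else. The following simulation is an added example and not code from the post or from any vendor; it covers both the hook installation described under "How EDR Hooks APIs" and the integrity check. The "function images" are constructed byte strings standing in for ntdll prologues, the JMP encoding (E9 rel32) is real x86, and the addresses and syscall numbers are invented.

```python
"""Hook-integrity check from the defender's side: detect that a userland hook was restored.

Added example, not code from the post. The function images below are constructed byte strings
standing in for ntdll prologues; the addresses and syscall numbers are invented.
"""
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump an EDR typically writes at a function start
HOOK_LEN = 5

# Constructed clean prologues (mov r10, rcx ; mov eax, <invented syscall id>), keyed by function name.
CLEAN_IMAGE = {
    "NtOpenProcess":        bytes.fromhex("4c8bd1b826000000"),
    "NtWriteVirtualMemory": bytes.fromhex("4c8bd1b83a000000"),
    "NtCreateThreadEx":     bytes.fromhex("4c8bd1b8c1000000"),
}


def install_hook(memory, name, func_addr, trampoline_addr):
    """Write an E9 rel32 jump over the first 5 bytes, as an EDR hook would; return the hooked bytes."""
    rel = trampoline_addr - (func_addr + HOOK_LEN)          # rel32 is relative to the end of the JMP
    patch = bytes([JMP_REL32]) + struct.pack("<i", rel)
    memory[name] = patch + memory[name][HOOK_LEN:]
    return memory[name]


def decode_jmp_target(func_addr, observed):
    """Return the absolute target of a JMP rel32 at func_addr, or None if no JMP is present."""
    if len(observed) < HOOK_LEN or observed[0] != JMP_REL32:
        return None
    rel = struct.unpack("<i", observed[1:HOOK_LEN])[0]
    return func_addr + HOOK_LEN + rel


def classify(observed, clean, expected_hooked):
    """Compare the bytes now in memory against what the EDR wrote and against the on-disk original."""
    if observed == expected_hooked:
        return "intact"
    if observed == clean:
        return "unhooked"     # exact restoration of the clean prologue: the unhooking pattern above
    return "tampered"         # something else overwrote the prologue (another hook, a patch, ...)


def audit(memory, clean_image, expected):
    """Classify every hooked function; any result other than 'intact' is an alert."""
    return {name: classify(memory[name], clean_image[name], expected[name]) for name in expected}


def run_scenario():
    """Constructed scenario: hook three functions, then one is restored and one is patched differently."""
    memory = dict(CLEAN_IMAGE)                      # stands in for the process's mapped ntdll
    func_addrs = {                                  # invented addresses
        "NtOpenProcess":        0x7FF8_1000_0000,
        "NtWriteVirtualMemory": 0x7FF8_1000_0100,
        "NtCreateThreadEx":     0x7FF8_1000_0200,
    }
    trampoline = 0x7FF8_2000_0000                   # invented EDR trampoline page
    expected = {n: install_hook(memory, n, a, trampoline) for n, a in func_addrs.items()}

    # Unhooking as described above: clean bytes copied back over the hook.
    memory["NtOpenProcess"] = CLEAN_IMAGE["NtOpenProcess"]
    # A different modification: first byte replaced with int3 (0xCC).
    memory["NtCreateThreadEx"] = b"\xcc" + memory["NtCreateThreadEx"][1:]
    return audit(memory, CLEAN_IMAGE, expected)


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(f"{name}: {status}")
```

Two design points carry over to real agents. First, the check has to run from a component the unhooking cannot reach (a kernel driver or a separate process), because a user-mode verifier in the same process can be patched just like the hook. Second, a prologue that exactly matches the on-disk image is itself a high-confidence signal, since no legitimate code path rewrites an EDR's hook back to the original bytes; this is one reason mature products pair userland hooks with kernel callbacks and ETW telemetry rather than relying on the hooks alone.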

3. MITRE ATT&CK Shows the Full Picture

Defense evasion is not a niche skill — it is a formalized discipline with an entire MITRE matrix dedicated to it:

https://attack.mitre.org/tactics/TA0005/

  • 47 techniques
  • 168+ sub-techniques

Including:

  • Impair Defenses
  • Hide Artifacts
  • Masquerading
  • Deactivate Security Tools
  • Modify Registry
  • DLL Hijacking
  • PowerShell Obfuscation
  • BYOVD
  • Signed Binary Proxy Execution

Everything ransomware groups are doing today fits perfectly into this framework.
They follow it because it works.

4. Palo Alto Networks Data Confirms the Industry Problem

In the 2025 Global Incident Response Report, Palo Alto Networks Unit 42 revealed alarming findings:

➡ 30% of all defense-evasion activity

involved impairing or disabling endpoint protections (EDR/AV), often through BYOVD exploits.

➡ 86% of ransomware/extortion attacks

resulted in operational disruption despite EDR/XDR being fully deployed.

➡ Attackers exploit EDR/XDR complexity

including telemetry gaps, overlapping agents, and misconfigurations.

➡ LOTL abuse is skyrocketing

because it leaves almost no artifacts for EDR to analyze.

This is not theoretical research — it is real-world incident data.

5. Emerging Threat Trends Making EDR Bypass Easier Than Ever

The threat landscape is evolving faster than endpoint tools can adapt.

Software Supply Chain Attacks

Attackers now infiltrate the vendors YOU trust. Once poisoned, updates bypass every endpoint control.

Insider Threats

No EDR can block an employee or contractor who legitimately has access.

AI-Assisted Malware & Ransomware

AI generates:

  • new payloads
  • obfuscated variants
  • sandbox-evasive behavior
  • deepfake-based social engineering
  • automated lateral movement

At speeds defenders cannot keep up with.

BYOVD Explosion

Driver-level control lets attackers kill EDR processes that were once “protected.”

LOTL Abuse

Using legitimate executables (powershell.exe, certutil.exe, wmic.exe) creates almost no detectable footprint.

Conclusion: EDR/XDR Is the Lock. Backup Is the Lifeboat.

Security tools are necessary. EDR/XDR is essential. But neither is infallible.

Ransomware has evolved beyond prevention. Attackers have outpaced detection. And the threat landscape increasingly revolves around bypassing endpoint security.

Backup isn’t Plan B — it is the foundation of modern cyber resilience.

If your organization wants to survive a breach, a compromise, or a full-scale encryption event, you need a platform that guarantees your data can always be recovered — no matter what fails.

Druva Blog: Cloud Technology & Data Protection Articles