Ransomware attacks are constantly evolving, and recent research highlights a concerning new tactic where threat actors are abusing Endpoint Detection and Response (EDR) tools themselves to execute malware silently inside victim networks.
According to a BleepingComputer report, an initial access broker (IAB) tracked as Storm-0249 used trusted EDR components and built-in Windows utilities to load malware, establish command channels, and persist on systems without triggering conventional detections, paving the way for follow-on ransomware operations.
This shift in ransomware methodology should be alarming to business owners and IT decision makers because it illustrates how attackers are not just bypassing security defenses, but actively turning them into execution and persistence mechanisms.
How Attackers Are Abusing EDR Tools
In the incident analyzed by cybersecurity firm ReliaQuest, Storm-0249 leveraged components of the SentinelOne EDR platform to mask its malicious activity. The attack began with a simple social engineering trick that convinced a user to run a command which downloaded a malicious MSI and installed it with elevated privileges. A PowerShell script fetched from a spoofed Microsoft domain was then executed entirely in memory, so no payload ever touched disk for a file-based scanner to inspect.
Most troubling was how the attacker abused a legitimate EDR process as a trusted execution environment. By placing a malicious DLL alongside an EDR executable and letting that executable load it, the attacker ran malicious code under the guise of normal EDR operations. This works because the Windows loader searches the application's own directory first when a DLL is referenced by name, and the digital signature on the host executable says nothing about the DLLs it loads: unless the process runs as a protected process or a code-integrity policy such as WDAC is enforced, Windows does not require those DLLs to be signed at all. Because the malicious code ran inside a signed, vendor-trusted process, most traditional security tools either ignored the activity or failed to flag it as suspicious.
This type of approach flips the conventional endpoint security model on its head. Instead of threat actors trying to evade detection by staying below a tool’s radar, they are exploiting the trust and privileges built into EDR technologies to blend malicious code with legitimate processes. For defenders relying solely on Detect and Respond tools, this represents a serious blind spot.
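The side-loading pattern described above does leave a trace: the module load itself is visible in endpoint telemetry, for example as a Sysmon Event ID 7 (Image Loaded) record, but it looks like routine activity unless something compares the load against what that executable should be doing. The following detection logic is an added example written for this article, not code from ReliaQuest, SentinelOne or AppGuard. It applies two heuristics to JSON-lines Sysmon records: an unsigned (or invalidly signed) DLL loaded from the host executable's own directory, and a known vendor executable running from somewhere other than its expected install path. The `KNOWN_HOSTS` inventory, the `trustedhost.exe` name and the sample events are all constructed for the example.

```python
"""Detection logic for DLL side-loading in Sysmon Event ID 7 (Image Loaded) records.

In a Sysmon EID 7 record the Signed / Signature / SignatureStatus fields describe
the loaded module (ImageLoaded), not the host process (Image). Two heuristics:

  1. unsigned-dll-from-app-dir: the host loads a DLL that is not validly signed
     from the host executable's own directory, which is exactly where the loader
     looks first for an unqualified DLL name.
  2. relocated-host: a known vendor executable runs from a directory other than
     its expected install location (a signed binary copied into a staging dir).

KNOWN_HOSTS and SAMPLE_EVENTS are constructed for this example; populate the
inventory from your own software inventory in practice.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Constructed inventory: expected install directory (lower-case, trailing
# backslash) of vendor binaries that make attractive side-loading hosts.
KNOWN_HOSTS = {
    "trustedhost.exe": "c:\\program files\\vendor\\",
}

# Constructed Sysmon EID 7 records, one JSON object per line.
SAMPLE_EVENTS = [
    # A: relocated vendor binary loads an unsigned version.dll from its own dir
    json.dumps({"ProcessId": 4120, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage\\trustedhost.exe",
                "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage\\version.dll",
                "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}),
    # B: the same product, installed normally, loading a system DLL
    json.dumps({"ProcessId": 2200, "Image": "C:\\Program Files\\Vendor\\trustedhost.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
                "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    # C: installed normally, but an unsigned helper sits beside it (noisy but worth a look)
    json.dumps({"ProcessId": 2200, "Image": "C:\\Program Files\\Vendor\\trustedhost.exe",
                "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
                "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}),
    # D: relocated binary loading a legitimate system DLL
    json.dumps({"ProcessId": 4120, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage\\trustedhost.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
                "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
]


def _dir_of(path: str) -> str:
    """Normalised lower-case parent directory with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def _validly_signed(event: dict) -> bool:
    """Only a present signature that Sysmon could validate counts as trusted."""
    return event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"


def check_event(event: dict) -> list[str]:
    """Return the names of the rules the event matches (empty list if none)."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not image or not loaded:
        return []
    hits: list[str] = []
    host_dir = _dir_of(image)
    if loaded.lower().endswith(".dll") and _dir_of(loaded) == host_dir and not _validly_signed(event):
        hits.append("unsigned-dll-from-app-dir")
    expected = KNOWN_HOSTS.get(PureWindowsPath(image).name.lower())
    if expected and host_dir != expected:
        hits.append("relocated-host")
    return hits


def scan(lines) -> list[dict]:
    """Run check_event over JSON-lines Sysmon records and return the flagged ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = check_event(event)
        if hits:
            findings.append({"ProcessId": event.get("ProcessId"), "Image": event["Image"],
                             "ImageLoaded": event["ImageLoaded"], "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Event A trips both rules and is the case from the article; event C shows that the first rule alone is noisy (vendors do ship unsigned helpers), which is why pairing it with the relocated-host rule, or with an expected-imports list for the product, is what turns it into an alert rather than a hunt query.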
Why Detect and Respond Alone Is No Longer Enough
Most EDR products function by analyzing behavior, detecting anomalies, and alerting defenders so they can respond to threats. This model works when attackers generate distinct indicators of compromise or clearly malicious behavior. But techniques like loading malware inside trusted processes, using living-off-the-land binaries (LOLBins), or abusing legitimate tools for execution minimize those indicators: the telemetry is still generated, but each event looks like routine activity from a trusted program unless it is compared against what that program normally does.
Recent research and incident responses show that ransomware attackers are also adopting specialized utilities designed to disable or bypass endpoint defenses. Multiple ransomware operations are employing so-called “EDR killers” or tools that neutralize detection engines early in an attack, rendering them ineffective and allowing ransomware payloads to run unimpeded.
When defenders wait to detect threats and then respond, attackers often have enough time to establish a foothold, move laterally, and encrypt critical systems before the incident response team can contain the damage.
The Case for Isolation and Containment
Given these advanced techniques, the security model needs to shift from Detect and Respond to Isolation and Containment. Instead of waiting to see malicious indicators, proactive containment stops an unauthorized process from executing in the first place, even if it tries to misuse trusted tools or EDR agents. This model drastically reduces the attack surface available to ransomware actors by isolating behavior that falls outside approved application interactions and business logic.
That is where AppGuard comes in. With a proven 10-year track record of stopping unknown threats and zero-day malware, AppGuard uses sophisticated isolation technology to prevent malicious code from executing at all—not just detecting it after the fact. AppGuard treats every executable action with strict enforcement of policy, making it nearly impossible for attackers to misuse trusted processes or launch payloads inside high-privilege contexts.
Rather than relying on EDR tools that attackers can misuse or disable, AppGuard enforces containment at the system level, making sure that only authorized actions are allowed to run. This effectively blocks modern ransomware techniques like DLL sideloading, memory-only execution, and trusted process abuse.
What This Means for Your Business
Ransomware incidents do more than disrupt IT systems. They can shut down operations, expose customer data, damage reputation, and cost organizations millions in recovery and legal fees. As threat actors become more sophisticated, business owners can no longer justify relying entirely on Detect and Respond technologies that assume malicious behavior will always show detectable signs early enough to catch it.
It is time to move to Isolation and Containment.
Talk with us at CHIPS to learn how AppGuard can protect your business from these advanced ransomware threats. With AppGuard’s proven isolation technology, you can prevent attackers from executing malware even when they try to exploit your existing security tools. Don’t wait until a ransomware incident impacts your business—reach out today to strengthen your defenses.
December 24, 2025