AuKill Exploits Process Explorer Utility via BYOVD, Deploys Ransomware
24 April 2023
Sophos X-Ops uncovered a defense evasion tool called AuKill. The tool abuses an outdated version of the driver shipped with version 16.32 of the Microsoft utility Process Explorer, in a bring-your-own-vulnerable-driver (BYOVD) attack, to disable EDR processes before deploying either a backdoor or ransomware on the targeted system. Since the beginning of 2023, the tool has been used to drop the Medusa Locker and LockBit ransomware strains.