Shanya Packer-as-a-Service: When Ransomware Blinds EDR

AI in Cybersecurity series · By 3L3C

Shanya packer-as-a-service helps ransomware disable EDR first. Learn defenses and where AI-driven anomaly detection catches evasion earlier.

Tags: Ransomware, EDR, Threat Detection, AI Security Analytics, Incident Response, Malware Obfuscation

A hard truth for endpoint security teams: a ransomware attack doesn’t need to beat your EDR if it can turn your EDR off first.

That’s why Shanya matters. It’s not “just another malware family.” It’s part of a business model—packer-as-a-service—that helps ransomware operators wrap their payloads in obfuscation and then clear the runway by killing endpoint defenses. Sophos researchers described Shanya as an “EDR killer” used by multiple ransomware groups, and that combination should change how you think about detection.

This post is part of our AI in Cybersecurity series, and I’m going to take a stance: signature-led endpoint defenses alone are losing the evasion race. The teams that fare better in 2026 will be the ones that pair solid hygiene with AI-driven anomaly detection and automated response across endpoints, identity, and network.

Packer-as-a-Service is ransomware’s force multiplier

Packer-as-a-service (PaaS here, not to be confused with platform-as-a-service) exists to make known malware look unknown. Instead of building ransomware from scratch, attackers increasingly buy or rent "wrapping" services that encrypt, compress, mutate, and stage payloads to frustrate static detection and slow reverse engineering. The ransomware inside is unchanged; only the outer layer is new.

That’s the operational win for attackers:

  • They keep using proven ransomware families.
  • They keep swapping the outer “shell” as detections catch up.
  • They reduce the skill required to ship evasive builds.

Shanya follows a path already cleared by other packing operations (Sophos compared the ecosystem role to HeartCrypt). The bigger story isn’t the brand name. It’s the market behavior: as soon as one packer gets burned, threat actors switch services. That churn is exactly what makes purely indicator-driven defenses brittle.

Why defenders should treat PaaS like a supply chain

If you’re used to tracking ransomware groups, PaaS changes the map. You’re no longer facing a single actor’s tooling—you’re facing a shared service layer used by multiple gangs.

Practically, that means:

  • One packer can show up across multiple ransomware campaigns.
  • TTP overlap increases, while payload hashes become less reliable.
  • The “initial signal” may be the packer’s behaviors, not the ransomware’s.

For detection engineering, PaaS is a supply chain problem. You need controls that spot the packaging and staging, not only the final payload.

Shanya’s play: kill the guard, then walk in

Shanya’s defining behavior is disabling endpoint defenses so the rest of the attack can proceed quietly. Sophos describes a flow that will feel familiar if you’ve tracked modern ransomware intrusions: remove visibility, establish control, then execute encryption and extortion.

Here’s the key technique reported:

  • Shanya drops two drivers: a legitimate, signed driver and a malicious, unsigned kernel driver.
  • The legitimate driver is loaded first. It is signed and carries a clean reputation, so loading it passes signature checks and does not draw immediate suspicion.
  • The malicious driver abuses the legitimate one to gain write access it should never have. This is the bring-your-own-vulnerable-driver (BYOVD) pattern: with Driver Signature Enforcement on, the unsigned driver cannot load on its own, so the signed driver is the bridge into the kernel.
  • That access is used to terminate and delete the processes and services tied to security products.

This is the nightmare scenario for endpoint-centric operations: once EDR is degraded, you lose telemetry right when you need it most. Note the detection implication, though: the legitimate driver is a real, signed file, so its name, hash and signer stay stable across campaigns even while the packed payload around it mutates. That makes the driver load itself the most reliable signal you get before the sensor goes dark.

The uncomfortable part: “EDR bypass” is often “EDR removal”

Security marketing tends to frame attacks as “malware bypassed EDR detection.” Reality is frequently simpler and more brutal: attackers aim to disable or blind EDR early, then do noisy things later.

If Shanya (or a similar tool) succeeds, downstream detections might never fire because the sensor isn’t collecting events anymore. Your SOC sees gaps. Your dashboards look calm. Meanwhile, the attacker is busy.

That’s why this topic belongs in an AI in Cybersecurity series: the winning defensive posture is cross-layer, behavior-based, and resilient to sensor loss.

Why traditional tooling falls behind—and where AI helps

Traditional security tools struggle when attackers continuously mutate packaging and selectively remove sensors. You can’t signature your way out of a business model designed to produce infinite variants.

AI-driven threat detection helps in three specific ways when dealing with packers and EDR killers:

1) Anomaly detection that doesn’t depend on a single file hash

A good anomaly detection program focuses on relationships and sequences, not just artifacts.

Example patterns that can stand out even when binaries change:

  • A new driver appearing on endpoints that rarely install drivers
  • Unusual driver load events outside normal maintenance windows
  • A spike in service terminations tied to security tooling
  • A workstation behaving like an “admin endpoint” (remote tools, new privileges, lateral movement)

AI models can score these sequences and highlight the story of the intrusion earlier—before encryption starts.
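The sequence scoring described above, as a Python example added for this post (it is not code from the article, from Sophos, or from any vendor's model). It scores one day of constructed telemetry per host using a per-host driver-load history as the rarity baseline, a maintenance window, and the burst of security-service stops that follows a driver load. The host names, weights, maintenance window, service-name hints and every event record are constructed; event shapes loosely follow Sysmon DriverLoad/ProcessCreate and Service Control Manager stop events.

```python
"""Sequence-based anomaly scoring over constructed endpoint telemetry.

Added example for this post, not code from the original article or from any
vendor. Every record, host name, weight and threshold below is constructed so
the script runs offline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 90-day history: number of distinct days each host loaded a driver.
DRIVER_LOAD_DAYS_90D = {"WS-0412": 0, "BUILD-07": 31}
MAINT_WINDOW = (2, 5)            # patching normally loads drivers between 02:00 and 05:00
SECURITY_SERVICE_HINTS = ("sense", "edr", "defend", "sophos", "crowdstrike", "sentinel")
ALERT_THRESHOLD = 8.0


def rarity_weight(host):
    """Hosts that never load drivers make any driver load interesting."""
    days = DRIVER_LOAD_DAYS_90D.get(host, 0)
    return 3.0 if days == 0 else 2.0 if days <= 3 else 0.5


def in_maintenance_window(ts):
    return MAINT_WINDOW[0] <= ts.hour < MAINT_WINDOW[1]


def score_host(events, burst=timedelta(minutes=10)):
    """Score one host's events (sorted by ts). Returns (score, story lines)."""
    score, story, last_driver, kills = 0.0, [], None, []
    for e in events:
        ts = e["ts"]
        if e["type"] == "DriverLoad":
            w = rarity_weight(e["host"])
            w += 0.0 if in_maintenance_window(ts) else 1.0   # outside patch window
            w += 0.0 if e.get("signed", True) else 2.0        # unsigned image
            last_driver = ts
            score += w
            story.append(f"{ts:%H:%M} driver load {e['image']} (+{w})")
        elif e["type"] == "ServiceStop" and any(h in e["service"].lower() for h in SECURITY_SERVICE_HINTS):
            kills.append(ts)
            w = 2.0
            if last_driver is not None and ts - last_driver <= burst:
                w += 3.0                       # security service dies right after a driver load
            if sum(1 for k in kills if ts - k <= burst) >= 2:
                w += 2.0                       # several security services stopped in one burst
            score += w
            story.append(f"{ts:%H:%M} security service stopped: {e['service']} (+{w})")
        elif e["type"] == "ProcessCreate" and e.get("remote_tool"):
            score += 1.5                       # workstation starting to look like an admin box
            story.append(f"{ts:%H:%M} remote admin tooling started: {e['image']} (+1.5)")
    return score, story


def triage(events):
    """Group events by host and score each host's chronologically sorted sequence."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {h: score_host(sorted(evs, key=lambda x: x["ts"])) for h, evs in by_host.items()}


def alerts(events):
    return sorted(h for h, (s, _) in triage(events).items() if s >= ALERT_THRESHOLD)


def T(h, m):
    return datetime(2026, 1, 14, h, m)


SAMPLE_EVENTS = [  # constructed telemetry: one noisy workstation, one busy build server
    {"host": "WS-0412", "ts": T(13, 2), "type": "DriverLoad", "image": r"C:\Windows\Temp\drv1.sys", "signed": True},
    {"host": "WS-0412", "ts": T(13, 3), "type": "DriverLoad", "image": r"C:\Windows\Temp\drv2.sys", "signed": False},
    {"host": "WS-0412", "ts": T(13, 4), "type": "ServiceStop", "service": "Sense"},
    {"host": "WS-0412", "ts": T(13, 4), "type": "ServiceStop", "service": "WinDefend"},
    {"host": "WS-0412", "ts": T(13, 6), "type": "ProcessCreate", "image": "remote-admin-tool.exe", "remote_tool": True},
    {"host": "BUILD-07", "ts": T(3, 10), "type": "DriverLoad", "image": r"C:\Windows\System32\drivers\vendor.sys", "signed": True},
    {"host": "BUILD-07", "ts": T(9, 0), "type": "ServiceStop", "service": "Spooler"},
]

if __name__ == "__main__":
    for host, (score, story) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {score} ({'ALERT' if score >= ALERT_THRESHOLD else 'ok'})")
        for line in story:
            print("   ", line)
```

The point of the story list is that the alert carries the sequence, not a single indicator: the build server loads a signed driver during the patch window and scores 0.5, while the workstation's two driver loads followed within minutes by two security-service stops and a remote tool score well above the threshold without any of those files being previously known.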

2) Behavioral analytics for “EDR tampering” signals

If attackers try to kill EDR, that attempt itself is a detection opportunity—if you’re watching from multiple angles.

Strong programs treat EDR tampering as a high-severity event and corroborate it with:

  • identity signals (new admin group membership, token abuse)
  • network signals (new outbound connections, suspicious SMB/RDP patterns)
  • asset context (is this host a developer machine, kiosk, server?)

AI shines at correlating these weak signals into a single incident your team can act on.

3) Automated response that contains faster than humans

Ransomware operations are optimized for speed. The defender advantage is automation.

Automated response playbooks—guided by risk scoring—can:

  • isolate a host when driver-tampering behaviors appear
  • revoke sessions or force re-authentication on privileged identities
  • block known-bad tooling paths and suspicious admin utilities
  • snapshot volatile evidence before it’s wiped

This isn’t about “replacing analysts.” It’s about making sure humans aren’t the slowest part of the defense.
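Corroboration and automated response together, as a Python example added for this post for the two sections above (behavioral corroboration of an EDR-tamper signal, and risk-scored response). This is not code from the article: the asset inventory, event shapes, weights, thresholds and action names are constructed stand-ins for what a SIEM and SOAR would supply, and the only design decision worth copying literally is the approval gate on crown-jewel hosts.

```python
"""Corroborate an EDR-tamper alert with identity, network and asset context,
then choose playbook actions by risk tier.

Added example for this post, not code from the original article. The asset
inventory, event records, weights, thresholds and action names are constructed."""
from datetime import datetime, timedelta

ASSETS = {  # constructed asset context
    "WS-0412": {"class": "workstation"},
    "DC-01": {"class": "domain-controller"},
}
CROWN_JEWELS = {"domain-controller", "backup", "jump-box"}


def corroborate(alert, identity_events, network_events, window=timedelta(hours=1)):
    """Return (score, reasons). A weak signal counts only if it falls within
    `window` of the tamper alert and involves the same host or user."""
    t0, host, user = alert["ts"], alert["host"], alert["user"]
    score, reasons = 5.0, [f"edr tamper on {host}"]      # tampering alone is already high severity

    def near(ts):
        return abs(ts - t0) <= window

    for ev in identity_events:
        if not near(ev["ts"]):
            continue
        if ev["type"] == "GroupMemberAdded" and ev["user"] == user and "admin" in ev["group"].lower():
            score += 3.0
            reasons.append(f"admin group add: {user} -> {ev['group']}")
        elif ev["type"] == "TokenElevation" and ev["host"] == host:
            score += 2.0
            reasons.append(f"token elevation on {host}")
    smb_targets = set()
    for ev in network_events:
        if not near(ev["ts"]) or ev["src"] != host:
            continue
        if ev["type"] == "NewOutbound":
            score += 1.5
            reasons.append(f"new outbound {ev['dst']}")
        elif ev["type"] == "SMB":
            smb_targets.add(ev["dst"])
    if len(smb_targets) >= 3:                 # one workstation talking SMB to many hosts
        score += 3.0
        reasons.append(f"smb fan-out to {len(smb_targets)} hosts")
    if ASSETS.get(host, {}).get("class") in CROWN_JEWELS:
        score += 2.0
        reasons.append("crown-jewel asset")
    return score, reasons


def plan_response(alert, score, reasons):
    """Map score and reasons to playbook actions. Crown-jewel classes get an
    approval gate instead of unattended isolation."""
    actions = ["snapshot_volatile_evidence"]  # always first, before anything is wiped
    cls = ASSETS.get(alert["host"], {}).get("class", "unknown")
    if score >= 8.0:
        actions.append("request_isolation_approval" if cls in CROWN_JEWELS else "isolate_host")
        if any(r.startswith("admin group add") for r in reasons):
            actions.append(f"revoke_sessions:{alert['user']}")
        if any(r.startswith("smb fan-out") for r in reasons):
            actions.append("block_remote_exec_tools")
    elif score >= 5.0:
        actions.append("page_analyst")
    return actions


def T(h, m):
    return datetime(2026, 1, 14, h, m)


# Constructed incident: tamper on a workstation, recent admin grant, beaconing, SMB spray.
ALERT = {"host": "WS-0412", "user": "j.doe", "ts": T(13, 4)}
IDENTITY = [
    {"type": "GroupMemberAdded", "ts": T(12, 50), "user": "j.doe", "group": "Domain Admins"},
    {"type": "GroupMemberAdded", "ts": T(8, 0), "user": "a.admin", "group": "Domain Admins"},  # outside window, ignored
]
NETWORK = [
    {"type": "NewOutbound", "ts": T(13, 5), "src": "WS-0412", "dst": "203.0.113.10:443"},
    {"type": "SMB", "ts": T(13, 6), "src": "WS-0412", "dst": "FS-01"},
    {"type": "SMB", "ts": T(13, 7), "src": "WS-0412", "dst": "FS-02"},
    {"type": "SMB", "ts": T(13, 8), "src": "WS-0412", "dst": "DC-01"},
]


def run_sample():
    score, reasons = corroborate(ALERT, IDENTITY, NETWORK)
    return score, plan_response(ALERT, score, reasons)


if __name__ == "__main__":
    score, actions = run_sample()
    print(score, actions)
```

Two things to notice. The evidence snapshot is unconditional and ordered first, because by the time a tamper alert fires the attacker may already be deleting logs. And a domain controller with the same score does not get isolated unattended; it gets an approval request, since an automated isolation of a DC is an outage you caused yourself.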

Practical defenses against packers and EDR killers (what actually helps)

You won’t patch your way out of this, and you won’t tool-buy your way out either. You need a layered plan that assumes attackers will attempt to reduce visibility.

Harden the kernel driver surface (where these attacks live)

Driver abuse is a recurring theme in EDR killer tooling.

Do these:

  1. Block or restrict known abused drivers with allowlisting/denylisting where feasible. On Windows, Microsoft's vulnerable driver blocklist (enforced through WDAC, and on by default where memory integrity/HVCI is enabled) is the starting point; add your own deny rules for anything else you have seen abused.
  2. Enforce driver signing policies as strictly as your environment allows: Driver Signature Enforcement on, memory integrity (HVCI) where the hardware permits, and a WDAC policy on the hosts that matter most.
  3. Alert on new driver installs and loads, especially on user workstations, where a first-ever driver load is itself a signal.
  4. Baseline "normal driver activity" by device class (servers vs laptops vs build machines), since what is routine on a build server is alarming on a finance laptop.

If your environment can’t tolerate strict kernel policies everywhere, at least apply them to your “crown jewel” endpoints: domain controllers, jump boxes, management servers, and backup infrastructure.
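The four steps above as one policy check, in Python, added for this post (not the article's or any vendor's code). The denylist, the per-class baselines and the driver records are constructed; in production the denylist would be fed from a vulnerable-driver blocklist and the baselines from your own inventory. It also makes the crown-jewel distinction from the paragraph above explicit: the same unknown driver is merely alerted on a workstation but blocked on a domain controller.

```python
"""Driver-load policy by device class: denylist, signing requirement, and a
per-class baseline of expected drivers.

Added example for this post, not the article's or any vendor's code. The
denylist, baselines, paths and driver records are constructed."""
import hashlib


def fake_sha256(label):
    """Stand-in for the SHA-256 of a driver image (constructed, not a real hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


DENYLIST = {fake_sha256("known-abused-driver.sys"): "known-abused-driver.sys"}

# strict=True: anything outside the baseline is blocked (crown jewels).
# strict=False: outside-baseline loads are allowed but alerted (fleet workstations).
POLICY = {
    "domain-controller": {"strict": True, "baseline": {"ntfs.sys", "tcpip.sys", "vendor-backup.sys"}},
    "workstation": {"strict": False, "baseline": {"ntfs.sys", "tcpip.sys", "vendor-vpn.sys"}},
}
USER_WRITABLE = (r"c:\windows\temp", r"c:\users", r"c:\programdata")


def evaluate(driver, device_class):
    """Return (verdict, reasons); verdict is 'block', 'alert' or 'allow'."""
    pol = POLICY.get(device_class, POLICY["workstation"])
    if driver["sha256"] in DENYLIST:
        return "block", [f"denylisted driver {DENYLIST[driver['sha256']]}"]
    if not driver["signed"]:
        return "block", ["unsigned kernel driver"]
    reasons = []
    if driver["name"].lower() not in pol["baseline"]:
        if pol["strict"]:
            return "block", [f"not in {device_class} baseline"]
        reasons.append(f"new driver for {device_class} class")
    if driver["path"].lower().startswith(USER_WRITABLE):
        reasons.append("loaded from user-writable path")
    return ("alert" if reasons else "allow"), reasons


def audit(records):
    """records: iterable of (driver, device_class). Returns [(name, class, verdict)]."""
    return [(d["name"], c, evaluate(d, c)[0]) for d, c in records]


SAMPLE = [  # constructed driver records
    ({"name": "known-abused-driver.sys", "sha256": fake_sha256("known-abused-driver.sys"), "signed": True,
      "path": r"C:\Windows\System32\drivers\known-abused-driver.sys"}, "workstation"),
    ({"name": "drv2.sys", "sha256": fake_sha256("drv2"), "signed": False,
      "path": r"C:\Windows\Temp\drv2.sys"}, "workstation"),
    ({"name": "newvendor.sys", "sha256": fake_sha256("newvendor"), "signed": True,
      "path": r"C:\Windows\Temp\newvendor.sys"}, "workstation"),
    ({"name": "newvendor.sys", "sha256": fake_sha256("newvendor"), "signed": True,
      "path": r"C:\Windows\System32\drivers\newvendor.sys"}, "domain-controller"),
    ({"name": "tcpip.sys", "sha256": fake_sha256("tcpip"), "signed": True,
      "path": r"C:\Windows\System32\drivers\tcpip.sys"}, "domain-controller"),
]

if __name__ == "__main__":
    for name, cls, verdict in audit(SAMPLE):
        print(f"{verdict:5} {cls:17} {name}")
```

Two caveats. A user-mode check like this is for auditing telemetry and generating alerts; the actual block has to come from the kernel policy (WDAC/HVCI), because by the time a log line exists the driver is already loaded. And hash-only denylisting is brittle: the abused driver is a legitimate product with many builds, so platform blocklists key on file name, version range and signer rather than a single hash, and your own rules should too.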

Make EDR harder to tamper with

Many orgs deploy EDR and stop there. That’s the easy part.

What separates resilient teams is protecting the protector:

  • enable anti-tamper features and require admin approvals to disable agents
  • restrict local admin rights (yes, it’s painful; it’s still worth it)
  • monitor for service stop attempts and security tool uninstalls
  • store logs off-host so “delete local evidence” doesn’t work

A blunt but accurate rule: if a user can uninstall or stop your EDR, an attacker can too.
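A concrete way to test that rule on Windows, as a Python example added for this post (not the article's code). `sc.exe sdshow <ServiceName>` prints a service's security descriptor as an SDDL string; the function below parses the DACL and reports any broad trustee (Everyone, Authenticated Users, Builtin Users, Interactive) holding rights that let them stop, reconfigure, delete or take ownership of the service. The three SDDL strings are constructed: the first is the default descriptor Windows assigns to most services, the other two are deliberately weakened, one with two-letter rights and one with a hex access mask.

```python
"""Find non-admin principals who can stop or reconfigure a service, from the
SDDL string that `sc.exe sdshow <service>` prints.

Added example for this post, not the article's code. The SDDL samples are
constructed (DEFAULT_SDDL mirrors the stock Windows service descriptor)."""
import re

# Two-letter SDDL rights that let a principal stop, reconfigure, delete or take
# over a service, and the same rights as access-mask bits for hex ACEs.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WP": "SERVICE_STOP", "SD": "DELETE",
             "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL"}
HEX_BITS = [(0x00000002, "DC"), (0x00000020, "WP"), (0x00010000, "SD"),
            (0x00040000, "WD"), (0x00080000, "WO"), (0x10000000, "GA")]
# Well-known SID aliases that mean "a broad population", not admins or the OS.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
                  "IU": "Interactive Users", "BG": "Builtin Guests", "AN": "Anonymous"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def dacl_aces(sddl):
    """Return (type, rights, sid) for each ACE in the DACL ('D:' up to 'S:')."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)          # ':' never appears inside an ACE
    dacl = sddl[start + 2:end if end >= 0 else len(sddl)]
    return [(m.group(1), m.group(3), m.group(6)) for m in ACE_RE.finditer(dacl)]


def rights_tokens(rights):
    """SDDL rights are either concatenated two-letter codes or a hex access mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for bit, code in HEX_BITS if mask & bit]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def weak_grants(sddl):
    """List (trustee, [rights]) for allow ACEs that give broad trustees dangerous rights."""
    findings = []
    for ace_type, rights, sid in dacl_aces(sddl):
        if ace_type != "A" or sid not in BROAD_TRUSTEES:   # only access-allowed ACEs matter
            continue
        bad = [DANGEROUS[t] for t in rights_tokens(rights) if t in DANGEROUS]
        if bad:
            findings.append((BROAD_TRUSTEES[sid], bad))
    return findings


# Constructed samples.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;BU)(A;;CCLCSWLOCRRC;;;IU)")      # Users may stop it
WEAK_HEX_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;0x20022;;;AU)")                                   # READ_CONTROL|STOP|CHANGE_CONFIG

if __name__ == "__main__":
    for label, s in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL), ("weak-hex", WEAK_HEX_SDDL)):
        print(label, weak_grants(s) or "ok")
```

Feed it the output of `sc.exe sdshow` for your EDR's services and any unexpected `SERVICE_STOP` or `SERVICE_CHANGE_CONFIG` grant to a broad group is a finding. A clean DACL is necessary, not sufficient: an attacker with local admin or kernel code, which is exactly what Shanya is after, is not bound by it, so the product's own anti-tamper and the kernel hardening above still have to hold.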

Detect the pre-encryption phase, not the encryption event

By the time files are encrypting, the attacker has already won the time battle.

Build detections for the lead-up:

  • suspicious PowerShell and scripting chains
  • lateral movement and remote execution anomalies
  • credential dumping and privilege escalation behaviors
  • disabling backups, shadow copy deletion, and recovery impairment

EDR is part of this, but network telemetry, identity logs, and server audit trails matter just as much.

Train for “ClickFix” and other modern social engineering

Sophos noted Shanya appearing in campaigns using ClickFix-style lures, where users are tricked into running “fix” steps that execute malicious commands.

Security awareness that works isn’t generic. It’s specific:

  • show employees what “fake fix” instructions look like in your business context
  • teach a single, easy rule: never paste commands into Run/Terminal from a webpage or email
  • add a friction point: a quick internal check channel (Slack/Teams hotline) for “is this legit?”

If your user training doesn’t change behavior, it’s theater.

Questions security leaders are asking right now (and straight answers)

“If Shanya kills EDR, is EDR useless?”

No. EDR is still necessary, but it’s not sufficient. The correct response is to harden EDR against tampering and add detection layers that survive partial visibility loss.

“Do we need AI to stop packer-as-a-service threats?”

If your detection strategy relies heavily on file reputation and static indicators, AI-driven behavioral detection becomes a practical necessity, not a nice-to-have. The attackers are already automating variation.

“What should we measure to know we’re improving?”

Track metrics that reflect resilience:

  • mean time to detect (MTTD) pre-encryption
  • percentage of endpoints with anti-tamper enabled
  • number of high-risk admin accounts and where they authenticate
  • coverage of driver load telemetry and alerting
  • time to isolate a host after EDR tampering is detected

If your numbers only move after a tabletop exercise, your program isn’t operational yet.

The stance: AI belongs in ransomware defense, but hygiene still decides outcomes

Shanya is a clean example of where ransomware is headed: specialized services that obfuscate payloads and remove defenses before the main event. This is an ecosystem that rewards scale and speed, and defenders need to respond the same way.

AI in cybersecurity earns its keep when it finds the weird stuff that doesn’t match last month’s indicators—driver abuse, sensor tampering, unusual sequences of admin actions—and then helps your team respond fast enough to matter.

If you’re building your 2026 roadmap now, here’s the practical question I’d ask internally: If an attacker disables our EDR on five endpoints tonight, what other signals would still wake us up—and what actions would trigger automatically?

That answer tells you whether you’re prepared for packer-as-a-service threats like Shanya, or just hoping your tools see what they’re no longer able to see.