Packer-as-a-Service Shanya Hides Ransomware, Kills EDR
Summary
Security vendor Sophos published research on a new packer-as-a-service (PaaS) called Shanya that helps ransomware evade detection and disable endpoint detection and response (EDR) tools. Shanya wraps existing ransomware in an obfuscation layer and employs driver-based techniques: it drops a legitimate (clean) driver alongside a malicious, unsigned kernel driver and abuses the clean driver to gain write access and remove or terminate security products.
Sophos reports Shanya has been observed globally across 2025, with notable activity in Tunisia and the UAE, and used by multiple ransomware groups including Akira, Medusa, Qilin and Crytox. The service echoes earlier PaaS operations such as HeartCrypt and is already gaining favour in the ransomware ecosystem. Sophos has published IOCs on GitHub and added protections in its product.
Key Points
- Shanya is a packer-as-a-service that obfuscates ransomware to help it bypass EDR and anti-malware controls.
- Technique: deploys a legitimate driver and an unsigned malicious kernel driver; the legitimate driver is used to load and give access to the malicious driver.
- The malicious driver leverages write access to target and remove processes, services or drivers belonging to security products—effectively acting as an “EDR killer”.
- Observed in use by multiple ransomware families (Akira, Medusa, Qilin, Crytox) and in phishing campaigns (e.g. Booking.com-themed ClickFix delivering CastleRAT).
- Seen worldwide during 2025, with higher concentration in countries such as Tunisia and the UAE.
- Defence: use trusted EDR, apply vendor IOCs (Sophos has published indicators on GitHub), maintain patching, and educate users to resist social engineering.
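The key points above describe a driver pair (a clean, signed driver dropped next to an unsigned malicious one) and recommend driver control and vendor IOCs as the defence. The hunting script below is an added example written for this summary, not Sophos's code and not the published IOC set; it looks for the generic pattern rather than for Shanya specifically. It assumes it is run elevated on a Windows host, and the third query assumes Sysmon is installed with driver-load logging (Event ID 6) enabled; the first two parts need only built-in tooling.

```powershell
# Added example (not from Sophos or the original article): hunt for unsigned,
# mis-signed, misplaced or recently installed kernel drivers on a Windows host.
# Run as Administrator. Section 3 assumes Sysmon with Event ID 6 (DriverLoad) enabled.

# 1. Enumerate installed kernel-mode driver services and check the Authenticode
#    signature of each backing file. Unsigned files, or files living outside
#    System32\drivers, are the pattern worth reviewing first.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the service ImagePath into a plain file system path
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        if ($path -match '^\\SystemRoot\\') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
        elseif ($path -match '^System32\\')  { $path = Join-Path $env:SystemRoot $path }
        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Path         = $path
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SigStatus    = if ($sig) { $sig.Status } else { 'FileMissing' }
            InDriversDir = $path -like "$env:SystemRoot\System32\drivers\*"
        }
    }

'== Driver services that are unsigned, mis-signed, missing, or outside System32\drivers =='
$drivers | Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.InDriversDir } |
    Format-Table Name, State, StartMode, SigStatus, Signer, Path -AutoSize

# 2. Kernel driver services registered in the last 7 days (System log, Event ID 7045).
#    A packer that drops a driver pair registers two such services close together.
#    Properties[0..2] are ServiceName, ImagePath and ServiceType.
'== Kernel driver services installed in the last 7 days (Event ID 7045) =='
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'kernel' } |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

# 3. Sysmon driver-load events (Event ID 6) whose image was not validly signed.
#    Sysmon records Signed ('true'/'false'), Signature and SignatureStatus per load.
'== Sysmon driver loads with a non-valid signature (Event ID 6, last 7 days) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $d.ImageLoaded
            Signed    = $d.Signed
            Status    = $d.SignatureStatus
            Signature = $d.Signature
        }
    } |
    Where-Object { $_.Signed -ne 'true' -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

A signed driver showing up in the first list is not by itself suspicious (many vendors ship signed drivers outside the default directory); the signal the page describes is an unsigned driver appearing alongside a newly registered signed one, so read sections 1 and 2 together and compare any hits against the vendor's published IOCs and your driver allow-list policy.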
Why should I read this?
Short version: Shanya makes it much easier for ransomware to switch off your endpoint protections. If you look after endpoints or incident response, this one’s worth a quick read — it explains a neat trick attackers are now renting out so you can start blocking it.
Author style
Punchy: this is a concise, high-impact alert. The piece flags a clear escalation in the ransomware supply chain (PaaS combined with EDR-killing drivers), so defenders should pay attention and act on basic mitigations immediately.
Context and Relevance
Packers-as-a-service lower the technical bar for criminals and extend the ransomware-as-a-service economy. Shanya demonstrates how commoditised obfuscation and driver abuse combine to defeat common detection tooling, making it a practical threat for many organisations. For security teams, the story underlines urgency around robust EDR configuration, driver control policies, rapid patching, and applying up-to-date IOCs from vendors.
