AON researchers demonstrated on May 7, 2025 how a hacker, after exploiting an application flaw, bypassed the SentinelOne EDR's anti-tamper protection to uninstall the Windows agent and deploy a variant of the Babuk ransomware.
By abusing the agent's unauthenticated upgrade/downgrade process, the attacker disabled all detection, leaving the compromised server exposed to the ransomware's encryption.
SentinelOne responded quickly: a local passphrase enabled by default, authenticated updates, and stricter installation authorization enforced through its management console.
But, as Stroz Friedberg warns, these patches are no substitute for a defense-in-depth strategy.
In the face of constantly evolving circumvention methods, regular, isolated (physically offline) backups remain the last bastion of business continuity.

In addition to instant patches, investing in redundant solutions and frequently testing restoration procedures is now a must for controlling the risk of ransomware.

https://www.lemondeinformatique.fr/actualites/lire-l-edr-de-sentinelone-neutralise-pour-installer-une-variante-du-ransomware-babuk-96790.html

Credits: Le Monde Informatique, "SentinelOne's EDR neutralized to install a variant of the Babuk ransomware"