A comprehensive analysis by ESET has uncovered a thriving ecosystem of endpoint detection and response (EDR) killer tools, revealing that 54 of these specialized programs abuse 34 vulnerable signed drivers to neutralize security software before ransomware attacks.
The BYOVD Threat Landscape
EDR killer programs have become a standard component in ransomware intrusions, offering affiliates a reliable method to disable security controls before deploying file-encrypting malware. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), exploits legitimate but vulnerable drivers to gain kernel-level (Ring 0) privileges.
“Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming,” explained ESET researcher Jakub Souček. “Making encryptors undetected is challenging because they inherently need to modify a large number of files in a short period.”
Why BYOVD Works
The attack vector abuses Microsoft’s driver trust model. Because attackers cannot load unsigned malicious drivers, they “bring” a driver signed by a reputable vendor (such as a hardware manufacturer or an older antivirus version) that contains a known vulnerability, and exploit that vulnerability to run code in the kernel.
With kernel access achieved, threat actors can:
- Terminate EDR processes
- Disable security tools
- Tamper with kernel callbacks
- Undermine all endpoint protections
Three Types of Threat Actors
ESET’s research identified three primary categories developing BYOVD-based EDR killers:
- Closed ransomware groups: Operations like DeadLock and Warlock that don’t rely on affiliates
- Fork-and-tweak attackers: Actors modifying existing proof-of-concept code, such as SmilingKiller and TfSysMon-Killer
- Commercial EDR killer vendors: Cybercriminals marketing tools on underground marketplaces, including DemoKiller, ABYSSWORKER, and CardSpaceKiller
Beyond BYOVD: Emerging Techniques
The research also documented alternative EDR killer approaches:
Script-based tools: Utilizing built-in administrative commands like taskkill, net stop, or sc delete to interfere with security product processes.
Safe Mode exploits: Some variants combine scripting with Windows Safe Mode, which loads only a minimal OS subset without security solutions. However, this approach is “very noisy” and unreliable, requiring a system reboot.
Anti-rootkit utilities: Legitimate tools such as GMER, HRSword, and PC Hunter repurposed to terminate protected processes.
Driverless EDR killers: Emerging tools like EDRSilencer and EDR-Freeze that block outbound traffic from EDR solutions, causing programs to enter a “coma” state.
Defense Recommendations
ESET emphasizes that blocking commonly misused drivers from loading is a necessary but insufficient defense. Since EDR killers execute at the final stage before ransomware deployment, attackers can easily switch tools if one fails.
Organizations need layered defenses and detection strategies to monitor, flag, contain, and remediate threats at every stage of the attack lifecycle.
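To make two of the detection opportunities above concrete (the built-in commands named under “Script-based tools”, and the driver blocklisting ESET calls necessary but insufficient), here is an added Python example that is not part of the article or of ESET’s research. It scans constructed Sysmon-style process-creation (EventID 1) and driver-load (EventID 6) lines; the line format, the security-product names in PROTECTED_NAMES, and the hashes in VULNERABLE_DRIVER_SHA256 are all assumed placeholders, not values from the page.

```python
"""
Added example (not ESET's tooling): flag the two EDR-killer behaviours the article
describes, using process-creation and driver-load telemetry.
  (1) Script-based tampering: taskkill / net stop / sc delete aimed at security products.
  (2) BYOVD: a signed driver whose hash sits on a vulnerable-driver blocklist is loaded.
Event lines, product names and driver hashes below are all constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: process and service names a defender treats as security-product components.
PROTECTED_NAMES = {"msmpeng.exe", "windefend", "sense", "edragent.exe", "edrsvc"}

# Constructed placeholders standing in for a real vulnerable-driver blocklist
# (e.g. Microsoft's recommended driver block rules); real entries would be SHA-256 hex.
VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_1",
    "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_2",
}

# Constructed telemetry lines in a simple Key=Value|Key=Value form (assumed format).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM MsMpEng.exe",
    "EventID=1|Image=C:\\Windows\\System32\\net.exe|CommandLine=net stop WinDefend",
    "EventID=1|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc delete EDRSvc",
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM notepad.exe",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\vendor.sys|Hashes=SHA256=PLACEHOLDER_SHA256_VULNERABLE_DRIVER_1|Signed=true",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ok.sys|Hashes=SHA256=PLACEHOLDER_SHA256_BENIGN|Signed=true",
]


@dataclass
class Finding:
    technique: str   # "script-based" or "byovd"
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def check_process_creation(event: dict) -> Optional[Finding]:
    """Detect built-in admin commands used to stop or remove security products."""
    exe = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    toks = [t.strip('"').lower() for t in event.get("CommandLine", "").split()]
    args = toks[1:]
    if exe == "taskkill.exe":
        # taskkill [/F] /IM <process>: look at the token following /IM
        for i, t in enumerate(args[:-1]):
            if t == "/im" and args[i + 1] in PROTECTED_NAMES:
                return Finding("script-based", f"taskkill against {args[i + 1]}")
    elif exe in ("net.exe", "net1.exe") and len(args) >= 2 and args[0] == "stop":
        if args[1] in PROTECTED_NAMES:
            return Finding("script-based", f"net stop {args[1]}")
    elif exe == "sc.exe" and len(args) >= 2 and args[0] in ("stop", "delete"):
        if args[1] in PROTECTED_NAMES:
            return Finding("script-based", f"sc {args[0]} {args[1]}")
    return None


def check_driver_load(event: dict) -> Optional[Finding]:
    """Detect a driver load whose SHA-256 is on the vulnerable-driver blocklist.
    A valid signature is exactly what BYOVD relies on, so it is not treated as a pass."""
    sha256 = ""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            sha256 = part.split("=", 1)[1].strip().upper()
    if sha256 in VULNERABLE_DRIVER_SHA256:
        return Finding("byovd", f"vulnerable signed driver loaded: {event.get('ImageLoaded', '?')}")
    return None


def scan(lines) -> list:
    """Run both checks over telemetry lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        f = None
        if eid == "1":
            f = check_process_creation(ev)
        elif eid == "6":
            f = check_driver_load(ev)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.detail}")
```

Run the file directly to print the findings. The driver check is the “necessary” layer: a hit means a known-bad driver loaded despite carrying a valid signature, which is what BYOVD depends on. The command check is what covers the tool switch the article warns about, because taskkill, net stop and sc delete show up whichever script-based EDR killer an affiliate picks up next; since administrators also use those commands, scope PROTECTED_NAMES to your own security stack so the rule stays quiet on routine maintenance.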
“EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor—a perfect fit for both encryptor developers who don’t need to focus on making their encryptors undetectable, and affiliates who possess an easy-to-use, powerful utility to disrupt defenses prior to encryption,” ESET concluded.
Source: The Hacker News
