
Ransomware attackers now often rely on tools that disable endpoint detection and response (EDR) products, known as EDR killers. New research from ESET examines the EDR killer ecosystem and discloses how attackers abuse vulnerable drivers.
In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions. The attacker first acquires high privileges, then deploys such a tool to disrupt protection, and only then launches the encryptor.
“The landscape this research unveils is massive, ranging from endless forking of proofs of concept to complex professional implementations. Focusing on commercial EDR killers — advertised on the dark net — allows us to gain a better understanding of their customer base and spot otherwise hidden affiliations. In-house-developed EDR killers offer insight into the inner workings of closed groups. Furthermore, vibe coding is making matters even more complicated,” says ESET researcher Jakub Souček.
The research shows that EDR killers often rely on legitimate, yet vulnerable, drivers. That makes defense significantly harder, because blocking such drivers risks disrupting the legacy or enterprise software that legitimately depends on them. The result is a class of tools that offers kernel-level impact with minimal development effort, making these tools disproportionately powerful given their simplicity.
ESET stresses that, while preventing vulnerable drivers from loading is a crucial step in the line of defense, it is not an easy one, because several bypass techniques already exist. This is why organizations should not rely on driver blocking alone, and should aim to disrupt EDR killers before they get the chance to load the driver at all.
In fact, the simplest EDR killers don’t rely on vulnerable drivers or other advanced techniques at all; instead, they abuse built-in administrative tools and commands. At the other end, BYOVD (Bring Your Own Vulnerable Driver) techniques have become the hallmark of modern EDR killers: ubiquitous, reliable, and widely used. In a typical scenario, an attacker drops a legitimate but vulnerable driver onto the victim’s machine, installs it, and then runs malware that abuses the driver’s vulnerability. A smaller, but growing, class of EDR killers achieves its goals without touching the kernel at all: instead of terminating EDR processes, these tools interfere with other critical features of the protection.
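As an added illustration of the "disrupt it before the driver loads" advice (this code is not from ESET's research or the article), the following script flags kernel driver loads that fit the BYOVD pattern just described. It assumes Sysmon Event ID 6 ("Driver loaded") records exported as JSON lines; the blocklist hash and the sample events are constructed placeholders.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 ("Driver loaded") records."""
import json
from pathlib import PureWindowsPath

# Constructed placeholder hash; a real deployment would load a maintained
# vulnerable-driver blocklist (e.g. Microsoft's) instead.
KNOWN_VULNERABLE_SHA256 = {"0" * 63 + "1"}
# Directories Windows normally loads drivers from; anything else is unusual.
EXPECTED_DRIVER_DIRS = (PureWindowsPath(r"C:\Windows\System32\drivers"),
                        PureWindowsPath(r"C:\Windows\System32\DriverStore"))

def parse_hashes(field: str) -> dict:
    """Sysmon writes 'SHA256=..,MD5=..'; return an {algo: value} map."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {a.strip().upper(): v.strip().lower() for a, v in pairs}

def classify(event: dict) -> list:
    """Return the reasons (possibly empty) this driver-load event is suspicious."""
    reasons = []
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    if not any(d in path.parents for d in EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from non-standard directory")
    # BYOVD drivers are usually validly signed, so this rule alone is not enough.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    return reasons

def scan(lines) -> list:
    """Return (ImageLoaded, reasons) for each JSON-encoded event line that fires."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev.get("ImageLoaded", "?"), reasons))
    return alerts

# Constructed samples: a benign OS driver, then a blocklisted driver staged in ProgramData.
SAMPLE_EVENTS = [
    json.dumps({"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Hashes": "SHA256=" + "ab" * 32, "SignatureStatus": "Valid"}),
    json.dumps({"ImageLoaded": r"C:\ProgramData\upd\drv.sys",
                "Hashes": "SHA256=" + "0" * 63 + "1", "SignatureStatus": "Valid"}),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Because the staged driver carries a valid signature, only the hash and path rules fire on it, which is exactly why signature checks alone do not stop BYOVD.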
AI is, inevitably, now considered the latest weapon in the EDR killers’ arsenal. Determining whether AI directly assisted in producing a specific codebase is often practically impossible: there is no definitive forensic marker that reliably distinguishes AI-generated code from human-written code, especially once attackers post-process or obfuscate it. However, ESET researchers believe that at least some recently observed EDR killers exhibit traits strongly suggestive of AI-assisted generation.
“A key observation is the division of labor in ransomware-as-a-service ecosystems. Operators typically supply the encryptor and supporting infrastructure, but EDR killer selection is left to affiliates. This means that the larger the affiliate pool, the more diverse the EDR killer tooling becomes,” adds Souček. “Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains stop once detected and neutralized by security solutions; ransomware intrusions do not. They are interactive, human-driven operations, and intruders continually adapt to detections, tool failures, and environmental obstacles.”
You can find out more on the ESET blog.
