54 EDR Killers Abuse 34 Signed Drivers to Disable Security
A new analysis from ESET shows how ransomware crews and other attackers are still finding smart ways to turn trusted Windows tools against security software. The company said it found 54 EDR killer tools that use a tactic called bring your own vulnerable driver, or BYOVD, by abusing 34 vulnerable drivers.
EDR killers are built for one job. They try to shut down endpoint detection and response tools before ransomware launches. That matters because EDR products are often the last line of defense on a machine. If attackers can turn them off first, the rest of the intrusion becomes much easier.
Jakub Souček, an ESET researcher, said ransomware operators keep using these tools because they help simplify the malware itself. In a report shared with The Hacker News, he said, “Ransomware gangs, especially those with ransomware as a service programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time consuming.” He added, “More importantly, encryptors are inherently very noisy, as they inherently need to modify a large number of files in a short period; making such malware undetected is rather challenging.”
That is where EDR killers come in. Instead of making the ransomware itself stealthy, attackers use a separate tool to disable defenses first. Then they launch the locker. ESET said this keeps the encryptor simpler, more stable, and easier to rebuild when defenders catch on.
The most common method is BYOVD. Bitdefender explains that the aim is to reach kernel mode, also known as Ring 0. At that level, code can access system memory and hardware with very high privileges. Bitdefender said attackers cannot load an unsigned malicious driver, so they “bring” a driver signed by a trusted vendor, such as a hardware maker or an older antivirus product, that still contains a known flaw.
Once that vulnerable signed driver is loaded, the attacker can use it to do dangerous things. ESET said these tools can terminate EDR processes, disable security software, tamper with kernel callbacks, and weaken endpoint protections. The key trick is trust. Windows sees a signed driver. The attacker sees a path to the kernel.
ESET said the BYOVD based EDR killers it found are mainly tied to three groups of threat actors. The first are closed ransomware groups, such as DeadLock and Warlock, that do not rely on affiliates. The second are attackers who fork and tweak existing proof of concept code, including tools like SmilingKiller and TfSysMon Killer. The third are cybercriminals who sell these tools on underground markets as a service, including DemoKiller, ABYSSWORKER, and CardSpaceKiller.
Not every tool in this space depends on drivers. ESET also found script based tools that use normal administrative commands such as taskkill, net stop, and sc delete. These commands can stop processes and services linked to security products. Some variants also combine scripting with Windows Safe Mode. ESET said Safe Mode loads only a small part of the operating system, and security products usually are not included. That gives malware a better chance to disable protection. But it is noisy. It requires a reboot, which makes it risky and less reliable in unknown environments, so ESET said it is seen only rarely in the wild.
A third category includes anti rootkit tools. ESET pointed to legitimate utilities such as GMER, HRSword, and PC Hunter. These tools offer a simple interface that can be abused to terminate protected processes or services. A newer fourth category is made up of driverless EDR killers such as EDRSilencer and EDR Freeze. ESET said these do not need a vulnerable driver. Instead, they block outbound traffic from EDR products and can push the security tool into a coma like state.
ESET said this trend shows where the real effort is going. “Attackers aren’t putting much effort into making their encryptors undetected,” the company said. “Rather, all the sophisticated defense evasion techniques have shifted to the user mode components of EDR killers. This trend is most visible in commercial EDR killers, which often incorporate mature anti analysis and anti detection capabilities.”
For defenders, the message is clear. Blocking commonly abused drivers from loading is an important control, but it is not enough on its own. ESET said EDR killers usually appear at the final stage of an attack, just before encryption starts. If defenders stop one tool, attackers can often swap in another.
That means organizations need layered defenses. They need to monitor for suspicious driver loads, unusual service changes, Safe Mode abuse, and command line activity tied to stopping security tools. They also need detection that can catch behavior across the full attack chain, from initial access to privilege escalation and defense evasion.
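As an added example, not code from ESET or from the original article, the Python below sketches the kind of detection logic this paragraph calls for: it scans constructed Sysmon-style process-creation and driver-load events for the taskkill / net stop / sc delete patterns, Safe Mode boot tampering, and loads of blocklisted drivers described earlier. The protected-product names, the driver blocklist entry and the event field layout are assumptions chosen for the example.

```python
"""Flag EDR-killer style behaviour in constructed endpoint telemetry.
Illustrative detection logic; names and blocklist entries are assumptions."""
import re
from typing import Iterable, Optional

# Constructed set of security-product process/service names to protect.
# A real deployment would populate this from its own EDR/AV inventory.
PROTECTED_NAMES = {"edrsvc", "avagent", "sensor"}
# Constructed stand-in for a vulnerable-driver blocklist (names or hashes).
DRIVER_BLOCKLIST = {"vulnerable_example.sys"}

# Administrative commands the article names as used by script-based killers.
KILL_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+(?:delete|stop))\b", re.I)
# Boot-configuration change that forces the next boot into Safe Mode.
SAFEBOOT = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    if event["type"] == "driver_load":
        name = event["image"].rsplit("\\", 1)[-1].lower()
        return "blocklisted_driver_load" if name in DRIVER_BLOCKLIST else None
    cmd = event.get("cmdline", "")
    if SAFEBOOT.search(cmd):
        return "safe_mode_tamper"
    # Substring match on the command line is deliberately loose; tune per product.
    if KILL_CMD.search(cmd) and any(n in cmd.lower() for n in PROTECTED_NAMES):
        return "security_service_stop"
    return None

def scan(events: Iterable[dict]) -> list:
    """Run classify over an event stream; return (event_id, label) pairs."""
    return [(e["id"], lbl) for e in events if (lbl := classify(e))]

# Constructed sample telemetry: benign admin activity mixed with killer patterns.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "cmdline": "taskkill /F /IM notepad.exe"},
    {"id": 2, "type": "process", "cmdline": "taskkill /F /IM edrsvc.exe"},
    {"id": 3, "type": "process", "cmdline": "net stop AvAgent"},
    {"id": 4, "type": "process", "cmdline": "sc delete Sensor"},
    {"id": 5, "type": "process", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"id": 6, "type": "driver_load", "image": r"C:\Windows\System32\drivers\vulnerable_example.sys"},
    {"id": 7, "type": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys"},
]

if __name__ == "__main__":
    for eid, label in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {label}")
```

Event 1 (a taskkill against notepad) and event 7 (a normal driver load) produce no finding, which is the point: the rule keys on the target of the command or load, not on the tool alone.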
ESET summed up the problem simply. “EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor,” the company said. That makes them useful for ransomware developers and affiliates alike. And as long as signed vulnerable drivers remain available, attackers will keep trying to use them.
#CyberSecurity #Ransomware #EDR #BYOVD #EndpointSecurity