54 EDR Killers Bypass Security Using 35 Signed Driver Flaws

Summary
– A new analysis reveals that 54 EDR killer programs use the BYOVD technique, abusing 35 legitimate but vulnerable drivers to gain kernel-level privileges and disable security software.
– These tools are a common precursor in ransomware attacks, allowing threat actors to neutralize endpoint defenses before deploying file-encrypting malware, keeping the ransomware itself simpler and more stable.
– The primary developers of BYOVD-based EDR killers are closed ransomware groups, attackers modifying existing code, and cybercriminals selling such tools as a service on underground marketplaces.
– Other EDR killer categories include script-based tools that use administrative commands, anti-rootkit utilities, and emerging driverless tools that block EDR traffic to disable protections.
– Defending against these threats requires layered security strategies, as blocking specific drivers is insufficient; attackers can easily switch tools if one method fails at the final attack stage.
A recent cybersecurity analysis has uncovered a significant threat vector used to disable critical security software. The investigation found that 54 distinct Endpoint Detection and Response (EDR) killer programs are actively exploiting a technique known as Bring Your Own Vulnerable Driver (BYOVD). These malicious tools abuse vulnerabilities in a total of 35 different digitally signed drivers, all from legitimate hardware and software vendors, to gain deep system access and neutralize security controls before deploying ransomware.
These EDR killers have become a staple in ransomware attacks, particularly those operated under a Ransomware-as-a-Service (RaaS) model. They serve a specific purpose: to quietly disable antivirus and EDR solutions, clearing the path for the file-encrypting malware that follows. Security researchers note that creating a stealthy ransomware encryptor itself is difficult because its core function—rapidly modifying countless files—is inherently noisy and easy for systems to detect. By offloading the evasion work to a separate EDR killer component, ransomware developers keep their encryptors simpler and more stable, while affiliates gain a reliable tool to dismantle defenses.
The BYOVD method is especially popular due to its effectiveness. Attackers cannot typically load their own malicious drivers because modern Windows systems require drivers to be digitally signed. Instead, they locate old, legitimate drivers from reputable companies that contain unpatched security flaws. By “bringing” these vulnerable but signed drivers to a target system, attackers can exploit the flaws to gain kernel-mode privileges, also known as Ring 0 access. This highest level of system authority allows them to terminate security processes, tamper with system callbacks, and completely undermine endpoint protections, all under the guise of a trusted component.
The development of these tools is primarily driven by three groups. The first includes closed ransomware operations like DeadLock and Warlock, which create and use their own tools internally. The second consists of individual attackers who modify and repurpose existing public proof-of-concept code, creating variants such as SmilingKiller. The third, and perhaps most prolific, are cybercriminals who commercially market EDR killers on underground forums, offering tools like DemoKiller and ABYSSWORKER as a paid service to other threat actors.
Beyond driver-based attacks, security firms have identified other methods. Some attackers use simple script-based tools that run built-in Windows administrative commands—`taskkill`, `net stop`—to stop security services. A few advanced variants even force a reboot into Windows Safe Mode, where most security software does not load, though this noisy tactic is riskier and less common. Another category involves repurposing legitimate anti-rootkit utilities like GMER, which provide an interface to terminate protected processes. A newer, emerging class includes “driverless” EDR killers such as EDRSilencer, which work by blocking all network traffic from security solutions, effectively putting them into an unresponsive coma.
This shift highlights a broader trend in cybercrime. Sophisticated evasion techniques are now concentrated in these user-mode EDR killers rather than in the ransomware encryptors themselves. Commercial EDR killers, in particular, often incorporate mature anti-analysis and anti-detection features, making them potent and reusable tools for affiliates.
Defending against this threat requires a multi-layered approach. While blocking known vulnerable drivers from loading is a necessary step, it is not sufficient on its own. Since EDR killers are deployed at the final stage of an attack, just before ransomware execution, a failed block may simply prompt the attacker to switch to another tool. Therefore, organizations must implement proactive monitoring and detection strategies across the entire attack chain. The persistence of EDR killers is driven by their practicality: they are cheap, reliable, and separate from the ransomware payload, providing an easy-to-use utility for bypassing defenses and a convenient solution for encryptor developers who no longer need to focus on stealth.
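As an added illustration of the layered detection argued for above (this is example code, not from the source article or any vendor), the following Python sketch runs two checks over constructed Sysmon-style events: it flags a driver load whose hash is on a vulnerable-driver blocklist, and it separately flags `net stop` / `taskkill` commands aimed at security services, which is the fallback an attacker reaches for when the driver block succeeds. The hash values, driver file names and protected process names are placeholders, not real indicators.

```python
import re

# Constructed sample telemetry (not real events): Sysmon-style DriverLoad (EventID 6)
# and ProcessCreate (EventID 1) records flattened to "Key=Value" pairs.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\legacy_hw.sys Hashes=SHA256=PLACEHOLDER_VULN_DRIVER_HASH Signed=true",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Hashes=SHA256=PLACEHOLDER_BENIGN_HASH Signed=true",
    "EventID=1 Image=C:\\Windows\\System32\\net.exe CommandLine=net stop SecurityService",
    "EventID=1 Image=C:\\Windows\\System32\\taskkill.exe CommandLine=taskkill /F /IM edr_agent.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
]

# Placeholder blocklist; in practice this is fed from a maintained vulnerable-driver list.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_VULN_DRIVER_HASH"}
# Placeholder names of the security services/processes this environment wants protected.
PROTECTED_NAMES = {"securityservice", "edr_agent.exe"}
# Built-in administrative tools the article notes script-based killers rely on.
ADMIN_TOOLS = {"net.exe", "taskkill.exe", "sc.exe"}


def parse_event(line):
    """Turn one flattened 'Key=Value Key=Value' record into a dict (values may contain spaces)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def flag_event(ev):
    """Return a detection label for a parsed event, or None if it looks benign."""
    if ev.get("EventID") == "6":
        sha256 = ev.get("Hashes", "").replace("SHA256=", "")
        if sha256 in VULNERABLE_DRIVER_HASHES:
            return "byovd_driver_load"
    if ev.get("EventID") == "1":
        tool = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "").lower()
        if tool in ADMIN_TOOLS and any(name in cmd for name in PROTECTED_NAMES):
            return "security_service_tamper"
    return None


def scan(lines):
    """Run both checks over a list of raw event lines; return the labels of flagged events in order."""
    labels = [flag_event(parse_event(line)) for line in lines]
    return [label for label in labels if label is not None]


if __name__ == "__main__":
    for label in scan(SAMPLE_EVENTS):
        print(label)
```

Neither check alone covers the attack chain the article describes; the driver-load check handles BYOVD, and the command-line check catches the cheaper script-based tools an operator may switch to once a driver is blocked.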
(Source: thehackernews.com)