Ransomware gangs are rapidly expanding their use of EDR killers, moving beyond vulnerable drivers to a broader mix of scripts, anti‑rootkits, and driverless techniques.
ESET’s latest telemetry-backed study tracks almost 90 distinct EDR killers actively used in the wild. It warns that these tools have become a predictable, standard stage in modern ransomware operations.
In a typical intrusion, attackers first gain high privileges, then launch an EDR killer to blind or cripple endpoint defenses before deploying the ransomware encryptor.
The study counts almost 90 EDR killers in active use, including 54 BYOVD-based tools abusing 35 vulnerable drivers, along with script-based and anti‑rootkit utilities.
Crucially, ESET stresses that affiliates, not core ransomware operators, typically choose which EDR killer to use, meaning larger affiliate pools naturally produce more diverse tooling.
ESET notes that affiliates prefer this short, reliable disruption window to constantly re‑engineering encryptors to evade detection.
This division of labor also means that focusing only on encryptor families hides important relationships between tooling clusters and actors.
Beyond vulnerable drivers
BYOVD remains the dominant technique: attackers install a legitimate but vulnerable kernel driver and then exploit it to terminate protected processes or turn off security callbacks.
However, ESET’s mapping of the landscape shows attackers increasingly abusing legitimate anti‑rootkit tools such as GMER, HRSword, and PC Hunter to kill security processes through their own high‑privilege drivers and GUIs.
At the same time, a small but growing class of driverless EDR killers is emerging, using tools like EDRSilencer and EDR-Freeze to block EDR communications or freeze agents without touching the kernel.
These techniques are attractive because they are publicly available, harder to detect with traditional driver‑focused controls, and have been adopted by ransomware actors within days of release.
ESET warns that driver‑centric analysis often misleads attribution because the same vulnerable driver appears in unrelated tools, and the same EDR killer can migrate across different drivers over time.
Drivers such as BdApiUtil.sys and TfSysMon.sys are reused across distinct codebases like dead‑av, TfSysMon‑Killer, DLKiller, Susanoo, and EDRKillShifter, despite separate development histories.

Commercialization further muddies the picture. EDR killers such as DemoKiller, AbyssKiller (built around the ABYSSWORKER rootkit and HeartCrypt packer), and CardSpaceKiller (often packed with VX Crypt) are sold or rented to multiple gangs including Qilin, Akira, Medusa, DragonForce, and others.

Packer‑as‑a‑service offerings like VX Crypt and HeartCrypt add another abstraction layer, providing strong obfuscation and anti‑analysis features that defenders must contend with.
AI’s role in EDR killer development
ESET also flags signs of AI-assisted development in some recent EDR killers. While there is no reliable forensic marker that definitively proves AI use, researchers highlight a Warlock-linked tool that prints a list of “possible fixes” and cycles through several common device names until it finds a working target, behaviour reminiscent of generic AI‑generated boilerplate adapted for offensive use.
While there are many publicly available PoCs for EDR killers, one repository stands out: BlackSnufkin’s BYOVD.

This suggests AI is lowering the barrier to producing and iterating user‑mode components even as the set of abused drivers remains relatively small.
Defending only at the driver layer is no longer enough, ESET warns. Blocking known vulnerable drivers is essential, but it happens late in the kill chain: by the time a driver load is blocked, the attacker already has high privileges and can simply switch tools.
Instead, ESET urges a prevention‑first, multi‑layered approach that aims to detect and disrupt EDR killers before they execute, combining hardening against BYOVD, monitoring for anti‑rootkit misuse, and telemetry‑driven hunting for driverless disruption attempts.
Weaknesses in driver signing enforcement, as seen in large‑scale abuse of Truesight.sys and the use of revoked or expired drivers such as EnPortv.sys, further complicate blanket blocking strategies.
In human‑operated ransomware intrusions, detections only have value if defenders respond swiftly and decisively at every step of the attack chain.
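As an added illustration of the multi‑layered monitoring described above (example code written for this article, not ESET’s tooling), the following triage routine runs over constructed Sysmon/Windows Security events and flags the three EDR‑killer classes discussed: loads of drivers the article names (or drivers with revoked/expired signatures), launches of the anti‑rootkit utilities, and new Windows Filtering Platform block filters of the kind driverless killers create. The executable names and the 5447 field names are assumptions; a production version would match driver hashes against the Microsoft vulnerable‑driver blocklist rather than file names.

```python
# Added example, not from the article or ESET: triage constructed Sysmon/Security
# events for the EDR-killer signals the study describes.

# Driver file names the article names as abused (assumed complete only for this
# demo; real deployments match hashes against the vulnerable-driver blocklist).
KNOWN_ABUSED_DRIVERS = {"bdapiutil.sys", "tfsysmon.sys", "truesight.sys", "enportv.sys"}
# Anti-rootkit utilities the article says are misused (executable names assumed).
ANTI_ROOTKIT_TOOLS = {"gmer.exe", "hrsword.exe", "pchunter32.exe", "pchunter64.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (severity, reason) findings for a list of event dicts.
    EventID 6 = Sysmon driver load, 1 = Sysmon process create,
    5447 = Security log 'WFP filter has been changed' (requires Filtering
    Platform Policy Change auditing; field names below are assumed)."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 6:
            name = basename(ev["ImageLoaded"])
            status = ev.get("SignatureStatus", "")
            if name in KNOWN_ABUSED_DRIVERS:
                findings.append(("high", f"known abused driver loaded: {name}"))
            elif status in ("Revoked", "Expired"):
                # The article notes revoked/expired drivers still get loaded.
                findings.append(("high", f"{status.lower()} driver signature: {name}"))
        elif eid == 1 and basename(ev["Image"]) in ANTI_ROOTKIT_TOOLS:
            findings.append(("medium", f"anti-rootkit tool started: {basename(ev['Image'])}"))
        elif eid == 5447 and ev.get("ChangeType") == "Add" and ev.get("Action") == "Block":
            # Driverless killers cut EDR egress with WFP block filters; baseline
            # against the host firewall's normal filter churn before alerting.
            findings.append(("medium", f"WFP block filter added: {ev.get('FilterName', '?')}"))
    return findings

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\TfSysMon.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\example.sys", "SignatureStatus": "Expired"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Temp\PCHunter64.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 5447, "ChangeType": "Add", "Action": "Block", "FilterName": "Custom Outbound Filter"},
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```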
