ESET Research: A deep dive into EDR killers | #ransomware | #cybercrime

• EDR killers are a fundamental part of modern ransomware intrusions; affiliates prefer a short, reliable window to run encryptors rather than constantly modifying payloads.

• Affiliates, not operators, pick the EDR killers; larger affiliate pools lead to greater tooling diversity.

• EDR killers implement defense evasion techniques, while encryptors focus purely on encryption.

• ESET strongly suspects that AI assists with the development of some EDR killers, and researchers provide a concrete example with the Warlock gang.

• While BYOVD dominates, custom scripts, anti-rootkits, and driverless EDR killers are utilized as well.

BRATISLAVA, Slovakia, March 19, 2026 (GLOBE NEWSWIRE) — ESET Research releases its latest deep dive into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers. ESET’s report presents telemetry-backed insights into the environment that move past the commonly seen driver-centric approach. It documents how affiliates, not operators, shape tooling diversity, and how codebases routinely reuse and swap drivers. EDR killers are a fundamental part of modern ransomware intrusions; as such, affiliates prefer a short, reliable window to run encryptors rather than constantly modifying payloads. Furthermore, ESET researchers assess that at least some recently observed EDR killers exhibit traits strongly suggestive of AI-assisted generation. Grounded in ESET telemetry and incident investigations, the research is based on the analysis and tracking of almost 90 EDR killers actively used in the wild.

In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides the omnipresent Bring Your Own Vulnerable Driver (BYOVD) technique, ESET also sees attackers frequently abusing legitimate anti-rootkit utilities or using driverless approaches to block the communication of endpoint detection and response (EDR) software or suspend it in place. Those abused tools are not just plentiful, but they also behave predictably and consistently, which is precisely why affiliates reach for them.

“The landscape this research unveils is massive, ranging from endless forking of proofs of concept to complex professional implementations. Focusing on commercial EDR killers – advertised on the dark net – allows us to gain a better understanding of their customer base and spot otherwise hidden affiliations. In-house-developed EDR killers offer insight into the inner workings of closed groups. Furthermore, vibe coding is making matters even more complicated,” says ESET researcher Jakub Souček, who investigated the EDR killers.

To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtualization to sophisticated injection. However, ESET rarely sees any of these implemented in encryptors. Instead, ransomware attackers opt for EDR killers to disrupt security solutions right before encryptor deployment.

At the same time, EDR killers often rely on legitimate, yet vulnerable, drivers, making defense significantly more difficult without risking disruption of legacy or enterprise software. The result is a class of tools that offers kernel-level impact with minimal development effort, making these tools disproportionately powerful, given their simplicity.

That is why ESET emphasizes that, while preventing vulnerable drivers from loading is a crucial step in the line of defense, it is not an easy one due to several existing bypass techniques. This highlights why one should not rely only on that, and aim to disrupt EDR killers before they even get a chance to load the driver.

In fact, the simplest EDR killers don’t rely on vulnerable drivers or other advanced techniques. Instead, they abuse built-in administrative tools and commands. BYOVD techniques have become the hallmark of modern EDR killers: ubiquitous, reliable, and widely used. In a typical scenario, an attacker drops a legitimate, but vulnerable, driver onto the victim’s machine, installs the driver, and then runs malware that abuses the driver’s vulnerability. A smaller, but growing, class of EDR killers achieves its goals without touching the kernel at all. Instead of terminating EDR processes, these tools interfere with other critical features.

Finally, AI can now be considered the latest weapon in the EDR killers’ arsenals. Determining whether AI directly assisted in producing a specific codebase is often practically impossible. There is no definitive forensic marker that reliably distinguishes AI-generated code from human-written code, especially when attackers post-process or obfuscate it. However, ESET researchers assess that at least some recently observed EDR killers exhibit traits strongly suggestive of AI-assisted generation.

A clear example appears in an EDR killer recently deployed by the Warlock ransomware gang. The tool contains a section of code that not only prints a list of possible fixes, a pattern typical for AI-generated boilerplates, but also, instead of exploiting a specific driver, implements a trial-and-error mechanism that cycles through several unrelated, commonly abused device names until it finds one that works.

“A key observation is the division of labor in ransomware-as-a-service ecosystems. Operators typically supply the encryptor and supporting infrastructure, but EDR killer selection is left to affiliates. This means that the larger the affiliate pool, the more diverse the EDR killer tooling becomes,” explains Souček. “Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains stop once detected and neutralized by security solutions; ransomware intrusions do not. They are interactive, human-driven operations, and intruders continually adapt to detections, tool failures, and environmental obstacles,” he adds.

For a more detailed analysis of EDR killers, check out the latest ESET Research blogpost “EDR killers explained: Beyond the drivers” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

About ESET

ESET^® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.

CONTACT: Media contact: Emily Zwart ezwart@enterprisecanada.com (905) 515-9169