In recent years, endpoint detection and response (EDR) killers have become a standard weapon in modern ransomware attacks. Before launching an encryptor, attackers gain elevated privileges and deploy tools to turn off security protections.
While the “Bring Your Own Vulnerable Driver” (BYOVD) technique remains the most common method, cybercriminals are increasingly adopting new approaches, such as abusing legitimate anti-rootkit utilities or using driverless methods to suspend EDR software.
ESET researchers recently analyzed nearly 90 active EDR killers and found that these tools are favored for their predictable, consistent behavior.
Ransomware operators prefer EDR killers because hiding the actual encryptor malware is difficult and time-consuming. Encryptors are inherently noisy since they must modify many files quickly.
Instead of constantly updating encryptors to evade detection, attackers use external EDR killers to wipe out the security layers right before encryption begins. This plug-and-play approach keeps the encryptor simple and ensures a reliable attack chain.
The Shift To Diverse EDR Disruption Tactics
While BYOVD tools dominate the landscape by exploiting known vulnerable drivers to terminate protected processes, threat actors are heavily diversifying their methods.
Some low-skill attackers use basic scripts with built-in commands like “taskkill” or leverage Windows Safe Mode, though these methods are noisy and less reliable.
More commonly, attackers abuse legitimate anti-rootkit tools, such as GMER or PC Hunter. These programs were originally designed to remove kernel-level threats but are now weaponized by affiliates to shut down security services manually.
A growing trend involves driverless EDR killers, which avoid the kernel entirely. Tools like EDRSilencer block communication between the endpoint and the security backend, while tools like EDR-Freeze force security processes to become unresponsive.

However, most of these tools are modified versions of publicly available proof-of-concept (PoC) code. Threat actors often tweak noncritical components, such as debug messages or the implementation language, while keeping the core exploitation logic intact.

Evasion Techniques and Defensive Strategies
To defend against these evolving threats, organizations must look beyond simply blocking vulnerable drivers. While preventing a known vulnerable driver from loading is a necessary step, it often happens too late in the attack chain.
By the time a driver is blocked, the attacker already has high privileges and is seconds away from deploying the ransomware. Furthermore, overly aggressive driver blocking can disrupt legitimate business software.

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 54547180A99474B0DBA289D92C4A8F3EEA78B531 | 2Gk8.exe | Win32/Loader.Lycaon.Y.gen | AbyssKiller EDR killer. |
| 75F85CAEA52FE5A124FA77E2934ABD3161690ADD | smuot.sys | Win64/Rootkit.Agent.DX | The ABYSSWORKER rootkit. |
| 002573D80091F7F8167BCBDA3A402B85FA915F19 | lasdjfioasdjfioer.exe | Win64/HackTool.EDRSilencer. | |
A successful defense requires a multilayered prevention strategy that detects and stops the EDR killer before it executes, ensuring that security controls remain active throughout the entire intrusion attempt.
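As an added illustration of what "detecting the EDR killer before it executes" looks like in practice (example code written for this article, not from ESET or any vendor), the pass below flags the four tactics described above in constructed endpoint telemetry: a taskkill against a security process, a Safe Mode boot change, a blocklisted driver load, and an EDRSilencer-style firewall block on the agent binary. The event schema, the placeholder driver hash and the protected process names are assumptions.

```python
import re

# Constructed placeholder hash, not a real vulnerable driver; an organisation
# would populate this from its own driver blocklist.
VULNERABLE_DRIVER_HASHES = {"0000000000000000000000000000000000000000"}
# Assumed image names of the security agent processes on the estate.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.IGNORECASE)
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)

def classify(event):
    """Return a tactic label for one telemetry event, or None if benign."""
    kind = event.get("type")
    if kind == "driver_load":
        # BYOVD: the driver image matches a known vulnerable driver hash.
        if event.get("sha1", "").upper() in VULNERABLE_DRIVER_HASHES:
            return "byovd_driver_load"
    elif kind == "process_create":
        cmd = event.get("cmdline", "")
        m = TASKKILL_RE.search(cmd)
        # Low-skill variant: built-in taskkill aimed at a security process.
        if m and m.group(1).lower() in PROTECTED_PROCESSES:
            return "taskkill_security_process"
        # Safe Mode variant: boot configuration changed to start without agents.
        if SAFEBOOT_RE.search(cmd):
            return "safe_mode_reboot"
    elif kind == "wfp_filter_add":
        # Driverless variant: a block filter scoped to the agent's executable
        # severs its communication with the security backend.
        target = event.get("app_path", "").rsplit("\\", 1)[-1].lower()
        if event.get("action") == "block" and target in PROTECTED_PROCESSES:
            return "edr_comm_block"
    return None

def scan(events):
    """Return [(index, label)] for every event that matches a tactic."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": "taskkill.exe /F /IM edr_agent.exe"},
    {"type": "process_create", "cmdline": "notepad.exe report.txt"},
    {"type": "process_create", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"type": "driver_load", "image": "C:\\Windows\\Temp\\x.sys",
     "sha1": "0000000000000000000000000000000000000000"},
    {"type": "wfp_filter_add", "action": "block",
     "app_path": "C:\\Program Files\\EDR\\edr_sensor.exe"},
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(index, label)
```

Each label maps to a different point in the chain, so the first three can trigger response before any driver is loaded, which is the gap the article says driver blocking alone leaves open.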
