
Exploiting Vulnerable Drivers: How EDR Killers Use BYOVD to Disable Security


Ransomware Threats Utilize Vulnerable Drivers to Evade Detection

An analysis of endpoint detection and response (EDR) killers has uncovered that 54 of them employ a tactic called bring your own vulnerable driver (BYOVD) by exploiting 34 vulnerable drivers.

These EDR killer programs are frequently used in ransomware attacks to disable security software before deploying file-encrypting malware, allowing attackers to avoid detection.

ESET researcher Jakub Souček highlighted the significance of EDR killers in ransomware operations, noting that building an undetectable encryptor is time-consuming and difficult because encryptors are inherently noisy.

EDR killers serve as external tools that disable security controls before launching ransomware, simplifying the encryption process. However, some instances involve EDR termination and ransomware combined into a single binary, such as Reynolds ransomware.

A majority of EDR killers exploit legitimate yet vulnerable drivers to gain elevated privileges, with over half of the identified tools using BYOVD as a reliable technique.

Bitdefender explains that BYOVD attacks aim to gain kernel-mode privileges, allowing attackers to manipulate system memory and hardware using a vulnerable driver signed by a reputable vendor.

By leveraging kernel access, threat actors can bypass EDR processes, disable security tools, and undermine endpoint protections, exploiting Microsoft’s driver trust model.

Three types of threat actors develop BYOVD-based EDR killers: closed ransomware groups, attackers modifying existing code, and cybercriminals selling tools on underground markets.

  • Closed ransomware groups like DeadLock and Warlock
  • Attackers tweaking proof-of-concept code (e.g., SmilingKiller and TfSysMon-Killer)
  • Cybercriminals offering tools as a service (e.g., DemoKiller, ABYSSWORKER, CardSpaceKiller)

Additionally, ESET identified script-based tools that disrupt security processes using administrative commands and variants combining scripting with Windows Safe Mode.

Another category of EDR killers consists of legitimate anti-rootkit tools like GMER and PC Hunter, which are abused to terminate protected processes. A newer class of driverless EDR killers, such as EDRSilencer, instead blocks outbound network traffic from EDR agents.

According to ESET, attackers focus on developing sophisticated defense-evasion techniques in user-mode components of EDR killers, rather than making encryptors undetectable.

To counter ransomware and EDR killers, organizations should block commonly abused drivers from loading and implement layered defenses, backed by detection strategies that monitor driver loads and the termination of security processes.
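The detection side of that advice can be illustrated with a small triage script for kernel driver-load telemetry. The following is an added example written for this page, not code from the article, ESET or Bitdefender. It assumes a defender has Sysmon Event ID 6 (DriverLoad) records available as dictionaries with the standard `ImageLoaded`, `Hashes`, `Signed` and `SignatureStatus` fields, and maintains a blocklist of SHA-256 hashes for known-abused drivers (for instance derived from Microsoft's vulnerable driver blocklist). Every hash, path and event below is a constructed placeholder.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators.

Added example for illustration; not part of the original article. The
blocklist hashes, file paths and sample events are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholder hashes. A real deployment would load this set from a
# maintained source such as Microsoft's vulnerable driver blocklist.
KNOWN_ABUSED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000aaa",
    "0000000000000000000000000000000000000000000000000000000000000bbb",
}

# Directories from which properly installed vendor drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers\\".rstrip("\\") + "\\",
    r"c:\windows\system32\driverstore\\".rstrip("\\") + "\\",
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str  # Sysmon reports e.g. "Valid" or "Unavailable"


@dataclass
class Finding:
    image: str
    reason: str
    severity: str


def parse_sysmon_driver_load(record: dict) -> DriverLoad:
    """Map the fields of a Sysmon Event ID 6 record to a DriverLoad."""
    # Sysmon formats Hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=...".
    hashes = dict(part.split("=", 1) for part in record["Hashes"].split(","))
    return DriverLoad(
        image=record["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=str(record.get("Signed", "false")).lower() == "true",
        signature_status=record.get("SignatureStatus", "Unavailable"),
    )


def assess(event: DriverLoad) -> list[Finding]:
    """Return the indicators that apply to one driver load, worst first."""
    findings: list[Finding] = []
    # The decisive check for BYOVD: the driver is validly signed, so only its
    # identity (hash) tells a known-abused driver apart from a healthy one.
    if event.sha256 in KNOWN_ABUSED_SHA256:
        findings.append(Finding(event.image, "hash matches known-abused driver blocklist", "high"))
    # Drivers dropped beside a tool (temp or user-writable paths) rather than
    # installed into the driver store are worth a look even when signed.
    if not event.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding(event.image, "loaded from outside standard driver directories", "medium"))
    # Catches the weaker cases; a signed vulnerable driver passes this check.
    if not event.signed or event.signature_status.lower() != "valid":
        findings.append(Finding(event.image, "signature missing or not valid", "high"))
    return findings


def scan(records: list[dict]) -> dict[str, list[Finding]]:
    """Assess every record and keep only the images that produced findings."""
    results: dict[str, list[Finding]] = {}
    for record in records:
        event = parse_sysmon_driver_load(record)
        findings = assess(event)
        if findings:
            results[event.image] = findings
    return results


# Constructed sample events in Sysmon Event ID 6 field layout.
SAMPLE_EVENTS = [
    {  # ordinary signed driver from the system driver directory
        "ImageLoaded": r"C:\Windows\System32\drivers\example_ok.sys",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {  # validly signed, but hash is on the blocklist and it was dropped in Temp
        "ImageLoaded": r"C:\Windows\Temp\vendor_tool.sys",
        "Hashes": "SHA256=" + "0" * 61 + "aaa",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {  # unsigned driver loaded from a user-writable location
        "ImageLoaded": r"C:\Users\Public\helper.sys",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"[{f.severity}] {image}: {f.reason}")
```

The second sample event is the one that matters for BYOVD: it passes the signature check, so only the hash match and the unusual load path expose it. That is why the article's first recommendation is a driver blocklist rather than tighter signature validation, and why a real deployment should feed this logic from a maintained list instead of the placeholder set used here.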

EDR killers remain a popular choice for attackers due to their affordability, consistency, and ability to disrupt defenses before encryption, making them valuable tools for both encryptor developers and affiliates.
