Exploring the Rise of Endpoint Detection and Response (EDR) Killers
An in-depth analysis of endpoint detection and response (EDR) killers has uncovered that 54 of these malicious programs employ a technique called bring your own vulnerable driver (BYOVD), exploiting a total of 35 vulnerable drivers.
EDR killers have become a prevalent tool in ransomware attacks, allowing threat actors to disable security software before launching file-encrypting malware. This tactic is used to evade detection and enhance the success rate of ransomware deployments.
ESET researcher Jakub Souček highlighted the significance of EDR killers in ransomware operations, noting that encryptors are inherently noisy and challenging to make undetectable. By using EDR killers to disable security controls, attackers simplify the deployment of ransomware and increase the chances of successful encryption.
These specialized tools act as external components that disable security measures before executing ransomware, ensuring a streamlined and effective attack. While some EDR killers operate separately from ransomware modules, others combine both functionalities into a single binary, as seen in cases like Reynolds ransomware.
The majority of EDR killers leverage legitimate but vulnerable drivers to gain elevated privileges and achieve their objectives. Among the nearly 90 EDR killer tools identified by ESET, more than half employ the BYOVD technique due to its reliability and effectiveness.
Bitdefender explains that BYOVD attacks aim to gain kernel-mode privileges, allowing attackers unrestricted access to system memory and hardware. By exploiting vulnerabilities in reputable drivers, threat actors can bypass security mechanisms and carry out malicious activities.
Threat actors behind BYOVD-based EDR killers fall into three main categories:
- Closed ransomware groups like DeadLock and Warlock that operate independently
- Attackers who modify existing proof-of-concept code to create tools like SmilingKiller and TfSysMon-Killer
- Cybercriminals who sell EDR killers on underground forums as a service, such as DemoKiller, ABYSSWORKER, and CardSpaceKiller
In addition to BYOVD tactics, ESET identified script-based tools that use administrative commands to disrupt security products and services. Some variants combine scripting with Windows Safe Mode to evade detection and disable protection mechanisms.
Another category of EDR killers includes anti-rootkits that utilize legitimate utilities like GMER and HRSword to terminate processes and services. A newer class of driverless EDR killers such as EDRSilencer and EDR-Freeze block outbound traffic from EDR solutions, rendering them inactive.
ESET emphasized that while encryptors are not always designed to be undetectable, EDR killers focus on evading detection through sophisticated defense-evasion techniques. Commercial EDR killers often incorporate anti-analysis and anti-detection features to bypass security measures.

Protecting against ransomware and EDR killers involves blocking vulnerable drivers from loading and implementing layered defenses and detection strategies. As EDR killers are executed just before launching ransomware, organizations must be vigilant at every stage of the attack lifecycle.
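As an added illustration of the driver-blocking advice above (example code written for this page, not from ESET's or Bitdefender's reports), the following Python routine triages Sysmon-style DriverLoad (Event ID 6) records against a driver blocklist. The blocklist entries, sample events and field layout are constructed placeholders; BYOVD drivers are usually validly signed, so the hash match, not the signature check, is what catches them.

```python
"""Triage Sysmon-style DriverLoad records against a vulnerable-driver blocklist.
Added example; blocklist entries and events below are constructed, not real indicators."""
from dataclasses import dataclass

# Constructed blocklist: a real deployment would load the vendor/OS blocklist instead.
BLOCKLIST_SHA256 = {"aa" * 32: "placeholder-vulnerable-driver-1"}
BLOCKLIST_NAMES = {"placeholder_vuln.sys"}
# Directories a kernel driver normally loads from; anything else deserves a look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    image: str      # ImageLoaded field (full path of the .sys file)
    sha256: str     # SHA256 taken from the Hashes field
    signed: bool    # Signed field
    signature: str  # Signature field (publisher name)


def triage(event: DriverLoad) -> list[str]:
    """Return the reasons this driver load should be reviewed (empty list = no finding)."""
    reasons = []
    path = event.image.lower()
    name = path.rsplit("\\", 1)[-1]
    digest = event.sha256.lower()
    if digest in BLOCKLIST_SHA256:
        # Primary check: renaming the file does not change its hash.
        reasons.append(f"hash on blocklist ({BLOCKLIST_SHA256[digest]})")
    if name in BLOCKLIST_NAMES:
        reasons.append("file name on blocklist")
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside the driver store")
    if not event.signed:
        reasons.append("unsigned driver")
    return reasons


def triage_all(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each suspicious image path to its findings; clean loads are omitted."""
    return {e.image: triage(e) for e in events if triage(e)}


# Constructed sample events: one benign load, one dropped to a temp folder, one renamed.
SAMPLE_EVENTS = [
    DriverLoad("C:\\Windows\\System32\\drivers\\placeholder_ok.sys", "bb" * 32, True, "Placeholder OS Vendor"),
    DriverLoad("C:\\Users\\Public\\Temp\\placeholder_vuln.sys", "AA" * 32, True, "Placeholder Hardware Ltd"),
    DriverLoad("C:\\Windows\\System32\\drivers\\renamed.sys", "aa" * 32, True, "Placeholder Hardware Ltd"),
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```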
EDR killers continue to pose a threat due to their affordability, consistency, and ability to disrupt security measures effectively. By understanding the tactics used by threat actors and implementing robust security measures, organizations can mitigate the risk posed by EDR killers and ransomware attacks.