54 EDR Killers Exploit 35 Vulnerable Signed Drivers with BYOVD and Disable Security

New Analysis Uncovers EDR Killers Leveraging Vulnerable Drivers in Ransomware Attacks

ESET's in-depth analysis of endpoint detection and response (EDR) killers finds that more than half of these tools rely on a technique known as "bring your own vulnerable driver" (BYOVD). Across those tools, 35 distinct vulnerable, legitimately signed drivers are abused to gain kernel access and switch off security software.

EDR killers have become standard components of ransomware intrusions. They give affiliates a way to disable security software before the file-encrypting payload is deployed, so that the noisy encryption phase runs with no endpoint protection left to detect or block it.

ESET researcher Jakub Souček, in a report shared with The Hacker News, describes the pressure ransomware gangs, particularly those operating a ransomware-as-a-service (RaaS) model, are under: they ship new versions of their encryptors frequently, and each one has to stay ahead of detection. "More importantly, encryptors are inherently noisy; they need to modify numerous files in quick succession, so developing undetectable malware is a daunting challenge," he noted.

EDR killers are usually separate components that run before the ransomware to disable protection. Keeping the two apart makes the ransomware build simpler and more stable, although some operators have merged EDR-termination logic into the ransomware itself, as seen in the case of Reynolds ransomware.

Vulnerable drivers are the foundation of most EDR killers because they provide the kernel-level privileges needed to kill protected processes. Of the nearly 90 distinct EDR killers ESET identified, more than half use BYOVD, a technique favored for its reliability.

BYOVD works by obtaining kernel-mode (Ring 0) execution, where code runs with the same privileges as the operating system and has unrestricted access to memory and hardware. Windows will not load an unsigned driver, so instead of writing one, the attacker "brings" a legitimately signed driver that contains a known vulnerability, often one shipped by a hardware vendor or an older antivirus product, and loads it as a service. The flawed driver then does the attacker's kernel work: terminating EDR processes that user-mode code cannot touch, disabling protections, and unregistering the kernel callbacks (process, thread and image-load notifications) through which EDR drivers observe the system.

The analysis highlights a diverse set of actors developing BYOVD-based EDR killers, including:

  1. Closed ransomware groups, such as DeadLock and Warlock, which operate independently and do not depend on affiliates.
  2. Cybercriminals who fork and modify existing code, examples being SmilingKiller and TfSysMon-Killer.
  3. Cybercriminals who sell EDR killers on underground marketplaces, including DemoKiller (also known as Бафомет), ABYSSWORKER, and CardSpaceKiller.

ESET also catalogs script-based tools that use built-in administrative commands such as taskkill, net stop, or sc delete to stop or remove security services. Some variants combine scripting with Windows Safe Mode, rebooting into its minimal environment, where many security products do not load, before tampering with them. Because the reboot is noisy, these are seen less often in live intrusions.

A further category is anti-rootkit utilities: legitimate tools such as GMER, HRSword, and PC Hunter, whose interfaces let an operator terminate protected processes or stop services through the signed drivers they ship with. A newer class of driverless EDR killers has also appeared, including EDRSilencer and EDR-Freeze. These avoid kernel code entirely: EDRSilencer uses Windows Filtering Platform rules to block the EDR agent's outbound traffic, so the agent keeps running but can no longer report to its backend, while EDR-Freeze suspends the agent's processes, leaving them in a "coma".

The trend ESET flags is that attackers are investing less in making encryptors stealthy and more in the user-mode components of EDR killers. This is most visible in commercial EDR killers, which increasingly add anti-analysis and evasion features of their own.

The first defensive priority is to stop commonly abused drivers from loading at all. Microsoft maintains a vulnerable driver blocklist that is enforced when hypervisor-protected code integrity (HVCI) is on and can also be deployed as a Windows Defender Application Control policy, where deny rules for additional drivers can be added. Blocking alone is not sufficient, however. An EDR killer runs in the final stage of the intrusion, just before the encryptor, so by the time it appears the attacker already holds administrative access and can swap in another driver or a driverless tool.

The implication is that defenses must be layered, with detection and response at every stage of the intrusion rather than a single control at the end. As ESET notes, EDR killers remain attractive because they are cheap, reliable, and decoupled from the encryptor, which lets ransomware developers put their effort into disruption tooling instead of stealth.
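As an added example (not ESET's tooling and not code from the original article), the following Python sketches the detection side of two behaviours described above: a kernel-mode driver service installed from a non-standard path, as a BYOVD loader would create (modelled on System event 7045), and the built-in commands (sc, net stop, taskkill) aimed at security services or processes (modelled on Sysmon event 1 / Security event 4688). The watch-list names, the sample records, the function names and the expected driver directories are assumptions made for the example; the watch-list uses Microsoft Defender's service and process names only as an illustration and must be replaced with the names of the product actually deployed.

```python
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple
import re

# Constructed watch-list for the example. The names are Microsoft Defender's
# service and process names; a real rule set must carry the names of whatever
# EDR/AV product is actually deployed.
WATCHED_SERVICES = {"windefend", "sense", "wdnissvc"}
WATCHED_IMAGES = {"msmpeng.exe", "mssense.exe", "nissrv.exe"}

# Directories the OS itself installs kernel drivers into (assumed for the
# example). A driver service whose image lives anywhere else (user profile,
# ProgramData, Temp) is a lead, not a verdict: some vendors legitimately ship
# drivers outside these paths.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def normalize_image_path(image_path: str) -> str:
    """Fold the path spellings seen in System 7045 into one lower-case form."""
    p = image_path.strip().strip('"').lower()
    p = p.replace("\\??\\", "")
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        p = p.replace(prefix, "c:\\windows\\")
    if p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def driver_path_is_suspicious(image_path: str) -> bool:
    """True when a kernel driver image sits outside the OS driver directories."""
    return not normalize_image_path(image_path).startswith(EXPECTED_DRIVER_DIRS)


def command_targets_security_tooling(cmdline: str) -> Optional[str]:
    """Match the built-in command patterns EDR-killer scripts use; return a reason or None."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens:
        return None
    exe = PureWindowsPath(tokens[0]).name
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = tokens[1:]
    if exe == "sc" and args:
        if args[0] in {"stop", "delete", "config"} and len(args) > 1 and args[1] in WATCHED_SERVICES:
            return f"sc {args[0]} against protected service {args[1]}"
        # sc syntax is "type= kernel" (space after '='); the regex tolerates both spellings
        if args[0] == "create" and re.search(r"type=\s*kernel\b", " ".join(args)):
            return "sc create of a kernel-mode driver service"
    if exe in {"net", "net1"} and len(args) > 1 and args[0] == "stop" and args[1] in WATCHED_SERVICES:
        return f"net stop against protected service {args[1]}"
    if exe == "taskkill":
        for i, a in enumerate(args[:-1]):
            if a == "/im" and args[i + 1] in WATCHED_IMAGES:
                return f"taskkill against protected image {args[i + 1]}"
    return None


def analyze(events: List[dict]) -> List[Tuple[str, str]]:
    """Run both checks over simplified event records and collect (reason, detail) findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045 and ev.get("ServiceType", "").lower() == "kernel mode driver":
            if driver_path_is_suspicious(ev["ImagePath"]):
                findings.append(("kernel driver service from non-standard path", ev["ServiceName"]))
        elif ev.get("EventID") in (1, 4688) and "CommandLine" in ev:
            reason = command_targets_security_tooling(ev["CommandLine"])
            if reason:
                findings.append((reason, ev["CommandLine"]))
    return findings


# Constructed records, modelled on System 7045 (service installed) and
# Sysmon 1 / Security 4688 (process creation); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "vendorutil", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\Public\\vendorutil.sys"},
    {"EventID": 7045, "ServiceName": "mouclass", "ServiceType": "kernel mode driver",
     "ImagePath": "system32\\DRIVERS\\mouclass.sys"},
    {"EventID": 1, "CommandLine": "sc delete WinDefend"},
    {"EventID": 1, "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"EventID": 1, "CommandLine": "net stop Spooler"},
    {"EventID": 4688, "CommandLine": "\"C:\\Windows\\System32\\sc.exe\" create vendorutil type= kernel binPath= C:\\Users\\Public\\vendorutil.sys"},
]

if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_EVENTS):
        print(f"[!] {reason}: {detail}")
```

Run against the constructed records, the script flags four of the six events: the driver service created under C:\Users\Public, the sc delete and taskkill aimed at Defender, and the sc create of a kernel-mode service, while the in-box mouse driver and the unrelated net stop pass. The driver-path rule is deliberately a lead rather than a verdict; in production it belongs alongside a hash or signer check against the vulnerable driver blocklist the article recommends.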
