
54 EDR Killers Leverage BYOVD to Exploit 34 Vulnerable Signed Drivers and Disable Security


Rising Threats: An In-Depth Look into EDR Killers in Ransomware Attacks

A recent analysis by the cybersecurity firm ESET examines endpoint detection and response (EDR) killers in depth. It finds that 54 EDR killer tools use the Bring Your Own Vulnerable Driver (BYOVD) technique, between them abusing 34 distinct vulnerable signed drivers to gain kernel access and disable security products.

EDR killers have become a standard component of ransomware attacks. These purpose-built tools disable security products so that the file-encrypting payload can run unhindered. Demand for them comes from the ransomware ecosystem itself, particularly ransomware-as-a-service (RaaS) programs, which must keep updating their encryptors to stay undetected.

According to ESET researcher Jakub Souček, every new encryptor build has to stay under the radar, and achieving that is a complex and time-consuming process. Encryptors are also inherently noisy, modifying a large number of files in a short time, which makes keeping them undetected harder still.

EDR killers are typically external components that disable security controls before the ransomware itself runs. Keeping the two separate keeps the encryption logic simple and stable. In some cases, however, the EDR-killing functionality is built into the same binary as the ransomware, as with the Reynolds ransomware.

The primary technique is the abuse of legitimate but vulnerable drivers, which gives the attacker kernel-level privileges and with them the means to reach their objectives quickly. Of the nearly 90 EDR killer tools ESET identified, more than half rely on BYOVD, a measure of how effective and reliable the approach is.

The objective of a BYOVD attack is kernel-mode execution, often called Ring 0 access, which gives unrestricted control over system memory and hardware. Because 64-bit Windows enforces driver signature enforcement and will not load an unsigned driver, the attacker instead drops and loads a legitimately signed driver (often from a trusted hardware vendor or an outdated antivirus product) that contains a known vulnerability. Loading a driver still requires administrator rights (SeLoadDriverPrivilege), so BYOVD is a step from administrator to kernel, not an initial-access technique.

With kernel access, the attacker can terminate EDR processes or, more subtly, remove the kernel notification callbacks (process-, thread- and image-load callbacks, and in some cases minifilter registrations) that EDR drivers rely on to observe the system, blinding the product without necessarily stopping it. The technique exploits Microsoft's driver trust model: the loaded driver is genuine and correctly signed, so signature checks alone neither detect nor prevent it.
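The driver load is the point at which BYOVD becomes observable in telemetry. The following triage routine is an added example, not ESET's code, and runs over constructed Sysmon Event ID 6 (DriverLoad) records. The file names RTCore64.sys and dbutil_2_3.sys are real entries on Microsoft's vulnerable driver blocklist; every hash, path and signer string in the sample records is made up for the example, and the trusted-directory list is an assumption to tune per environment.

```python
"""Triage driver-load telemetry for BYOVD activity.

Added example (not ESET's code). Input is a few constructed Sysmon
Event ID 6 (DriverLoad) records; the hashes and signer strings are
placeholders. The two named drivers are genuine blocklist entries.
"""

# Seed list of known-abused driver file names (assumption: populate from
# Microsoft's vulnerable driver blocklist or loldrivers.io in practice).
KNOWN_ABUSED_NAMES = {"rtcore64.sys", "dbutil_2_3.sys"}

# SHA-256 values to deny regardless of file name. Constructed placeholder,
# standing in for hashes taken from a real blocklist.
BLOCKLIST_SHA256 = {"b2" * 32}

# Directories from which a driver load is considered ordinary (assumption).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event):
    """Return the reasons a DriverLoad record deserves attention.

    An empty list means nothing stands out. A 'Valid' signature never
    clears a driver: BYOVD relies on drivers whose signatures are genuine.
    """
    reasons = []
    path = event["ImageLoaded"].replace("/", "\\").lower()
    name = path.rsplit("\\", 1)[-1]
    hashes = parse_hashes(event.get("Hashes", ""))

    if hashes.get("SHA256") in BLOCKLIST_SHA256:
        reasons.append("blocklisted_hash")          # survives renaming
    if name in KNOWN_ABUSED_NAMES:
        reasons.append("known_abused_driver_name")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded_outside_driver_directories")
    # Windows performs no revocation check when loading a kernel driver, so
    # expired or revoked certificates still load; Sysmon records the status.
    status = event.get("SignatureStatus", "")
    if event.get("Signed", "").lower() == "true" and status != "Valid":
        reasons.append("signature_status_" + status.lower().replace(" ", "_"))
    return reasons


def triage_all(events):
    """Map each loaded image path to its reasons, keeping only hits."""
    result = {}
    for ev in events:
        reasons = triage_driver_load(ev)
        if reasons:
            result[ev["ImageLoaded"]] = reasons
    return result


# Constructed sample telemetry (not real log data).
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "01" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Genuine vendor signature and valid status, but dropped to a user-writable path.
    {"ImageLoaded": r"C:\Users\Public\RTCore64.sys",
     "Hashes": "SHA256=" + "a1" * 32, "Signed": "true",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    # Renamed copy of a blocklisted driver placed in the normal driver directory.
    {"ImageLoaded": r"C:\Windows\System32\drivers\avfilter.sys",
     "Hashes": "SHA256=" + "b2" * 32, "Signed": "true",
     "Signature": "Example AV Vendor", "SignatureStatus": "Valid"},
    # Unknown driver from ProgramData carrying an expired certificate.
    {"ImageLoaded": r"C:\ProgramData\update\helper.sys",
     "Hashes": "SHA256=" + "c3" * 32, "Signed": "true",
     "Signature": "Example Hardware Co.", "SignatureStatus": "Expired"},
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_DRIVER_LOADS).items():
        print(image, "->", ", ".join(reasons))
```

The hash rule matters more than the name rule: a renamed copy of a blocklisted driver in System32\drivers still matches, while the legitimate ndis.sys produces nothing. The path and signature-status rules are weaker signals on their own and are there to surface drivers that are not yet on any list.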

The analysis groups the developers of BYOVD-based EDR killers into three categories:

  1. Closed ransomware groups: groups such as DeadLock and Warlock that operate independently and do not rely on affiliates.

  2. Attackers modifying proof-of-concept code: individuals or groups that take existing proof-of-concept projects, such as SmilingKiller and TfSysMon-Killer, and adapt them for their own operations.

  3. Underground market vendors: criminals who sell EDR killers as a service, with offerings such as DemoKiller, ABYSSWORKER, and CardSpaceKiller.

ESET also found script-based tools that use built-in administrative commands (taskkill, net stop, sc delete) to stop or remove security products and their services. Some variants combine these scripts with Windows Safe Mode, a minimal boot environment in which most security solutions do not load, so that after a forced reboot the encryptor runs with the protection absent.
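A detection routine for the script-based and Safe Mode techniques just described, as an added example rather than ESET's code. The process-creation records it reads (Sysmon Event ID 1 / Security 4688 style) are constructed here, and the service and process names are an illustrative seed list (Defender's WinDefend, Sense and MsMpEng, ESET's ekrn and egui, and two other agent service names), not a complete one:

```python
"""Spot script-based EDR-killer commands and the Safe Mode reboot trick.

Added example (not ESET's code). The records below are constructed; the
SECURITY_NAMES list is an illustrative assumption to replace with the
products actually deployed.
"""
import shlex
from datetime import datetime, timedelta

# Illustrative security service / process names (assumption).
SECURITY_NAMES = {
    "windefend", "sense", "msmpeng",      # Microsoft Defender
    "ekrn", "egui",                        # ESET
    "sentinelagent", "csfalconservice",    # other EDR agents
}


def basename(token):
    """Strip directory and a trailing .exe from a command token."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def tokens(cmd):
    """Tokenize a Windows command line, keeping backslashes intact."""
    try:
        parts = shlex.split(cmd, posix=False)
    except ValueError:        # unbalanced quotes: fall back to whitespace split
        parts = cmd.split()
    return [p.strip('"').lower() for p in parts]


def classify(cmd):
    """Return (tag, target) findings for one command line."""
    toks = tokens(cmd)
    if not toks:
        return []
    exe, args = basename(toks[0]), toks[1:]
    found = []
    if exe in ("net", "net1") and len(args) >= 2 and args[0] == "stop":
        if args[1] in SECURITY_NAMES:
            found.append(("service_stop", args[1]))
    elif exe == "sc" and len(args) >= 2 and args[0] in ("stop", "delete", "config"):
        if args[1] in SECURITY_NAMES:
            found.append(("service_" + args[0], args[1]))
    elif exe == "taskkill":
        for i, a in enumerate(args[:-1]):
            if a == "/im" and basename(args[i + 1]) in SECURITY_NAMES:
                found.append(("process_kill", basename(args[i + 1])))
    elif exe == "bcdedit" and "safeboot" in args:
        found.append(("safeboot_bcdedit", " ".join(args)))
    elif exe == "reg" and args and args[0] == "add":
        # Registering a service under SafeBoot\Minimal makes it start in Safe Mode.
        for a in args[1:]:
            if "\\control\\safeboot\\" in a:
                found.append(("safeboot_persistence", a))
    elif exe == "shutdown" and "/r" in args:
        found.append(("reboot", ""))      # only meaningful in sequence, see hunt()
    return found


def hunt(events, window=timedelta(minutes=10)):
    """Correlate per host: a reboot shortly after a safeboot change completes
    the Safe Mode trick; a plain reboot on its own is not reported."""
    alerts = []
    last_safeboot = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        for tag, target in classify(ev["cmd"]):
            if tag == "reboot":
                seen = last_safeboot.get(ev["host"])
                if seen is not None and t - seen <= window:
                    alerts.append((ev["host"], "safeboot_reboot_sequence", ev["cmd"]))
                continue
            if tag == "safeboot_bcdedit":
                last_safeboot[ev["host"]] = t
            alerts.append((ev["host"], tag, target))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-06-01T10:00:00", "cmd": r'"C:\Windows\System32\net.exe" stop WinDefend'},
    {"host": "WS01", "time": "2025-06-01T10:00:02", "cmd": r"sc config ekrn start= disabled"},
    {"host": "WS01", "time": "2025-06-01T10:00:03", "cmd": r"taskkill /F /IM MsMpEng.exe"},
    {"host": "WS01", "time": "2025-06-01T10:00:05", "cmd": r"bcdedit /set {current} safeboot minimal"},
    {"host": "WS01", "time": "2025-06-01T10:00:06",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc" /ve /t REG_SZ /d Service /f'},
    {"host": "WS01", "time": "2025-06-01T10:00:09", "cmd": r"shutdown /r /f /t 0"},
    {"host": "WS02", "time": "2025-06-01T10:05:00", "cmd": r"net stop Spooler"},   # routine admin work
    {"host": "WS02", "time": "2025-06-01T10:06:00", "cmd": r"shutdown /r /t 0"},   # reboot without safeboot
]

if __name__ == "__main__":
    for host, tag, target in hunt(SAMPLE_EVENTS):
        print(host, tag, target)
```

net stop, sc and taskkill are also everyday administrative tools, so the signal lies in the targeted service names and in the per-host sequence (a bcdedit safeboot change followed by a reboot), not in the commands themselves; the WS02 records show that a routine service stop and an ordinary reboot produce nothing.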

Another category is anti-rootkit tools such as GMER, HRSword, and PC Hunter. These legitimate utilities can likewise be abused to terminate protected processes or services, so organizations should treat them as dual-use. ESET also notes a newer trend of driverless EDR killers such as EDRSilencer and EDR-Freeze. Rather than unloading the product, these block its outbound traffic (EDRSilencer) or suspend its processes (EDR-Freeze), leaving the EDR present but unable to act or report, a state ESET describes as a "coma."

ESET observes that attackers have shifted effort away from making encryptors undetectable and towards hardening the user-mode component of EDR killers with anti-detection and anti-analysis techniques. This is especially true of commercial EDR killers, which often show advanced evasion.

To counter EDR killers, defenders are advised to proactively block commonly abused drivers, for example by enabling Microsoft's vulnerable driver blocklist or deploying a WDAC policy that denies them. However, an EDR killer runs only in the final stage of an attack, immediately before the encryptor. If detection has failed up to that point, an attacker whose killer is blocked can quickly switch to an alternative tool.

Organizations therefore need layered defenses and detection at every stage of the attack lifecycle, not just at the end. ESET concludes that EDR killers persist because they are cheap, reliable, and decoupled from the encryptor. That decoupling benefits both sides of the RaaS model: encryptor developers no longer need to disguise their malware, and affiliates get a powerful, reusable tool for knocking out defenses before encryption.
