Ransomware Groups Increasingly Turn to EDR Killers Outside Vulnerable Driver Tactics

Threat actors are rapidly adopting Endpoint Detection and Response (EDR) killers to bypass security protections before deploying ransomware.

According to a recent technical analysis by ESET Research and Senior Malware Researcher Jakub Souček, these evasion tools have become a predictable, standard phase in modern ransomware intrusions.

Ransomware encryptors are inherently noisy because they must rapidly modify a massive number of files. Making such destructive malware undetectable is incredibly difficult.

Instead of creating complex encryptors that actively evade detection, attackers prefer to deploy external tools that turn off security software beforehand. This approach keeps their ransomware payloads simple, stable, and highly effective.

The Expanding EDR Killer Landscape

ESET researchers currently track almost 90 different EDR killers actively used in the wild by various ransomware operations.

Susanoo EDR killer’s loading screen (Source: ESET)

The dominant evasion method remains the Bring Your Own Vulnerable Driver (BYOVD) technique. In a typical BYOVD scenario, an attacker drops a legitimate but vulnerable driver onto a compromised machine, installs it, and then exploits it to terminate protected processes.

Analysts identified 54 BYOVD-based tools abusing 35 distinct vulnerable drivers. However, the threat landscape is expanding far beyond simple vulnerable drivers.

Code similarities between kill-floor (Source: ESET)

Today, attackers are deploying script-based tools, misusing legitimate anti-rootkit software, and utilizing fully driverless methods to silence security products before the encryption process even begins.

While some actors still rely on basic administrative scripts leveraging commands like taskkill or Windows Safe Mode, a much more concerning trend is the malicious use of legitimate anti-rootkit solutions.

Tools such as GMER and PC Hunter are frequently abused. Because these administrative utilities possess legitimate kernel-level access and feature user-friendly interfaces, attackers with minimal technical skills can easily use them to terminate protected security processes.

Additionally, a new class of driverless EDR killers is quickly gaining popularity. Tools like EDRSilencer and EDR-Freeze actively block network communications or freeze EDR processes without ever interacting with the Windows kernel.

The advertisement for DemoKiller (Source: ESET)

This driverless approach makes threat detection and defense significantly more challenging for standard enterprise security teams.

The creation and distribution of EDR killers fall into three distinct categories across the cybercrime ecosystem. First, closed ransomware groups develop in-house proprietary tools.

Groups like Embargo, DeadLock, and Warlock maintain strict control over their toolsets. Warlock has experimented heavily, abusing at least nine different drivers over time, and regularly deploys multiple EDR killers per intrusion to ensure success.

Second, many attackers modify publicly available proof-of-concept code. Repositories like BlackSnufkin’s BYOVD are frequently forked and altered to bypass basic signatures. Third, a growing underground market now offers commercial “EDR killer as a service” tools.

Tools like DemoKiller, AbyssKiller, and CardSpaceKiller are actively sold to affiliates of major ransomware operations like Qilin, Medusa, and Akira.

Flaws in Threat Attribution

ESET highlights a critical flaw in current threat intelligence: driver-centric attribution is often highly misleading.

Because independent affiliates, not the core ransomware operators, usually select and deploy these EDR killers, the same vulnerable driver might appear across completely unrelated ransomware strains. This makes driver-based tracking an unreliable metric for grouping threat actors.

To defend against the rising threat of EDR killers, organizations must implement robust, layered security postures.

Defenders should deploy strict application control policies to block known vulnerable drivers and unauthorized anti-rootkit utilities. Organizations cannot rely on a single layer of defense.

Furthermore, security teams must monitor for unusual administrative commands that attempt to turn off services and hunt for anomalous network blocking behaviors associated with emerging driverless evasion tools.
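One way to turn the monitoring advice above into a concrete check, as an added example that is not code from ESET or from the article: a small Python triage routine run over constructed process-creation and driver-load events. It flags the patterns the article names (taskkill or service stops against protected security processes, Safe Mode reconfiguration via bcdedit, launches of anti-rootkit utilities such as GMER and PC Hunter, and BYOVD-style driver loads from outside the system driver directories or matching a blocklist). The protected process names, the driver blocklist hash and the executable names are placeholders or assumptions to be replaced with your own EDR vendor's values.

```python
import re
from pathlib import PureWindowsPath

# Assumptions (not from the article): fill these from your own EDR vendor's process and
# service names, your vulnerable-driver blocklist, and the anti-rootkit utilities you
# do not sanction. The values below are constructed samples, not real indicators.
PROTECTED = {"msmpeng.exe", "windefend"}                   # Defender process + service
BLOCKED_DRIVER_HASHES = {"placeholder_blocklisted_hash"}   # placeholder, not a real hash
ANTI_ROOTKIT_TOOLS = {"gmer.exe", "pchunter32.exe", "pchunter64.exe"}
SYSTEM_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/im\s+(?P<target>\S+)", re.I)
SVC_STOP_RE = re.compile(r"\b(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\s+(?P<svc>\S+)", re.I)
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.I)

def triage_event(ev: dict) -> list[str]:
    """Findings for one event ({"type": "process", "image", "cmdline"} or
    {"type": "driver", "image", "sha256"}); an empty list means nothing suspicious."""
    findings = []
    path = str(PureWindowsPath(ev.get("image", ""))).lower()
    name = PureWindowsPath(path).name
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if name in ANTI_ROOTKIT_TOOLS:
            findings.append(f"anti-rootkit utility launched: {name}")
        if (m := TASKKILL_RE.search(cmd)) and m["target"].lower() in PROTECTED:
            findings.append(f"taskkill against protected process {m['target']}")
        if (m := SVC_STOP_RE.search(cmd)) and m["svc"].lower() in PROTECTED:
            findings.append(f"service stop/disable targeting {m['svc']}")
        if SAFEBOOT_RE.search(cmd):
            findings.append("bcdedit safeboot change (Safe Mode evasion pattern)")
    elif ev["type"] == "driver":
        if ev.get("sha256", "").lower() in BLOCKED_DRIVER_HASHES:
            findings.append(f"driver {name} is on the vulnerable-driver blocklist")
        if not path.startswith(SYSTEM_DRIVER_DIRS):   # BYOVD: driver dropped outside system dirs
            findings.append(f"driver {name} loaded from non-standard path")
    return findings

# Constructed sample telemetry, not taken from the article or any real incident.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"type": "process", "image": r"C:\Users\Public\PCHunter64.exe", "cmdline": "PCHunter64.exe"},
    {"type": "driver", "image": r"C:\Users\Public\drv.sys", "sha256": "PLACEHOLDER_BLOCKLISTED_HASH"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for finding in triage_event(ev):
            print(f"event {i}: {finding}")
```

The regex rules are deliberately narrow to keep false positives low; hunting for the driverless network-blocking tools the article mentions needs host firewall or filtering-platform telemetry that this example does not model.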


The post Ransomware Groups Increasingly Turn to EDR Killers Outside Vulnerable Driver Tactics appeared first on Cyber Security News.
