Ransomware Gangs Use EDR Killers to Disable Security Products, ESET Warns


David kimber
April 11, 2026

Key Takeaways

  • Ransomware gangs are increasingly using sophisticated EDR killers to disable security products before launching attacks.
  • The techniques extend beyond traditional Bring Your Own Vulnerable Driver (BYOVD) methods to include driverless tools, custom scripts, and legitimate anti-rootkit utilities.
  • ESET Research has identified nearly 90 active EDR killers, with a significant shift towards driverless methods that are harder to detect.
  • The EDR killer market is maturing, with proprietary tools, modified open-source code, and “EDR killer as a service” offerings prevalent among threat actors.
  • Organizations must focus on behavioral detection of security tampering rather than solely tracking specific vulnerable drivers to counter this evolving threat.

Modern ransomware operations routinely incorporate sophisticated tools designed to neutralize endpoint security solutions before initiating file encryption. This tactic ensures a higher success rate for threat actors by creating a window of vulnerability in targeted systems.

A recent comprehensive report from ESET Research highlights a significant evolution in this threat landscape. While the well-known “Bring Your Own Vulnerable Driver” (BYOVD) technique remains prevalent, attackers are increasingly adopting driverless methods, custom command-line scripts, and even weaponizing legitimate anti-rootkit utilities to disable security defenses.

Why EDR Killers are Preferred by Attackers

Rather than continuously adapting ransomware encryptors to evade detection, threat actors find it more efficient to first disable security software. EDR killers offer a reliable and cost-effective solution, providing attackers with a predictable environment to deploy their inherently noisy encryption payloads without immediate interference.

Susanoo EDR killer’s loading screen (Source: ESET)

ESET’s analysis reveals an interesting dynamic: the choice of EDR killer often rests with ransomware affiliates rather than the core ransomware-as-a-service operators. This decentralized decision-making fosters considerable diversity in tooling, as affiliates select various EDR killers based on their specific intrusion requirements and technical proficiency.

Although BYOVD, which exploits vulnerable kernel drivers, remains the most common method, the technology underpinning EDR killers is undergoing rapid expansion. ESET researchers are actively monitoring nearly 90 distinct EDR killers in circulation, with 54 of these leveraging BYOVD to exploit 35 different vulnerable drivers.

Code similarities between kill-floor (Source: ESET)

Attackers with lower skill sets may resort to simple command scripts or rebooting systems into Windows Safe Mode to bypass security. More advanced affiliates, however, are weaponizing legitimate anti-rootkit programs like GMER and PC Hunter. These tools, originally designed to remove deep-kernel malware, possess elevated privileges that make them ideal for terminating active security processes.

The advertisement for DemoKiller (Source: ESET)

A particularly concerning development is the rise of driverless EDR killers. Tools such as EDRSilencer and EDR-Freeze operate without needing to interact with the system kernel. Instead, they disrupt network communication between the endpoint and the security backend or force EDR software into a frozen state. These methods pose a greater challenge for network defenders to detect because they do not rely on traditional driver vulnerabilities.

The EDR Killer Ecosystem

ESET’s investigation categorizes the developers of these malicious tools into three primary groups. First, closed groups like Embargo, DeadLock, and Warlock develop their proprietary EDR killers from scratch. Researchers suspect that groups such as Warlock may be using artificial intelligence to aid in the development and continuous updating of their EDR killer code.

Second, many attackers modify publicly available proof-of-concept (PoC) code. Open repositories provide readily available templates that attackers can easily adapt by changing programming languages or implementing simple code obfuscation techniques.

Finally, a burgeoning underground market offers “EDR killer as a service.” Commercial tools are actively sold on dark web forums to affiliates of major ransomware gangs, often accompanied by customer support.

The widespread trading and sharing of these tools present a significant challenge for cybersecurity defenders. Analyzing a specific vulnerable driver is no longer sufficient to identify a particular ransomware gang, as unrelated tools may exploit the same driver, and a single threat group might utilize multiple drivers across different attacks.

As the EDR killer market continues to mature and commercialize, organizations must shift their focus from merely tracking specific vulnerable drivers to detecting the behavioral indicators of security tampering.

What You Should Do

  • Implement robust behavioral detection mechanisms within your EDR solutions to identify anomalous process terminations, network communication disruptions, or attempts to freeze security software.
  • Regularly audit and monitor system logs for suspicious activity, especially around security product processes and kernel interactions.
  • Apply patches promptly to address known driver vulnerabilities, even if BYOVD is not the sole method of attack.
  • Educate security teams on the evolving tactics of EDR killers, including driverless techniques and the weaponization of legitimate tools.
  • Consider multi-layered security approaches that include network segmentation, least privilege principles, and strong access controls to limit the impact of successful EDR bypasses.
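The first two recommendations above amount to correlating tamper-class events per host rather than matching a list of vulnerable driver hashes. The script below is an added example written for this article, not ESET's or the author's code: it scores constructed telemetry records by what is done to the security product (process termination or suspension, service stop, network blocking, kernel driver load, safe-boot changes), so driverless killers and script-based tampering are caught by the same rule. The process and service names, event categories, weights and record format are all assumptions.

```python
# Added example (not ESET's or the article's code): behavioural triage of security
# tampering on constructed telemetry, keyed on what is done to the security product,
# not on which vulnerable driver did it, so driverless killers are covered too.
from collections import defaultdict
from datetime import datetime, timedelta

PROTECTED = {"edragent.exe", "edrsvc"}        # assumed names of the EDR's process/service
TAMPER = {                                    # weight per category; several together => alert
    "process_terminate": 2, "process_suspend": 3, "service_stop": 2,
    "net_block": 3, "driver_load": 2, "safeboot_set": 3,
}
WINDOW = timedelta(minutes=10)

def parse(line):
    """Constructed record format: ts|host|event|target."""
    ts, host, event, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "target": target.lower()}

def is_tamper(ev):
    """Tamper-class event aimed at a protected component (drivers/safeboot always count)."""
    if ev["event"] not in TAMPER:
        return False
    if ev["event"] in ("driver_load", "safeboot_set"):
        return True
    return any(p in ev["target"] for p in PROTECTED)

def triage(lines, threshold=5):
    """{host: (score, categories)} where distinct tamper categories within WINDOW reach threshold."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        if is_tamper(ev):
            by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cats = {e["event"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            score = sum(TAMPER[c] for c in cats)     # repeats of one category do not add up
            if score >= threshold and score > alerts.get(host, (0,))[0]:
                alerts[host] = (score, sorted(cats))
    return alerts

SAMPLE = [  # constructed telemetry, not real logs
    "2026-04-10T09:00:00|ws01|process_terminate|edragent.exe",
    "2026-04-10T09:01:30|ws01|net_block|C:\\Program Files\\EDR\\edragent.exe",
    "2026-04-10T09:02:00|ws01|service_stop|edrsvc",
    "2026-04-10T09:00:00|ws02|process_terminate|notepad.exe",        # benign, ignored
    "2026-04-10T11:00:00|ws03|driver_load|C:\\Windows\\Temp\\x.sys",  # alone: below threshold
]
```

On the sample, only ws01 is raised (score 7: termination, network block and service stop inside ten minutes); a lone driver load on ws03 is recorded but stays below the threshold, which is the trade-off to tune against your own baseline.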

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.