Ransomware Gangs Use EDR Killers to Disable Security Products, ESET Warns
Key Takeaways
- Ransomware gangs are increasingly using sophisticated EDR killers to disable security products before launching attacks.
- The techniques extend beyond traditional Bring Your Own Vulnerable Driver (BYOVD) methods to include driverless tools, custom scripts, and legitimate anti-rootkit utilities.
- ESET Research has identified nearly 90 active EDR killers, with a significant shift towards driverless methods that are harder to detect.
- The EDR killer market is maturing, with proprietary tools, modified open-source code, and “EDR killer as a service” offerings prevalent among threat actors.
- Organizations must focus on behavioral detection of security tampering rather than solely tracking specific vulnerable drivers to counter this evolving threat.
Modern ransomware operations routinely include tools built to neutralize endpoint security solutions before file encryption begins. The tactic raises the attackers' success rate by opening a window during which the target has no effective endpoint protection.
A recent comprehensive report from ESET Research highlights a significant evolution in this threat landscape. While the well-known “Bring Your Own Vulnerable Driver” (BYOVD) technique remains prevalent, attackers are increasingly adopting driverless methods, custom command-line scripts, and even weaponizing legitimate anti-rootkit utilities to disable security defenses.
Why EDR Killers are Preferred by Attackers
Rather than continuously adapting ransomware encryptors to evade detection, threat actors find it more efficient to first disable security software. EDR killers offer a reliable and cost-effective solution, providing attackers with a predictable environment to deploy their inherently noisy encryption payloads without immediate interference.

ESET’s analysis reveals an interesting dynamic: the choice of EDR killer often rests with ransomware affiliates rather than the core ransomware-as-a-service operators. This decentralized decision-making fosters considerable diversity in tooling, as affiliates select various EDR killers based on their specific intrusion requirements and technical proficiency.
Although BYOVD, which loads a legitimately signed but vulnerable kernel driver and abuses it to kill protected processes, remains the most common method, the range of techniques behind EDR killers is expanding rapidly. ESET researchers are tracking nearly 90 distinct EDR killers in circulation; 54 of them rely on BYOVD, exploiting 35 different vulnerable drivers between them.
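The BYOVD side of this picture can be monitored from driver-load telemetry: check each loaded driver's hash against a blocklist, and treat a validly signed driver dropped into a user-writable path as suspicious even when its hash is unknown. The script below is an added example for this article, not ESET's code; its records are constructed to resemble Sysmon Event ID 6 (DriverLoad) fields, and every SHA256 value in it is a placeholder rather than the hash of a real vulnerable driver.

```python
"""Flag driver-load events that look like BYOVD staging.

Added example for this article, not ESET's code. The records are constructed to
resemble Sysmon Event ID 6 (DriverLoad) fields (ImageLoaded, Hashes, Signed,
SignatureStatus); the SHA256 values in BLOCKED_DRIVER_SHA256 and in the sample
events are placeholders, not hashes of real vulnerable drivers.
"""
import re
from dataclasses import dataclass

# Placeholder blocklist (hypothetical hashes). In practice this would be fed from
# the Microsoft vulnerable driver blocklist or a project such as LOLDrivers.
BLOCKED_DRIVER_SHA256 = {
    "aa" * 32: "placeholder-vulnerable-driver-1.sys",
    "bb" * 32: "placeholder-vulnerable-driver-2.sys",
}

# A legitimate driver install normally comes from System32\drivers or a vendor
# program directory, not from a user-writable drop location.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Users\\Public|ProgramData)\\", re.IGNORECASE)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_driverload(record: dict) -> DriverLoad:
    """Extract what we need from a Sysmon-style DriverLoad record.
    The Hashes field is 'SHA256=...,IMPHASH=...' style key=value pairs."""
    hashes = dict(part.split("=", 1) for part in record["Hashes"].split(","))
    return DriverLoad(
        image=record["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=str(record.get("Signed", "false")).lower() == "true",
        signature_status=record.get("SignatureStatus", "Unsigned"),
    )


def assess_driver(ev: DriverLoad) -> list:
    """Return the reasons (possibly none) this load deserves attention."""
    reasons = []
    if ev.sha256 in BLOCKED_DRIVER_SHA256:
        reasons.append("blocklisted: " + BLOCKED_DRIVER_SHA256[ev.sha256])
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("signature " + ev.signature_status)
    if USER_WRITABLE.search(ev.image):
        reasons.append("loaded from user-writable path")
    return reasons


def scan(records):
    """Return [(image, reasons)] for every record with at least one reason."""
    findings = []
    for r in records:
        ev = parse_driverload(r)
        reasons = assess_driver(ev)
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "cc" * 32 + ",IMPHASH=00000000000000000000000000000000",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Validly signed, so a signature check alone passes it; the hash and the drop path do not.
    {"ImageLoaded": r"C:\Users\Public\drv.sys",
     "Hashes": "SHA256=" + "AA" * 32 + ",IMPHASH=00000000000000000000000000000000",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\x.sys",
     "Hashes": "SHA256=" + "dd" * 32,
     "Signed": "false", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The second sample record is the instructive one: the driver is validly signed, which is exactly what makes BYOVD work, so only the hash match and the drop path catch it. That is also why a hash blocklist alone lags the attackers, since a newly abused driver has no entry yet.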

Attackers with lower skill sets may fall back on simple command scripts, or on rebooting the system into Windows Safe Mode, where many third-party services, security agents included, do not start. More advanced affiliates weaponize legitimate anti-rootkit programs such as GMER and PC Hunter. These tools were built to remove deeply embedded kernel malware and ship their own signed kernel drivers with broad power over running processes, which makes them equally capable of terminating security processes.

A particularly concerning development is the rise of driverless EDR killers. Tools such as EDRSilencer and EDR-Freeze need no vulnerable kernel driver at all. Instead, they cut the network path between the endpoint agent and the security backend (EDRSilencer adds Windows Filtering Platform rules that block the agent's outbound traffic) or leave the EDR processes running but suspended so that they no longer inspect anything. These methods are harder for defenders to catch because detections keyed on driver loads and vulnerable-driver hashes never fire; what remains observable is the tampering behavior itself.
The EDR Killer Ecosystem
ESET’s investigation categorizes the developers of these malicious tools into three primary groups. First, closed groups like Embargo, DeadLock, and Warlock develop their proprietary EDR killers from scratch. Researchers suspect that groups such as Warlock may be employing Artificial Intelligence to aid in the development and continuous updating of their EDR killer code.
Second, many attackers modify publicly available proof-of-concept (PoC) code. Open repositories provide readily available templates that attackers can easily adapt by changing programming languages or implementing simple code obfuscation techniques.
Finally, a burgeoning underground market offers “EDR killer as a service.” Commercial tools are actively sold on dark web forums to affiliates of major ransomware gangs, often accompanied by customer support.
The widespread trading and sharing of these tools present a significant challenge for cybersecurity defenders. Analyzing a specific vulnerable driver is no longer sufficient to identify a particular ransomware gang, as unrelated tools may exploit the same driver, and a single threat group might utilize multiple drivers across different attacks.
As the EDR killer market continues to mature and commercialize, organizations must shift their focus from merely tracking specific vulnerable drivers to detecting the behavioral indicators of security tampering.
What You Should Do
- Implement robust behavioral detection mechanisms within your EDR solutions to identify anomalous process terminations, network communication disruptions, or attempts to freeze security software.
- Regularly audit and monitor system logs for suspicious activity, especially around security product processes and kernel interactions.
- Do not rely on patching alone against BYOVD: the attacker brings the vulnerable driver, so the relevant control is preventing known-vulnerable drivers from loading at all (for example through Microsoft's vulnerable driver blocklist and driver allow-listing), alongside keeping the system's own drivers current.
- Educate security teams on the evolving tactics of EDR killers, including driverless techniques and the weaponization of legitimate tools.
- Consider multi-layered security approaches that include network segmentation, least privilege principles, and strong access controls to limit the impact of successful EDR bypasses.
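The behavioral detections recommended above, covering the Safe Mode and kill-command tricks, the suspend-or-terminate handle that an EDR-Freeze style tool needs, and the EDRSilencer style WFP block filter, can be expressed as a single pass over endpoint telemetry. The code below is an added example for this article, not ESET's or any vendor's code. It runs over a constructed event stream with Sysmon-style fields for process creation, termination and process access, plus a condensed WFP filter-change record whose keys are an assumption of this example rather than the real Windows event schema; the product process and service names are placeholders.

```python
"""Behavioral detection of security-product tampering over a constructed event stream.

Added example for this article, not ESET's or any vendor's code. Each record is a
simplified dictionary: Sysmon-style fields for EventID 1 (ProcessCreate),
5 (ProcessTerminate) and 10 (ProcessAccess), plus a condensed WFP filter-change
record (EventID 5447) whose 'Action', 'Layer', 'AppId' and 'AddedBy' keys are an
assumption of this example, not the real event schema. Process and service names
in PROTECTED_IMAGES / PROTECTED_SERVICES are placeholders.
"""
import re

# Assumed process and service names of the security product on this host.
PROTECTED_IMAGES = {"edrsvc.exe", "edragent.exe", "msmpeng.exe"}
PROTECTED_SERVICES = {"edrsvc", "windefend"}

# Sysmon GrantedAccess bits that allow a caller to kill or freeze a process.
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive Windows matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_tamper(cmdline: str):
    """Return a label if a command line looks like a low-skill EDR bypass, else None."""
    low = cmdline.lower()
    if re.search(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", low):
        return "reboot into Safe Mode via bcdedit"
    if re.search(r"\b(taskkill|sc|net)(\.exe)?\b", low) and any(
        n in low for n in PROTECTED_IMAGES | PROTECTED_SERVICES
    ):
        return "kill/stop command naming a security process or service"
    return None


def detect(events):
    """Walk the event stream once; return (rule, detail) alerts in order."""
    alerts = []
    terminate_handles = set()  # protected images that received a terminate/suspend handle
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            label = cmdline_tamper(ev["CommandLine"])
            if label:
                alerts.append((label, ev["CommandLine"]))
        elif eid == 10:
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if dst in PROTECTED_IMAGES and src not in PROTECTED_IMAGES:
                access = int(ev["GrantedAccess"], 16)
                if access & (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME):
                    terminate_handles.add(dst)
                    alerts.append(("terminate/suspend handle opened to security process",
                                   f"{ev['SourceImage']} -> {ev['TargetImage']} ({ev['GrantedAccess']})"))
        elif eid == 5:
            img = basename(ev["Image"])
            if img in PROTECTED_IMAGES:
                rule = ("security process exited after terminate/suspend handle (likely killed)"
                        if img in terminate_handles else "security process exited")
                alerts.append((rule, ev["Image"]))
        elif eid == 5447:
            # Driverless network silencing: a Block filter whose application condition
            # names a security binary, added by something other than the firewall service.
            if ev["Action"].lower() == "block" and basename(ev["AppId"]) in PROTECTED_IMAGES:
                alerts.append(("WFP block filter aimed at security process",
                               f"{ev['Layer']} appId={ev['AppId']} addedBy={ev['AddedBy']}"))
    return alerts


# Constructed sample stream (not real telemetry): a benign process and a benign
# query-only handle first, then the tampering patterns the article describes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\EDR\edrsvc.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\killer.exe",
     "TargetImage": r"C:\Program Files\EDR\edrsvc.exe", "GrantedAccess": "0x1001"},
    {"EventID": 5, "Image": r"C:\Program Files\EDR\edrsvc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"EventID": 5447, "Action": "Block", "Layer": "ALE_AUTH_CONNECT_V4",
     "AppId": r"\device\harddiskvolume3\program files\edr\edragent.exe",
     "AddedBy": r"C:\Users\Public\silencer.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

None of these rules looks at a driver hash, which is the point of the article's closing recommendation: the same alerts fire whether the tampering came through a vulnerable driver, an anti-rootkit utility, or a driverless tool. The GrantedAccess mask check is deliberately narrow (terminate or suspend rights only) so that ordinary query-only handles such as Task Manager's do not alert, and the correlation between a terminate-rights handle and a later exit of the same process is what separates a kill from a normal restart. For the WFP case, the live equivalent of the simplified record is the filter list from `netsh wfp show filters`, where a persistent Block filter whose application condition names the agent binary is the artifact to hunt for.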
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.