EDR Killers Exploit 35 Vulnerable Drivers to Disable Security Software
Summary
54 EDR killers leverage 35 vulnerable drivers to gain kernel-mode privileges and terminate security tools before ransomware deployment.
Threat Analysis
A significant trend in ransomware intrusions involves the use of "EDR killer" programs designed to neutralize Endpoint Detection and Response (EDR) solutions before deploying file-encrypting malware. ESET research reveals that 54 different EDR killers exploit 35 vulnerable drivers using "bring your own vulnerable driver" (BYOVD) techniques. These tools abuse legitimately signed but vulnerable drivers to gain kernel-mode privileges (Ring 0), which provide unrestricted access to system memory and hardware. With that access, attackers can terminate EDR processes, disable security tools, and tamper with kernel callbacks.

EDR killers are developed by closed ransomware groups, by attackers adapting existing proof-of-concept code, and by cybercriminals selling such tools on underground marketplaces. Organizations must implement driver signature verification, maintain updated driver blocklists, and deploy defense-in-depth strategies to detect and prevent these evasion techniques.
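As an added illustration of the blocklist and signature checks recommended above (example code written for this page, not from ESET's research), the script below triages driver-load records shaped like Sysmon Event ID 6 (DriverLoad) entries flattened to key=value pairs. Every hash, path and signer name is a constructed placeholder; in practice the blocklist would be fed from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
"""Triage driver-load events for BYOVD indicators (constructed sample data)."""
import re

# Constructed blocklist of SHA-256 hashes of known-abusable drivers (placeholders).
BLOCKED_SHA256 = {"1" * 64, "2" * 64}

# Constructed events mimicking Sysmon Event ID 6 fields; not real telemetry.
SAMPLE_EVENTS = [
    f"EventID=6;ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys;"
    f"Hashes=SHA256={'a' * 64};Signed=true;Signature=Microsoft Windows;SignatureStatus=Valid",
    f"EventID=6;ImageLoaded=C:\\Users\\Public\\tmp\\dropped.sys;"
    f"Hashes=SHA256={'1' * 64};Signed=true;Signature=Example Vendor;SignatureStatus=Valid",
    f"EventID=6;ImageLoaded=C:\\Temp\\loader.sys;"
    f"Hashes=SHA256={'3' * 64};Signed=false;Signature=;SignatureStatus=Unavailable",
    f"EventID=6;ImageLoaded=C:\\Temp\\old.sys;"
    f"Hashes=SHA256={'4' * 64};Signed=true;Signature=Example Vendor;SignatureStatus=Invalid",
]


def parse_event(line):
    """Split 'k=v;k=v' into a dict; the Hashes field becomes a per-algorithm dict."""
    fields = dict(re.findall(r"(\w+)=([^;]*)", line))
    hashes = {}
    for pair in fields.get("Hashes", "").split(","):
        if "=" in pair:
            algo, value = pair.split("=", 1)
            hashes[algo.upper()] = value.lower()
    fields["hashes"] = hashes
    return fields


def assess(event):
    """Return a reason string if the driver load warrants review, else None."""
    if event["hashes"].get("SHA256") in BLOCKED_SHA256:
        return "blocklisted driver hash"
    if event.get("Signed", "").lower() != "true":
        return "unsigned driver"
    if event.get("SignatureStatus") != "Valid":
        return f"signature status {event.get('SignatureStatus')!r}"
    return None


def triage(lines):
    """Return [(image_path, reason)] for every DriverLoad event that should be reviewed."""
    findings = []
    for ev in (parse_event(line) for line in lines):
        reason = assess(ev) if ev.get("EventID") == "6" else None
        if reason:
            findings.append((ev.get("ImageLoaded", "?"), reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"REVIEW {path}: {reason}")
```

A driver that is blocklisted yet carries a valid signature (the second sample) is exactly the BYOVD case: signature verification alone does not catch it, which is why the blocklist check runs first.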