54 EDR Killer Tools Exploit Vulnerable Drivers to Disable Security Software
Summary
Ransomware groups deploy 54 different EDR killer programs that exploit 35 vulnerable drivers using bring-your-own-vulnerable-driver (BYOVD) technique to neutralize endpoint security before encryption.
Threat Analysis
Ransomware intrusions increasingly involve 'EDR killer' programs designed to neutralize security software before deploying file-encrypting malware. ESET research reveals that 54 EDR killers abuse 35 vulnerable drivers using the bring-your-own-vulnerable-driver (BYOVD) technique. These tools exploit legitimate but vulnerable drivers to gain kernel-mode privileges (Ring 0), allowing them to disable security tools, tamper with kernel callbacks, and undermine endpoint protections. This makes ransomware detection significantly more challenging. Some EDR killers are script-based or utilize anti-rootkits, while newer variants like EDRSilencer and EDR-Freeze block outbound traffic from EDR solutions to prevent alert transmission.

Organizations should implement driver allowlisting policies, enable Windows Defender Application Control (WDAC) or similar technologies, monitor for suspicious driver loading activity, and maintain offline backups. Security teams should also ensure their EDR solutions can detect BYOVD attacks and implement defense-in-depth strategies that do not rely solely on endpoint protection.
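The driver-allowlisting and driver-load monitoring advice above can be turned into a simple triage rule. The Python script below is an added example, not ESET's research code or anything from the article: it parses constructed Sysmon-style DriverLoad (Event ID 6) records and flags a load when its hash is not on an organizational allowlist, its hash matches a vulnerable-driver block list, its signature is missing or invalid, or the driver was loaded from a user-writable directory. All hashes, file names and log lines are constructed placeholders, and the flat "key=value|..." line layout is an assumption made for the example rather than Sysmon's native XML.

```python
"""Driver-load triage for BYOVD-style activity (added example, not the article's code).

Input is a constructed flattening of Sysmon Event ID 6 fields:
    EventID=6|ImageLoaded=<path>|Hashes=SHA256=<hex>|Signed=<true|false>|SignatureStatus=<status>
Every hash, path and log line here is a placeholder, not a real indicator.
"""
import re
from dataclasses import dataclass

# Allowlist: SHA-256 of drivers the organization has approved (constructed placeholder).
APPROVED_DRIVER_HASHES = {"1" * 64}

# Block list: SHA-256 of drivers known to be vulnerable (constructed placeholder standing in
# for an entry from a maintained vulnerable-driver list).
KNOWN_VULNERABLE_HASHES = {"f" * 64}

# Directories a kernel driver should not normally be loaded from (user-writable locations).
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

LINE_RE = re.compile(
    r"ImageLoaded=(?P<image>[^|]+)\|"
    r"Hashes=SHA256=(?P<sha>[0-9a-fA-F]{64})\|"
    r"Signed=(?P<signed>true|false)\|"
    r"SignatureStatus=(?P<status>[A-Za-z]+)"
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_valid: bool


def parse_line(line: str):
    """Return a DriverLoad for a DriverLoad-style record, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return DriverLoad(
        image=m["image"].strip(),
        sha256=m["sha"].lower(),
        signed=m["signed"] == "true",
        signature_valid=m["status"] == "Valid",
    )


def triage(event: DriverLoad):
    """Return the list of reasons a driver load is suspicious (empty list means clean)."""
    reasons = []
    # Checked first and independently of the allowlist: an approved-but-vulnerable
    # driver is exactly the case BYOVD abuses, so it must still surface for review.
    if event.sha256 in KNOWN_VULNERABLE_HASHES:
        reasons.append("hash matches known-vulnerable driver list")
    if event.sha256 not in APPROVED_DRIVER_HASHES:
        reasons.append("driver hash not on allowlist")
    if not event.signed or not event.signature_valid:
        reasons.append("unsigned or invalid signature")
    if any(d in event.image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    return reasons


def severity(reasons):
    """A known-vulnerable hash is the strongest BYOVD signal; everything else is medium."""
    return "high" if "hash matches known-vulnerable driver list" in reasons else "medium"


def scan(lines):
    """Run triage over raw log lines and return one finding dict per suspicious load."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = triage(ev)
        if reasons:
            findings.append({"image": ev.image, "reasons": reasons, "severity": severity(reasons)})
    return findings


# Constructed sample records: one approved load, one BYOVD-style load of a known-vulnerable
# driver from a user-writable path, one unsigned driver from Temp, and one unrelated event.
SAMPLE_LOG = [
    f"EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\approved.sys|Hashes=SHA256={'1' * 64}|Signed=true|SignatureStatus=Valid",
    f"EventID=6|ImageLoaded=C:\\Users\\Public\\vuln_placeholder.sys|Hashes=SHA256={'f' * 64}|Signed=true|SignatureStatus=Valid",
    f"EventID=6|ImageLoaded=C:\\Windows\\Temp\\unsigned_placeholder.sys|Hashes=SHA256={'2' * 64}|Signed=false|SignatureStatus=Unavailable",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['image']}: {'; '.join(f['reasons'])}")
```

The allowlist check is the primary control, matching the page's recommendation; the block list is a second layer that catches a vulnerable driver that someone has approved in error, which is why it is evaluated regardless of allowlist membership. In production the hash sets would be loaded from the WDAC policy and a maintained vulnerable-driver feed rather than hard-coded.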