Ransomware actors are significantly expanding their tactics for disabling endpoint security, moving beyond the traditional abuse of vulnerable drivers to neutralize defenses before deploying file-encrypting payloads. This evolution, detailed in recent security research, indicates a sophisticated shift in how attackers approach detection evasion, making EDR killers a critical component of modern cyberattacks.
For years, the Bring Your Own Vulnerable Driver (BYOVD) technique was the go-to method for ransomware groups to gain an advantage by disabling security software. However, threat actors are now employing a more diverse arsenal, including script-based tools, the misuse of legitimate anti-rootkit software, and entirely driverless methods to achieve the same goal: silencing protective measures.
Detection Evasion: Where the Real Sophistication Lives
The primary motivation behind this expanded approach to EDR killers is to create a brief but reliable window of opportunity for the ransomware encryptor to operate without interruption. Rather than investing significant time and resources into making encryptors undetectable, attackers find it more efficient to simply destroy the security protections in place. This strategy elevates EDR killers to a central role in almost every contemporary ransomware campaign.
ESET’s telemetry and real-world incident investigations confirm that this trend is accelerating, affecting both large and small ransomware operations. Analysts have identified and tracked approximately 90 EDR killers currently in active use, representing a wide spectrum of ransomware gangs. Of these, 54 are BYOVD-based tools leveraging 35 distinct vulnerable drivers, while 7 are script-based and 15 exploit legitimate anti-rootkit or readily available software.
Furthermore, the research highlights the maturation of the EDR killer landscape into a structured, commercially driven market. These tools are bought, sold, and frequently adapted to target a broad range of security vendors, signifying a professionalization within the cybercrime ecosystem. The consequences for victims are severe, as attacks can now commence with security tools already rendered inoperable.
Prominent ransomware groups such as Akira, Medusa, Qilin, RansomHouse, and DragonForce have all been observed utilizing commercial EDR killers procured from underground marketplaces. One such commercially sold tool, AbyssKiller, which combines the ABYSSWORKER rootkit with a HeartCrypt-packed loader, has emerged as one of the most frequently detected commercial EDR killers in the wild. Another tool, CardSpaceKiller, consistently appears in attacks attributed to Akira, Medusa, and MedusaLocker, often packed using the VX Crypt packer-as-a-service.
Unlike encryptors, whose sole focus is file encryption, EDR killers have become the principal means of evading detection in ransomware operations. Attackers are directing their technical ingenuity towards disrupting security software, recognizing it as a simpler and more dependable approach than attempting to make their encryption payloads stealthy. This division of labor has led to the development of a class of tools that are both potent and accessible, even to adversaries with limited technical expertise.
A common methodology involves separating the EDR killer tool from the driver it exploits, delivering them as independent components. The attacker manually installs the driver first, verifying its successful loading, before executing the EDR killer. This ensures that the attack vector for disabling security is properly established.
Commercial tools frequently employ packers like VX Crypt and HeartCrypt, incorporating structural obfuscation, anti-virtual machine behaviors, and continuous repacking to thwart static detection methods. Code protectors such as VMProtect and Themida are also regularly utilized. Some attackers go further by storing encrypted drivers or shellcode in separate files on disk, thus keeping critical elements hidden from security analysts.
SmilingKiller, a tool observed during LockBit and Dire Wolf intrusions, employs control-flow flattening to obfuscate its code, making analysis more challenging. CardSpaceKiller leverages call-by-hash resolution and string obfuscation, while EDRKillShifter, a tool developed by the now-disbanded RansomHub group, employs password protection for key segments of its code.
The Warlock gang, in particular, has been noted for deploying a multitude of EDR killers during intrusions until one proves effective. Recent samples from this group exhibit code patterns consistent with AI-assisted code generation, suggesting evolving development methodologies. This adaptability underscores the dynamic nature of the threat landscape.
In response to these evolving threats, organizations should view driver blocking as a necessary but insufficient initial defensive measure. Security teams are advised to monitor for suspicious driver installation events and maintain blocklists for known vulnerable drivers. A layered detection strategy, potentially involving a managed detection and response (MDR) provider or an internal Security Operations Center (SOC) team, is crucial for maintaining visibility and response capabilities as attackers adapt in real time.
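As an added illustration of the monitoring advice above (example code written for this page, not ESET's tooling or any detection from the research itself): a small Python checker that runs over Windows System event 7045 (a service was installed) and Sysmon event 6 (driver loaded) records and flags a kernel driver whose SHA256 is on a vulnerable-driver blocklist, whose signature is not valid, or whose image lives in a user-writable directory. The field names follow the real event layouts; the event records, file names and blocklist hashes are constructed placeholders.

```python
"""Flag suspicious kernel-driver installs/loads from Windows event records.

Added example for this page. Events are constructed sample data in the field
layout of Windows System event 7045 and Sysmon event 6; blocklist hashes are
placeholders, not real driver hashes.
"""
from dataclasses import dataclass, field

# Placeholder blocklist keyed by SHA256 (lowercase hex). In practice, load the
# vendor or Microsoft vulnerable-driver block list here instead of hard-coding.
VULNERABLE_DRIVER_SHA256 = {
    "aa" * 32: "placeholder-vulnerable-driver.sys",
}

# Path fragments where a legitimately installed kernel driver is not expected.
USER_WRITABLE_FRAGMENTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Finding:
    utc_time: str
    image: str
    reasons: list = field(default_factory=list)


def parse_sysmon_hashes(hashes_field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def normalise_path(path: str) -> str:
    """Strip the \\??\\ prefix and quotes that service ImagePath values often carry."""
    p = path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def assess_event(ev: dict):
    """Return a Finding for a suspicious driver install/load, else None."""
    reasons = []
    if ev.get("EventID") == 7045:  # Service Control Manager: new service installed
        if ev.get("ServiceType", "").lower() != "kernel mode driver":
            return None  # user-mode services are out of scope for this check
        image = normalise_path(ev.get("ImagePath", ""))
        if any(frag in image for frag in USER_WRITABLE_FRAGMENTS):
            reasons.append("kernel driver service installed from a user-writable path")
    elif ev.get("EventID") == 6:  # Sysmon: DriverLoad
        image = normalise_path(ev.get("ImageLoaded", ""))
        sha256 = parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha256 in VULNERABLE_DRIVER_SHA256:
            reasons.append(f"SHA256 on vulnerable-driver blocklist ({VULNERABLE_DRIVER_SHA256[sha256]})")
        if ev.get("SignatureStatus", "").lower() != "valid":
            reasons.append("driver signature not valid")
        if any(frag in image for frag in USER_WRITABLE_FRAGMENTS):
            reasons.append("driver loaded from a user-writable path")
    else:
        return None
    return Finding(ev.get("UtcTime", ""), image, reasons) if reasons else None


def scan(events: list) -> list:
    """Run every event through assess_event and return the findings in order."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample events: a benign load, a kernel-driver service registered
# from a user-writable directory, then that driver loading with a blocklisted hash.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-01 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\placeholder_legit.sys",
     "Hashes": "SHA256=" + "bb" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7045, "UtcTime": "2024-01-01 10:05:00.000",
     "ServiceName": "placeholderdrv", "ImagePath": "\\??\\C:\\Users\\Public\\placeholder.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 6, "UtcTime": "2024-01-01 10:05:03.000",
     "ImageLoaded": "C:\\Users\\Public\\placeholder.sys",
     "Hashes": "SHA256=" + "AA" * 32, "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.utc_time, f.image, "; ".join(f.reasons))
```

The third sample event is validly signed on purpose: BYOVD drivers are legitimately signed, so a signature check alone never catches them and the hash blocklist does the work. The 7045 record that precedes it is the manual driver installation step described earlier in the article, and is the earliest point at which an alert can fire, before the killer itself runs.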
Restricting high-privilege access and implementing robust network segmentation can significantly reduce the operational windows available to attackers for deploying these tools. Maintaining strong endpoint telemetry is also vital, ensuring that defenders retain visibility into system activities even when individual security layers are compromised.