Cybercriminals Exploit 34 Vulnerable Drivers to Sabotage Security Tools and Enable Ransomware Attacks

Security researchers have identified 54 EDR killers exploiting 34 vulnerable signed drivers via Bring Your Own Vulnerable Driver (BYOVD) attacks, granting kernel access to disable defenses. This surge in BYOVD abuse has become a preferred tactic among ransomware groups leveraging RaaS models.

Technology | By David Park | March 19, 2026 | 4 min read

Last updated: April 4, 2026, 1:07 AM


A sweeping new analysis by cybersecurity firm ESET has exposed the alarming rise of endpoint detection and response (EDR) killers—specialized tools designed to sabotage enterprise security software before ransomware strikes. Researchers discovered that 54 distinct EDR killer programs are actively exploiting at least 34 vulnerable, yet digitally signed, Windows drivers through a tactic known as Bring Your Own Vulnerable Driver (BYOVD). This method grants attackers unrestricted kernel-level access, allowing them to disable antivirus suites, tamper with security callbacks, and neutralize defenses in as little as minutes—paving the way for file-encrypting malware to deploy undetected. The findings, outlined in a comprehensive report by ESET threat researcher Jakub Souček, reveal a rapidly evolving threat landscape where cybercriminals prioritize evasion over stealth, shifting sophisticated defense-evasion techniques to standalone tools rather than the ransomware payloads themselves.

How EDR Killers Are Weaponizing Signed Drivers to Bypass Security

The Mechanics of BYOVD Attacks and Kernel-Level Domination

Bring Your Own Vulnerable Driver (BYOVD) attacks exploit a fundamental trust model in Windows operating systems: digitally signed drivers from reputable vendors, even those with known vulnerabilities, are often allowed to load and execute with elevated privileges. Threat actors abuse this trust by hijacking these legitimate drivers to gain kernel-mode access—termed 'Ring 0'—where code operates with unrestricted access to system memory, CPU instructions, and hardware devices. This privilege escalation enables attackers to terminate critical EDR processes, delete security services, or manipulate kernel callbacks that monitor system activity.

The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0. At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they 'bring' a driver signed by a reputable vendor that has a known vulnerability.

According to Bitdefender’s threat analysis, BYOVD has emerged as a go-to tactic because it reliably evades detection. Most endpoint protection platforms (EPPs) and EDR solutions monitor user-mode activity but rarely inspect kernel-mode drivers for signs of abuse. This blind spot allows even outdated or compromised drivers—such as those bundled with old hardware installations or legacy antivirus software—to be repurposed as attack vectors. ESET’s investigation found that over half of the 54 EDR killers analyzed relied solely on BYOVD, underscoring its effectiveness and low cost in the cybercrime ecosystem.
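The blind spot described above is not just a matter of whether a driver is signed: BYOVD drivers are validly signed, so a useful detection keys on where the driver was loaded from and what happens right after. The following is an added example, not code from ESET or Bitdefender, that runs two simple rules over constructed Sysmon-style telemetry (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate): flag any driver loaded from outside the standard driver directories regardless of signature, and raise an alert when such a load is followed within a short window by the exit of a security agent. The agent names and file paths are hypothetical.

```python
"""Detect BYOVD-style driver loads and correlate them with security-agent exits.
Added example; the telemetry below is constructed, not captured from a real host."""
from datetime import datetime, timedelta

# Directories a production driver is expected to live in. A signed driver
# loaded from anywhere else (user profile, temp, ProgramData) deserves a look.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Hypothetical security-agent process names (not any vendor's real binaries).
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# Constructed sample events: id 6 = DriverLoad, id 5 = ProcessTerminate.
SAMPLE_EVENTS = [
    {"time": "2026-03-19T10:00:00", "id": 6, "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
    {"time": "2026-03-19T10:01:00", "id": 6, "image": r"C:\Users\Public\Music\legitvendor.sys", "signed": True},
    {"time": "2026-03-19T10:01:07", "id": 5, "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"time": "2026-03-19T10:01:08", "id": 5, "image": r"C:\Program Files\AV\av_service.exe"},
    {"time": "2026-03-19T10:30:00", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_driver_loads(events):
    """DriverLoad events whose image sits outside the trusted driver directories.
    A valid signature is deliberately NOT treated as an exclusion."""
    hits = []
    for ev in events:
        if ev["id"] != 6:
            continue
        image = ev["image"].replace("/", "\\").lower()
        if not image.startswith(TRUSTED_DRIVER_DIRS):
            hits.append(ev)
    return hits


def driver_load_followed_by_security_exit(events, window_seconds=60):
    """For each suspicious driver load, list security processes that exited within
    window_seconds afterwards. Returns [(driver_image, [terminated process names])]."""
    alerts = []
    exits = [ev for ev in events
             if ev["id"] == 5 and _basename(ev["image"]) in SECURITY_PROCESSES]
    for load in suspicious_driver_loads(events):
        t0 = _ts(load["time"])
        deadline = t0 + timedelta(seconds=window_seconds)
        killed = [_basename(e["image"]) for e in exits if t0 <= _ts(e["time"]) <= deadline]
        if killed:
            alerts.append((load["image"], killed))
    return alerts


if __name__ == "__main__":
    for drv, procs in driver_load_followed_by_security_exit(SAMPLE_EVENTS):
        print(f"ALERT: {drv} loaded, then {', '.join(procs)} exited within 60s")
```

The path rule alone will produce some noise (installers occasionally stage drivers in odd places), which is why the second function ties the load to a security-process exit before escalating; in production the window and the process list would come from the EDR product actually deployed.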

Why Ransomware Groups Favor EDR Killers Over Stealthy Payloads

Ransomware operations, particularly those operating under ransomware-as-a-service (RaaS) models, face a persistent challenge: every new build of their encryptor must evade detection by security vendors. As Jakub Souček explained in his report, ransomware encryptors are inherently noisy because they must rapidly encrypt thousands of files across a network. This activity generates detectable signatures that antivirus engines quickly flag. To solve this problem, many RaaS affiliates and closed ransomware groups have outsourced the task of disabling defenses to specialized EDR killers.

Ransomware gangs, especially those with ransomware-as-a-service programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming. More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.

By decoupling the defense-disabling function from the ransomware payload, attackers can keep their encryptors simple, stable, and easily rebuilt. This modular approach enables affiliates to focus on maximizing encryption speed and coverage rather than obfuscation. Reynolds ransomware, for instance, has been observed integrating both EDR termination and file encryption into a single binary, though such cases remain less common due to increased complexity and maintenance overhead.

The Four Categories of EDR Killers and How They Operate

  • BYOVD-based EDR killers that abuse signed vulnerable drivers to gain kernel access and disable security tools.
  • Script-based tools using built-in commands like taskkill and net stop to terminate security processes without elevated privileges.
  • Anti-rootkits such as GMER, HRSword, and PC Hunter, which provide GUI-based tools to kill protected security services.
  • Driverless EDR killers like EDRSilencer and EDR-Freeze, which disrupt EDR functionality by blocking outbound traffic or inducing a 'coma' state.

ESET’s analysis categorizes EDR killers into four distinct types, each with unique operational trade-offs. The most prevalent are BYOVD-based tools, favored for their reliability and stealth. These include commercial-grade utilities marketed on underground forums under names like DemoKiller (also known as Бафомет), ABYSSWORKER, and CardSpaceKiller. These tools are often sold as services, allowing even low-skilled affiliates to purchase pre-built utilities for disabling corporate defenses.

Scripting and Safe Mode: Noisy but Effective in Targeted Attacks

Not all EDR killers rely on driver exploits. Some threat actors employ script-based tools that leverage native Windows commands—such as taskkill to terminate processes, net stop to halt services, or sc delete to remove security software entirely. These scripts are frequently delivered via phishing emails or trojanized installers and can be highly effective in environments with weak application control policies. A more aggressive variant combines scripting with forced reboots into Windows Safe Mode.

Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection. At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild.

While Safe Mode attacks are loud and detectable, they remain a viable tactic in targeted intrusions where attackers have prior knowledge of the target environment. The reboot requirement makes them less suitable for opportunistic campaigns but effective in highly coordinated attacks against specific enterprises.
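Because the script-based variant uses only built-in commands, it is best caught from process-creation telemetry (Windows Event ID 4688 or Sysmon Event ID 1 command lines). The following is an added example, not part of the article or ESET's report, that classifies constructed command lines: taskkill, net stop and sc delete/stop are flagged only when their target is one of the organization's security processes or services, while a bcdedit change that sets safeboot is flagged unconditionally since it matches the forced Safe Mode reboot described above. The security process and service names are hypothetical placeholders.

```python
"""Classify process-creation command lines that match script-based EDR killer
behaviour. Added example; the command lines below are constructed."""
import re

# Hypothetical names of the security processes/services worth protecting.
SECURITY_TARGETS = {"edr_agent.exe", "edr_agent", "av_service", "av service"}

# Each rule captures the target of the command so we can check it against the list.
RULES = [
    ("taskkill", re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\"]+)", re.I)),
    ("net stop", re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\"]+?)\"?\s*$", re.I)),
    ("sc delete/stop", re.compile(r"\bsc(?:\.exe)?\s+(?:delete|stop)\s+\"?([^\s\"]+)", re.I)),
]
# Any boot-configuration change that enables Safe Mode is suspicious on its own.
SAFEBOOT = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)

# Constructed sample events (host, command line).
SAMPLE_EVENTS = [
    ("ws01", 'taskkill /F /IM edr_agent.exe'),
    ("ws01", 'net stop "AV Service"'),
    ("ws01", 'sc delete av_service'),
    ("ws01", 'bcdedit /set {default} safeboot minimal'),
    ("ws02", 'net stop spooler'),            # admin stopping the print spooler: benign
    ("ws02", 'taskkill /F /IM notepad.exe'), # not a security target: benign
]


def classify(cmd):
    """Return (rule_name, target) when cmd matches a killer pattern, else None."""
    if SAFEBOOT.search(cmd):
        return ("safe-mode-reboot", None)
    for name, rx in RULES:
        m = rx.search(cmd)
        if m:
            target = m.group(1).strip().lower()
            if target in SECURITY_TARGETS:
                return (name, target)
    return None


def detect(events):
    """All (host, rule_name, target) hits across the events."""
    hits = []
    for host, cmd in events:
        result = classify(cmd)
        if result:
            hits.append((host, result[0], result[1]))
    return hits


def hosts_to_escalate(events, threshold=2):
    """Hosts with at least `threshold` distinct hits: one stopped service may be
    maintenance, several in a row is the script-based killer pattern."""
    counts = {}
    for host, rule, target in detect(events):
        counts.setdefault(host, set()).add((rule, target))
    return sorted(h for h, s in counts.items() if len(s) >= threshold)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("HIT", hit)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

The per-host threshold is the important design choice: a single `net stop` of a security service is something an administrator does during maintenance, whereas a burst of terminations across several security targets on one host within a short span is the behaviour this category of tool produces.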

Anti-Rootkits and Coma-State Tools: Silent Sabotage from Legitimate Utilities

A third category includes legitimate anti-rootkit utilities repurposed for malicious intent. Tools like GMER, HRSword, and PC Hunter were originally designed to detect and remove rootkits but now appear in attack chains to terminate protected security services through their graphical interfaces. These tools offer an intuitive way for attackers to disable endpoint protection without writing code, making them accessible even to unsophisticated actors.

Emerging in the past year are driverless EDR killers such as EDRSilencer and EDR-Freeze. These tools do not attempt to kill processes directly. Instead, they block outbound network traffic from EDR solutions or trigger a frozen, unresponsive state—essentially putting security software into a 'coma.' This approach avoids triggering process termination alerts while still rendering the EDR blind to subsequent malicious activity.

Who Uses EDR Killers? The Criminal Ecosystem Behind the Threats

The development and deployment of EDR killers span a diverse criminal ecosystem. Closed ransomware groups operating without affiliate networks—such as DeadLock and Warlock—have been observed integrating or commissioning EDR killers to streamline their operations. These groups prioritize speed and reliability over stealth, often running EDR killers minutes before encryption begins.

Meanwhile, cybercriminals with technical skills are forking and modifying existing proof-of-concept (PoC) tools like SmilingKiller and TfSysMon-Killer, releasing customized variants that target specific EDR products. These tweaked tools are then shared in underground communities or sold on dark web marketplaces.

The commercialization of EDR killers is perhaps the most concerning trend. Platforms and services such as DemoKiller (also known as Бафомет), ABYSSWORKER, and CardSpaceKiller are openly marketed as 'EDR termination utilities' with pricing tiers based on features and support. Some services even provide customer support and regular updates, reflecting a disturbing maturation of the cybercrime supply chain.

Why Organizations Must Adopt Layered Defenses to Thwart EDR Killers

The rise of EDR killers underscores a critical vulnerability in modern cybersecurity architectures: defenses designed to detect malware often fail to monitor their own disablers. Because EDR killers are executed just before the ransomware payload—typically in the final stage of an attack—they represent a blind spot in detection strategies. If an organization fails to block or detect an EDR killer at this stage, the threat actor can simply switch to an alternative tool or method, such as a different vulnerable driver or a script-based approach.

To mitigate this risk, organizations must adopt a layered defense strategy that spans the entire attack lifecycle. This includes pre-execution controls such as driver signature enforcement, application allowlisting, and behavioral monitoring to flag suspicious kernel activity. Post-execution detection relies on network monitoring to identify outbound traffic from EDR processes or unusual service disruptions.

Blocking Vulnerable Drivers: A Necessary but Insufficient Defense

One immediate mitigation is to block known vulnerable drivers from loading. Microsoft and security vendors maintain lists of drivers with known vulnerabilities that should be restricted. However, as ESET notes, this defense is reactive and incomplete. Attackers constantly rotate drivers or exploit zero-day vulnerabilities in signed software, making driver blocking a moving target. Moreover, EDR killers are modular—they can be replaced with script-based tools or anti-rootkits if driver-based methods fail.
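The "moving target" point above is easy to see when a driver inventory is run through a blocklist. The following added example (not ESET's or Microsoft's code, and using a deliberately simplified rule model rather than any vendor's policy syntax) evaluates a constructed inventory against two kinds of deny rule, by file hash and by file name up to a maximum version. A rebuilt copy of a listed driver is still caught by the name rule, but a freshly rotated driver from another vendor sails through; pairing the blocklist with an allowlist of the drivers the fleet is expected to run is what surfaces that gap. All hashes, names and versions are placeholders.

```python
"""Evaluate a driver inventory against a vulnerable-driver blocklist and an
expected-driver allowlist. Added example with constructed, placeholder data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Driver:
    name: str          # file name as loaded
    sha256: str        # hex digest of the file (placeholder values below)
    version: tuple     # (major, minor, build, revision)


@dataclass(frozen=True)
class DenyRule:
    # kind "hash": value is a SHA-256 digest.
    # kind "name": value is a file name; every version <= max_version is denied.
    # Simplified model for illustration, not the syntax of any real policy format.
    kind: str
    value: str
    max_version: Optional[tuple] = None


# Constructed blocklist: one hash rule, one name-and-version rule.
BLOCKLIST = [
    DenyRule("hash", "aaaa" * 16),
    DenyRule("name", "legitvendor.sys", (3, 2, 0, 0)),
]

# Constructed allowlist of drivers this fleet is expected to load.
EXPECTED_DRIVERS = {"tcpip.sys", "legitvendor.sys"}

# Constructed inventory of drivers observed on endpoints.
INVENTORY = [
    Driver("legitvendor.sys", "aaaa" * 16, (3, 1, 0, 0)),  # known-bad build, hash listed
    Driver("legitvendor.sys", "bbbb" * 16, (3, 2, 0, 0)),  # rebuilt, new hash, still old version
    Driver("legitvendor.sys", "cccc" * 16, (3, 3, 0, 0)),  # patched release
    Driver("othervendor.sys", "dddd" * 16, (1, 0, 0, 0)),  # rotated-in driver nobody has listed yet
    Driver("tcpip.sys", "eeee" * 16, (10, 0, 0, 0)),
]


def is_blocked(drv, rules=BLOCKLIST):
    """True if any deny rule matches the driver."""
    for r in rules:
        if r.kind == "hash" and drv.sha256.lower() == r.value.lower():
            return True
        if (r.kind == "name" and drv.name.lower() == r.value.lower()
                and r.max_version is not None and drv.version <= r.max_version):
            return True
    return False


def evaluate(inventory, rules=BLOCKLIST):
    """Map (name, sha256) to 'blocked' or 'allowed' under the blocklist alone."""
    return {(d.name, d.sha256): ("blocked" if is_blocked(d, rules) else "allowed")
            for d in inventory}


def unexpected_allowed(inventory, rules=BLOCKLIST, expected=EXPECTED_DRIVERS):
    """Drivers the blocklist lets through that are not on the expected-driver
    allowlist: the gap a blocklist-only policy leaves open."""
    return [d for d in inventory
            if not is_blocked(d, rules) and d.name.lower() not in expected]


if __name__ == "__main__":
    for key, verdict in evaluate(INVENTORY).items():
        print(f"{key[0]:18} {key[1][:8]}... {verdict}")
    print("allowed but unexpected:", [d.name for d in unexpected_allowed(INVENTORY)])
```

Read together, the two verdict lists make the layered argument concrete: the blocklist handles drivers already known to be bad, while the allowlist (or, failing that, the driver-load telemetry rules discussed earlier) is what catches the driver that has not yet made it onto anyone's list.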

The Broader Implications: A Shift in Cybercrime Tactics Toward Evasion

The widespread adoption of EDR killers signals a broader shift in ransomware and cybercrime strategies. Rather than investing in highly sophisticated, undetectable ransomware, threat actors are focusing their innovation on tools that disable defenses first. This decoupling reduces the complexity of ransomware development and allows affiliates to operate more efficiently. As Jakub Souček observed, 'Attackers aren’t putting much effort into making their encryptors undetected. Rather, all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers.'

This evolution reflects the commodification of cybercrime, where specialized tools and services are traded like commodities on underground forums. It also highlights the increasing professionalization of ransomware operations, which now resemble legitimate software development cycles with regular updates, customer support, and modular design.

Key Takeaways: What Every CISO and Security Team Needs to Know

  • 54 distinct EDR killer tools are actively exploiting 34 vulnerable, signed drivers via BYOVD attacks to gain kernel-level control and disable security defenses.
  • Ransomware groups, especially RaaS affiliates, use EDR killers to neutralize detection before deploying file-encrypting malware, reducing the need for stealthy payloads.
  • EDR killers fall into four categories: BYOVD-based tools, script-based utilities, anti-rootkit software, and driverless 'coma-state' disruptors like EDRSilencer.
  • Commercial EDR killers are now sold as services on underground forums, reflecting a mature and professionalized cybercrime supply chain.
  • Layered defense strategies—including driver restriction, behavioral monitoring, and network traffic analysis—are essential to detect and prevent EDR killer deployments.

Frequently Asked Questions

What is an EDR killer?
An EDR killer is a malicious tool or utility designed to disable endpoint detection and response (EDR) software, antivirus suites, or other security defenses before launching a ransomware attack or other malicious payload. These tools often operate by terminating processes, deleting services, or exploiting kernel vulnerabilities.
How do BYOVD attacks work in cybersecurity?
Bring Your Own Vulnerable Driver (BYOVD) attacks involve exploiting legitimate but vulnerable drivers that have been digitally signed by trusted vendors. Attackers use these drivers to gain kernel-level access (Ring 0), where they can disable security tools and manipulate system functions with near-total control over the operating system.
Can organizations effectively block EDR killers using driver restrictions?
While blocking known vulnerable drivers is a necessary step, it is not sufficient alone. Attackers can quickly switch to alternative methods such as script-based tools or anti-rootkits. A layered defense strategy combining driver restrictions, behavioral monitoring, and application control is required to detect and prevent EDR killer deployments across all attack stages.
David Park

Technology Editor

David Park covers the tech industry, startups, and digital innovation for the Journal American. Based in Silicon Valley for over a decade, he has tracked the rise of major tech companies and emerging platforms from their earliest stages. He holds a degree in Computer Science from Stanford University.