Current Cyber Threats

EDR Killers Explained: Beyond the Drivers

Summary:
EDR killers have become one of the most commonly seen tools in modern ransomware intrusions, with attackers acquiring high privileges, deploying such tools to disrupt endpoint protection, and only then launching an encryptor.

ESET Research published a comprehensive analysis today grounded in telemetry and incident investigations covering nearly 90 EDR killers actively observed in the wild, with 54 classified as Bring Your Own Vulnerable Driver (BYOVD)-based tools abusing 35 distinct drivers, 7 as script-based, and 15 as abused anti-rootkit utilities.

The research identifies three primary classes of threat actors:
  • Closed non-RaaS groups that develop proprietary tools (e.g., Warlock, DeadLock, Embargo).
  • Affiliates who fork and lightly modify publicly available proof-of-concept code.
  • Actors purchasing commercial offerings via underground marketplaces.
Notable commercial EDR killers include DemoKiller (used by Qilin, Akira, and Gentlemen affiliates), AbyssKiller (used against Medusa, DragonForce, and BlackSuit victims), and CardSpaceKiller (observed in Akira, Medusa, Qilin, Crytox, and MedusaLocker incidents).

A key finding challenges conventional attribution methodology: the same vulnerable driver routinely appears across unrelated codebases, and the same EDR killer frequently migrates between drivers over time, meaning driver-based attribution to specific threat groups is often misleading.

ESET researchers also assess that at least some recently observed EDR killers exhibit strong indicators of AI-assisted development, citing a Warlock-deployed tool containing AI-characteristic boilerplate and a trial-and-error driver selection mechanism as a concrete example.

The research additionally documents a growing class of driverless EDR killers, such as EDRSilencer and EDR-Freeze, that block EDR communications or suspend processes entirely without interacting with the kernel.

Security Officer Comments:
The proliferation and commercialization of EDR killers represent a structural shift in ransomware operational tradecraft that directly threatens the efficacy of endpoint security investments across all sectors. Because EDR killers rely on legitimate but vulnerable drivers, they offer kernel-level impact with minimal development effort, and defenders cannot simply block those drivers without risking disruption of the legacy or enterprise software that depends on them, which makes defense significantly more complicated.

The EDR-killer-as-a-product model dramatically lowers the barrier to entry. Affiliates with limited technical capability can now acquire hardened, obfuscation-packed tools with mature anti-analysis features through underground marketplaces for hundreds to thousands of dollars, while larger RaaS affiliate pools produce increasing tooling diversity that complicates pattern-based detection and attribution.

The emergence of AI-assisted EDR killer development signals a potential acceleration in the volume and variety of novel tools, compressing the window between PoC publication and weaponized deployment. Organizations relying solely on vulnerable driver blocklists face an increasingly unreliable defensive posture, as demonstrated by threat actors generating over 2,500 validly signed Truesight[.]sys variants.

Suggested Corrections:
Organizations should implement a prevention-first, multilayered strategy aimed at disrupting EDR killers before execution rather than solely relying on driver blocking at the final moment before encryptor launch.

  • Practically, this means maintaining a current vulnerable driver blocklist (referencing resources such as the LOLDrivers project and Microsoft's recommended block rules) as a necessary but insufficient control, pairing it with behavioral detection rules targeting the privilege escalation, service creation, and process termination patterns common across EDR killer classes.
  • EDR and XDR telemetry should be tuned to alert on the loading of known vulnerable drivers, use of administrative utilities like taskkill and sc delete against security product processes, and anomalous Safe Mode reboot registrations.
  • For the growing driverless threat category, network-level telemetry should monitor for interruptions in EDR-to-backend communications consistent with tools like EDRSilencer.
  • Organizations should also ensure SOC or MDR capabilities are positioned to act on EDR killer deployment detections in real time, as the window between tool execution and encryptor launch is measured in seconds.
  • IoCs and samples for all named tools are available in ESET's public GitHub repository at github.com/eset/malware-ioc/tree/master/edr_killers.
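To illustrate the behavioral rules suggested above, here is an added example (not part of the ESET report or this page) that runs a few of them over constructed endpoint events: taskkill and sc delete aimed at security-product processes, Safe Mode reboot registration via bcdedit, and vulnerable-driver loads matched by hash and, as a fallback for re-signed variants with new hashes, by driver file name. The protected process/service names, the driver hash placeholder, and the event schema are all assumptions for the example.

```python
import re

# Assumed placeholders: a real deployment would use its own EDR vendor's process
# and service names, and a hash list fed from LOLDrivers / Microsoft block rules.
PROTECTED_PROCESSES = {"msmpeng.exe", "edragent.exe"}
PROTECTED_SERVICES = {"windefend", "edragent"}
VULN_DRIVER_HASHES = {"<placeholder-sha256-of-a-known-bad-truesight-build>"}
VULN_DRIVER_NAMES = {"truesight.sys"}  # name match survives re-signed variants

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\s.*?/im\s+(\S+)", re.I)
SC_DELETE_RE = re.compile(r"\bsc(?:\.exe)?\s+delete\s+(\S+)", re.I)
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\s.*?safeboot\s+(minimal|network)", re.I)

def evaluate(event):
    """Return alert names for one event dict; an empty list means nothing fired."""
    alerts = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        m = TASKKILL_RE.search(cmd)
        if m and m.group(1).lower() in PROTECTED_PROCESSES:
            alerts.append("taskkill_against_security_process")
        m = SC_DELETE_RE.search(cmd)
        if m and m.group(1).lower() in PROTECTED_SERVICES:
            alerts.append("sc_delete_security_service")
        if SAFEBOOT_RE.search(cmd):
            alerts.append("safe_mode_reboot_registration")
    elif event["type"] == "driver_load":
        name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if event["sha256"].lower() in VULN_DRIVER_HASHES:
            alerts.append("vulnerable_driver_hash_match")
        elif name in VULN_DRIVER_NAMES:  # new hash, same driver: a hash-only blocklist misses it
            alerts.append("vulnerable_driver_name_match")
    return alerts

def scan(events):
    """Run every event through the rules and return (event id, alert) pairs."""
    return [(e["id"], a) for e in events for a in evaluate(e)]

# Constructed sample telemetry (not real logs), ordered as an EDR killer might act.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "cmdline": "taskkill /F /IM notepad.exe"},
    {"id": 2, "type": "driver_load", "image": r"C:\Windows\Temp\truesight.sys",
     "sha256": "00" * 32},  # constructed hash: not on the blocklist
    {"id": 3, "type": "process", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"id": 4, "type": "process", "cmdline": "sc.exe delete WinDefend"},
    {"id": 5, "type": "process", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"id": 6, "type": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys",
     "sha256": "ff" * 32},
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 2 through 5 and leaves the benign taskkill and the ntfs.sys load alone; note that event 2 is caught only by the name rule, which is the gap a hash-only blocklist leaves against the signed variants the text describes.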
Link(s):
https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/