Diving into the evolving ecosystem of EDR killers by ESET
📊 Analytics | 2026-03-27, 15:07
Researchers from ESET analyzed 90 actively used EDR killers, tools whose purpose is to disable antivirus and EDR products. These utilities have become especially popular with ransomware operators for one simple reason: they let operators avoid spending resources on building evasion mechanisms into the encryptors themselves.
Ransomware developers no longer need to invest effort in stealth, while affiliates get a simple and reliable tool that makes attacks more deterministic: first disable the defenses, then encrypt the data. As a result, encryptors increasingly ship without detection-evasion features, and the advanced evasion techniques are concentrated in the EDR killers instead.
The spread of commercial EDR killers has lowered the barrier to entry for threat actors and raised the question of how to track such attacks. Experts warn that although most of these tools rely on vulnerable drivers (the BYOVD technique), focusing solely on the drivers is risky and may lead to misattribution, for the following reasons:
🔻 Specifics of the RaaS model. Operators provide the ransomware and the infrastructure, while affiliates choose their own EDR killer, which is not directly tied to the RaaS group.
🔻 Driver reuse. The same vulnerable driver can be used by multiple tools derived from publicly available PoCs, and the tools themselves often switch the driver they exploit over time.
🔻 Different techniques used by EDR killers. Their arsenal extends beyond BYOVD: legitimate anti-rootkit utilities can be repurposed as EDR killers, and some newer tools no longer rely on kernel-level code execution at all, instead targeting specific critical functions.
The use of EDR killers is no longer a niche tactic but a standard step before deploying the malicious payload. Given the factors above, however, defensive measures focused solely on blocking drivers are considered insufficient: they may stop a specific tool, but only at the final stage, when the attacker already holds elevated privileges and is one step away from launching the encryptor. If that attempt fails, another EDR killer, or a tool that does not depend on vulnerable drivers at all, can be used instead. Defensive focus should therefore shift to the earlier stages of the compromise.
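To make the point about the limits of driver blocking concrete, the following Python sketch is an added example (an editor's illustration, not ESET's code and not anything from the report the article summarizes). It runs three detection rules over constructed telemetry: a driver hash blocklist, a behavioural rule keyed on where a driver was loaded from and what died right after, and a driver-independent rule on who ended the security product's processes. Every hash, path, host name and process name in it is a hypothetical placeholder.

```python
"""Added example (not ESET's tooling or the article's own code).

Three detection rules over constructed telemetry, showing why a driver hash
blocklist is a final-stage control and what hash-agnostic and driver-independent
rules add. All hashes, paths, hosts and process names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical driver hashes (placeholders, not real drivers).
HASH_A = "a" * 64  # known vulnerable driver, on the blocklist
HASH_B = "b" * 64  # second vulnerable driver, not yet blocklisted
HASH_C = "c" * 64  # benign vendor driver
BLOCKED_DRIVER_HASHES = {HASH_A: "hypothetical vulnerable driver A"}

# Hypothetical security-product processes and the only actors expected to stop them.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
ALLOWED_TERMINATORS = {"services.exe", "edr_updater.exe"}

# A kernel driver loaded from a user-writable directory is unusual whatever its hash.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Event:
    ts: datetime
    kind: str          # "driver_load" or "process_terminate"
    host: str
    actor: str = ""    # process that loaded the driver or ended the target
    path: str = ""     # driver image path (driver_load only)
    sha256: str = ""   # driver image hash (driver_load only)
    target: str = ""   # terminated process name (process_terminate only)


def blocklist_alerts(events):
    """Final-stage control: loads of drivers whose hash is on the blocklist."""
    return [(e.ts, e.host, BLOCKED_DRIVER_HASHES[e.sha256])
            for e in events
            if e.kind == "driver_load" and e.sha256 in BLOCKED_DRIVER_HASHES]


def behavioural_alerts(events, window=timedelta(minutes=5)):
    """Hash-agnostic rule: a driver loaded from a user-writable directory, followed
    within `window` on the same host by termination of a protected process."""
    loads = [e for e in events if e.kind == "driver_load"
             and e.path.lower().startswith(USER_WRITABLE_PREFIXES)]
    kills = [e for e in events if e.kind == "process_terminate"
             and e.target.lower() in PROTECTED_PROCESSES]
    return [(ld.ts, ld.host, ld.sha256, k.target)
            for ld in loads for k in kills
            if k.host == ld.host and ld.ts <= k.ts <= ld.ts + window]


def protected_termination_alerts(events):
    """Driver-independent rule: a protected process ended by an unexpected actor."""
    return [(e.ts, e.host, e.actor, e.target)
            for e in events
            if e.kind == "process_terminate"
            and e.target.lower() in PROTECTED_PROCESSES
            and e.actor.lower() not in ALLOWED_TERMINATORS]


# Constructed telemetry: four hosts, three of them under attack.
T0 = datetime(2026, 3, 27, 12, 0, 0)
EVENTS = [
    # host-1: killer using blocklisted driver A, dropped in a user profile directory.
    Event(T0, "driver_load", "host-1", actor="killer.exe",
          path=r"C:\Users\Public\drv_a.sys", sha256=HASH_A),
    Event(T0 + timedelta(seconds=40), "process_terminate", "host-1",
          actor="killer.exe", target="edr_agent.exe"),
    # host-2: the same kind of tool after switching to driver B, not on the blocklist.
    Event(T0 + timedelta(minutes=10), "driver_load", "host-2", actor="update.exe",
          path=r"C:\Windows\Temp\drv_b.sys", sha256=HASH_B),
    Event(T0 + timedelta(minutes=11), "process_terminate", "host-2",
          actor="update.exe", target="av_service.exe"),
    # host-3: user-mode killer that never loads a driver.
    Event(T0 + timedelta(minutes=20), "process_terminate", "host-3",
          actor="svc_helper.exe", target="edr_agent.exe"),
    # host-4: benign vendor driver installed from the system driver store.
    Event(T0 + timedelta(minutes=30), "driver_load", "host-4", actor="msiexec.exe",
          path=r"C:\Windows\System32\drivers\vendor.sys", sha256=HASH_C),
]


def coverage(events):
    """Hosts each rule fires on, so the three controls can be compared."""
    return {
        "blocklist": sorted({a[1] for a in blocklist_alerts(events)}),
        "behavioural": sorted({a[1] for a in behavioural_alerts(events)}),
        "termination": sorted({a[1] for a in protected_termination_alerts(events)}),
    }


if __name__ == "__main__":
    for rule, hosts in coverage(EVENTS).items():
        print(f"{rule:12s} -> {hosts}")
```

Running it shows the blocklist firing only on host-1, where the known driver A was used; the behavioural rule also catches host-2, where the tool switched to an unlisted driver B; and only the rule that ignores drivers altogether also sees host-3, the user-mode killer. In a real deployment the driver-load events would come from Sysmon event ID 6 or equivalent EDR telemetry and the termination events from process tracking, but the shape of the gap is the same as in the constructed data.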