A recent investigation into endpoint detection and response (EDR) killers found that 54 of these tools rely on a technique known as bring your own vulnerable driver (BYOVD), abusing 34 distinct vulnerable drivers between them to get past security software. EDR killers have become a staple of ransomware attacks: they give attackers a way to disable security measures before the file-encrypting payload runs, so the encryption itself is not caught.
Understanding How EDR Killers Operate
Ransomware groups, particularly those operating on a ransomware-as-a-service (RaaS) model, update their encryptors frequently, and keeping each new build undetectable is time-consuming. According to ESET researcher Jakub Souček, encryptors are inherently conspicuous because they must modify a large number of files very quickly. Rather than fight that, operators use an EDR killer to deactivate security features first and only then launch the ransomware, which keeps the process simple and efficient.
Most EDR killers abuse legitimate but vulnerable signed drivers to obtain elevated privileges. Of the nearly 90 EDR killer tools identified by the Slovak cybersecurity firm, more than half use the BYOVD tactic because it is reliable. As Bitdefender explains, the goal of such an attack is kernel-mode privilege, which gives unrestricted access to system memory and hardware.
Types of Threat Actors Utilizing EDR Killers
Threat actors leveraging BYOVD-based EDR killers are classified into three categories: closed ransomware groups like DeadLock, those modifying existing proof-of-concept codes such as SmilingKiller, and cybercriminals selling these tools on underground markets, including DemoKiller and ABYSSWORKER. These actors can disable security processes, tamper with kernel callbacks, and undermine endpoint protections, exploiting the trust in legitimate signed drivers.
Moreover, some script-based tools use built-in administrative commands to interfere with security processes, while others combine scripting with Windows Safe Mode to enhance their chances of disabling protection. However, this approach is risky due to the required system reboot, which is often unreliable in unknown environments.
Emerging Trends and Defensive Strategies
EDR killers are evolving, with new variants like driverless EDR killers blocking outbound traffic from EDR solutions, effectively putting them into a dormant state. Attackers focus more on sophisticated user-mode evasion techniques rather than making encryptors undetectable. This trend is particularly evident in commercial EDR killers, featuring advanced anti-analysis capabilities.
To counter these threats, it is crucial to block commonly abused drivers from loading, since this stops the EDR killer before it can execute. However, because these tools are used in the final stage of an attack, attackers can simply switch to an alternative driver or tool if one is blocked. Organizations therefore need layered defenses and detection that cover the whole attack lifecycle rather than a single blocking control.
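A driver blocklist is only useful if driver loads are actually observed and compared against it. The following script, added here as an illustration and not part of the ESET or Bitdefender research, triages Sysmon Event ID 6 (DriverLoad) records against a blocklist and flags loads from user-writable paths or without a valid signature. The flattened `Key=Value; Key=Value` record format, the blocklist entries, the hashes and the driver file names are all constructed for the example; a real deployment would populate the blocklist from a published vulnerable-driver list (for example Microsoft's recommended driver block rules) and read events from the Sysmon channel.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records against a vulnerable-driver blocklist.

Added example. Assumptions: each record is one line of 'Key=Value; Key=Value'
fields as Sysmon emits them for Event ID 6 (ImageLoaded, Hashes, Signed,
Signature, SignatureStatus). Blocklist entries, hashes and file names below
are constructed placeholders, not real driver data.
"""
from typing import Dict, List, Tuple

# Constructed blocklist (placeholder values). Match on image hash first, then on
# file name, because BYOVD drivers are usually dropped under a renamed file.
BLOCKED_SHA256 = {
    "0" * 63 + "1": "placeholder-vulnerable-driver-A",
}
BLOCKED_FILENAMES = {"vulndrv_placeholder.sys"}

# A legitimately installed kernel driver normally lives under System32\drivers.
# A load from a user-writable directory is a strong BYOVD indicator.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened record of the form 'Key=Value; Key=Value'."""
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; return {ALGO: lowercase hex}."""
    out: Dict[str, str] = {}
    for item in hashes.split(","):
        algo, sep, digest = item.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage_driver_load(line: str) -> Tuple[str, List[str]]:
    """Return (image path, list of reasons) for one DriverLoad record."""
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "")
    filename = image.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []

    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append(f"hash on blocklist ({BLOCKED_SHA256[sha256]})")
    if filename in BLOCKED_FILENAMES:
        reasons.append("file name on blocklist")
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    # Note: a valid signature does NOT clear a driver; BYOVD drivers are by
    # definition validly signed. This check only catches the cruder cases.
    signed_ok = ev.get("Signed", "").lower() == "true"
    status_ok = ev.get("SignatureStatus", "").lower() == "valid"
    if not (signed_ok and status_ok):
        reasons.append("signature missing or not valid")
    return image, reasons


def triage_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the driver loads that need attention, each with its reasons."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        image, reasons = triage_driver_load(line)
        if reasons:
            findings.append((image, reasons))
    return findings


# Constructed sample events (placeholder hashes, names and signers).
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 10:00:00.000; ImageLoaded=C:\\Windows\\System32\\drivers\\benign_example.sys; "
    "Hashes=SHA256=" + "a" * 64 + "; Signed=true; Signature=Example OS Vendor; SignatureStatus=Valid",
    "UtcTime=2024-01-01 10:05:00.000; ImageLoaded=C:\\Windows\\Temp\\drv.sys; "
    "Hashes=SHA256=" + "0" * 63 + "1" + ",MD5=" + "b" * 32 + "; Signed=true; Signature=Example Vendor; SignatureStatus=Valid",
    "UtcTime=2024-01-01 10:06:00.000; ImageLoaded=C:\\Users\\Public\\vulndrv_placeholder.sys; "
    "Hashes=SHA256=" + "c" * 64 + "; Signed=true; Signature=Example Vendor; SignatureStatus=Valid",
    "UtcTime=2024-01-01 10:07:00.000; ImageLoaded=C:\\Windows\\System32\\drivers\\tool.sys; "
    "Hashes=SHA256=" + "d" * 64 + "; Signed=false; Signature=; SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, reasons in triage_log(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

The hash match is the high-confidence signal; the path and signature checks are supporting context that helps an analyst prioritize, and the comment in the code spells out why a valid signature must never be treated as clearing a driver. The same matching logic applies to Windows System event 7045 (new kernel service installed) if Sysmon is not deployed.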
The persistence of EDR killers is attributed to their cost-effectiveness, reliability, and separation from the encryptors, making them ideal for both developers and affiliates seeking to disrupt security defenses before encryption, as noted by ESET.
