Cybersecurity is facing a new wave of challenges as ransomware perpetrators increasingly employ advanced Endpoint Detection and Response (EDR) killers. According to ESET Research, these tools have evolved beyond traditional methods and now include driverless techniques, custom scripts, and repurposed anti-rootkit utilities to evade security measures.
Emergence of Advanced EDR Techniques
While the Bring Your Own Vulnerable Driver (BYOVD) strategy remains prevalent, attackers are diversifying their approach. The use of driverless methods and legitimate software to deactivate security systems is becoming more common. This shift allows cybercriminals to bypass defenses without the need for constant updates to their ransomware encryptors.
EDR killers offer a cost-effective and reliable means for attackers to disable security systems, creating an opportunity to execute their malware undetected. ESET’s findings highlight that ransomware affiliates, rather than the core operators, often select the specific EDR killer tools, leading to a diverse array of tactics in the cybercrime ecosystem.
Diverse Tools and Techniques
The research identifies nearly 90 EDR killers in active use, a significant number of which exploit vulnerable drivers. Some attackers, however, prefer simpler methods such as command-line scripts or booting into Windows Safe Mode. Others repurpose legitimate anti-rootkit tools such as GMER and PC Hunter, originally designed to remove malware but now used to terminate security processes because of the elevated privileges those tools carry.
An emerging trend is the use of driverless EDR killers, such as EDRSilencer and EDR-Freeze, which cut off a security product's network communications or freeze its processes without loading any code into the kernel. Because no vulnerable driver is involved, they are harder for defenders to detect and counter.
Impact on Cybersecurity Defense
ESET categorizes the developers of these tools into three groups: closed groups creating proprietary software, attackers modifying publicly available code, and commercial offerings on the dark web. This commercialization presents a significant challenge for cybersecurity professionals, as the tools are widely distributed and used across different attacks.
As the market for EDR killers matures, organizations are urged to focus on identifying behavioral signs of tampering rather than solely relying on tracking specific vulnerable drivers. This shift in strategy is crucial to counteract the sophisticated and varied techniques employed by ransomware actors.
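One way to act on that recommendation, as an added illustration that is not part of ESET's research or this article: a small triage routine over constructed Windows Security, System and Sysmon events that flags the behaviours described above (a driver loaded from an unusual path, a Safe Mode boot reconfiguration, a protected security service stopped, a new Windows Filtering Platform block filter) rather than matching a list of driver hashes. The service and filter names are placeholders you would replace with your own deployment's values.

```python
import re

# Constructed sample events (not from the article). Fields are simplified from the
# Windows Security/System logs and Sysmon; service and filter names are placeholders.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 6, "ImageLoaded": r"C:\Users\Public\tmp\drv.sys", "Signed": "true"},
    {"source": "Security", "id": 4688, "CommandLine": "bcdedit /set {default} safeboot minimal"},
    {"source": "System", "id": 7036, "Message": "The ExampleEDRAgent service entered the stopped state."},
    {"source": "Security", "id": 5447, "Action": "Block", "FilterName": "custom-block-1"},
    {"source": "Sysmon", "id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

# Assumed allowlists: the security services you actually run and the WFP filter names
# your own firewall or EDR provisions. Both are placeholders for a real environment.
PROTECTED_SERVICES = {"ExampleEDRAgent"}
KNOWN_WFP_FILTERS = {"corp-firewall-default"}

def classify(ev):
    """Map one event to a behavioural tampering indicator, or None if it is benign."""
    src, eid = ev.get("source"), ev.get("id")
    # BYOVD signal: a kernel driver loaded from outside the system drivers directory.
    # Signature status alone is not a test, since BYOVD drivers are validly signed.
    if src == "Sysmon" and eid == 6:
        path = ev.get("ImageLoaded", "").lower()
        return None if "\\windows\\system32\\drivers\\" in path else "driver_load_unusual_path"
    # Safe Mode signal: boot configuration changed so security services will not start.
    if (src, eid) in (("Security", 4688), ("Sysmon", 1)):
        cmd = ev.get("CommandLine", "").lower()
        return "safe_mode_reconfig" if "bcdedit" in cmd and "safeboot" in cmd else None
    # Service signal: a protected security service entered the stopped state.
    if src == "System" and eid == 7036:
        m = re.match(r"The (\S+) service entered the stopped state", ev.get("Message", ""))
        return "security_service_stopped" if m and m.group(1) in PROTECTED_SERVICES else None
    # Driverless network-silencing signal: a WFP block filter we did not provision.
    if src == "Security" and eid == 5447:
        unknown = ev.get("FilterName") not in KNOWN_WFP_FILTERS
        return "wfp_block_filter_added" if ev.get("Action") == "Block" and unknown else None
    return None

def triage(events):
    """Return the indicators raised by a sequence of events, in order of occurrence."""
    return [tag for tag in (classify(e) for e in events) if tag]

if __name__ == "__main__":
    for tag in triage(SAMPLE_EVENTS):
        print(tag)
```

Each rule is deliberately independent of which driver or tool is used, so a newly written EDR killer that relies on the same behaviour still raises the indicator.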
