Cybercriminals deploying ransomware have significantly advanced their methods to bypass endpoint security systems. Moving beyond the traditional technique of exploiting vulnerable drivers, these attackers are now utilizing a range of sophisticated tactics to disable security measures before deploying their encryption software.
Emergence of New Attack Techniques
Historically, the Bring Your Own Vulnerable Driver (BYOVD) approach was the primary method attackers used to disable security tools. That landscape is becoming more complicated: attackers now also employ script-based tools, abuse legitimate anti-rootkit software, and in some cases use methods that require no driver at all to neutralize security protections.
This shift reflects what ransomware affiliates actually need: a brief window in which the encryptor can run without interference. Rather than attempting the harder task of hiding the encryptor from security software, attackers now focus on disabling those protections outright.
Widespread Usage of EDR Killers
EDR killers, tools built specifically to disable endpoint detection and response software, have become a cornerstone of modern ransomware attacks. Research based on ESET telemetry and real-world incidents shows the trend is spreading rapidly among both large and small ransomware groups.
ESET researchers, writing on WeLiveSecurity, have identified nearly 90 EDR killers actively used by various ransomware gangs. These include 54 BYOVD-based tools exploiting 35 distinct vulnerable drivers, 7 script-based tools, and 15 tools misusing legitimate anti-rootkit software. This reflects a growing, commercialized market in which such tools are bought, sold, and customized to target a wide array of security vendors.
Impact and Defense Strategies
The implications for victims are severe: attackers can render security measures ineffective before file encryption begins. Groups including Akira, Medusa, Qilin, RansomHouse, and DragonForce have been observed using commercially available EDR killers bought on underground markets. Tools such as AbyssKiller and CardSpaceKiller appear frequently in attacks, and their builds are commonly run through commercial packing services such as VX Crypt to hinder detection.
To counter these threats, organizations should implement a multi-layered defense. Blocking vulnerable drivers is a necessary first step, but it is insufficient on its own, since script-based, anti-rootkit-abusing and driverless killers never load a driver. Security teams should monitor for unusual driver loads and service installations and maintain blocklists of known vulnerable drivers (Microsoft's vulnerable driver blocklist, enforced through HVCI or WDAC, is the obvious baseline). Limiting high-privilege access and enforcing robust network segmentation further reduce an attacker's opportunities to deploy these tools, since most EDR killers need administrative rights on the target host.
Comprehensive endpoint telemetry, forwarded off-host, ensures that defenders keep visibility even when one layer of security is compromised. A managed detection and response provider or an internal security operations center (SOC) team provides the agility needed to respond while an intrusion is still in progress.
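As an added illustration of the driver-load monitoring recommended above (this is example code written for this page, not ESET's or any vendor's tooling), the script below triages Sysmon event ID 6 ("Driver loaded") records for the BYOVD pattern: a driver whose hash is on a vulnerable-driver blocklist, a driver that is unsigned or carries an invalid signature, or a driver staged in a user-writable directory rather than the system driver store. The blocklist entry, the hashes and the three sample events are constructed placeholders; in a real deployment the blocklist would be populated from Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""Triage Sysmon event ID 6 (Driver loaded) records for BYOVD-style activity."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder hash standing in for a known-vulnerable driver. In practice this
# dict is populated from Microsoft's vulnerable driver blocklist or LOLDrivers;
# the value here is constructed for the example and is not a real driver hash.
VULN_SHA256 = "7b" * 32
BLOCKLIST_SHA256 = {VULN_SHA256: "example-vendor-driver.sys (placeholder entry)"}

# Drivers normally live under System32\drivers or the DriverStore; anything
# staged under a user-writable directory deserves a look even if it is signed.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
TRUSTED_DIRS = re.compile(r"^c:\\windows\\system32\\(drivers|driverstore)\\", re.I)


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) from a Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(field):
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def assess_driver_load(data):
    """Return a list of findings for one driver-load record (empty = nothing odd)."""
    findings = []
    path = data.get("ImageLoaded", "")
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256")
    # A BYOVD driver is usually validly signed, so the hash check is the one
    # that catches it; a signature check alone would wave it through.
    if sha256 in BLOCKLIST_SHA256:
        findings.append("known vulnerable driver: " + BLOCKLIST_SHA256[sha256])
    if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus") != "Valid":
        findings.append("unsigned or invalid signature")
    if USER_WRITABLE.search(path):
        findings.append("loaded from user-writable path")
    elif not TRUSTED_DIRS.search(path):
        findings.append("loaded from non-standard path")
    return findings


def triage(events):
    """Return [(image_path, findings)] for every event ID 6 record with findings."""
    alerts = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 6:
            continue
        findings = assess_driver_load(data)
        if findings:
            alerts.append((data.get("ImageLoaded", ""), findings))
    return alerts


def _event(image, hashes, signed, signature, status):
    """Build a minimal Sysmon event ID 6 record (constructed test data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">{hashes}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry: one benign Microsoft driver, one validly signed
# driver that matches the blocklist and was staged under C:\Users, and one
# unsigned driver dropped under C:\ProgramData. Hashes and vendor are placeholders.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\drivers\tcpip.sys", "SHA256=" + "11" * 32,
           "true", "Microsoft Windows", "Valid"),
    _event(r"C:\Users\Public\Music\drv.sys", "SHA256=" + VULN_SHA256,
           "true", "Example Hardware Vendor", "Valid"),
    _event(r"C:\ProgramData\svc\k.sys", "SHA256=" + "22" * 32,
           "false", "", "Unavailable"),
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

Two caveats apply. First, event ID 6 is emitted when the driver loads, which may be moments before the EDR is killed, so the records must be forwarded off-host immediately to be of any use; the sensor's own log is the first thing a successful killer silences. Second, this only covers the BYOVD class: the script-based, anti-rootkit-abusing and driverless killers described above produce no driver-load event at all, which is why the article pairs driver blocking with broader telemetry, privilege restriction and segmentation rather than relying on any one signal.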
