A recent cybersecurity analysis has identified 54 distinct malicious tools, known as endpoint detection and response (EDR) killers, that are actively disabling security software on targeted computers. These programs achieve this by exploiting a technique called “bring your own vulnerable driver” (BYOVD), which abuses a total of 34 different digitally signed but flawed drivers from legitimate hardware manufacturers.
EDR killers have become a standard component in ransomware attacks, allowing cybercriminal affiliates to deactivate defensive software before deploying file-encrypting payloads. The new research quantifies the scale of this threat, highlighting the widespread availability and use of these bypass tools in current intrusion campaigns.
How the BYOVD Technique Works
The BYOVD method involves attackers loading a legitimate, signed driver with known security vulnerabilities onto a compromised system. Because these drivers carry a valid signature from a trusted company, the operating system's driver signature checks allow them to load and run with kernel privileges. Once installed, the vulnerable driver is exploited to gain kernel-level access, the highest level of privilege in an operating system.
This kernel access enables the EDR killer to directly manipulate memory and processes, effectively disabling or circumventing endpoint security and antivirus software. The technique is particularly effective because it leverages trusted components already whitelisted by the system, making detection by traditional means more difficult.
The Scope of the Driver Problem
The analysis found that the 54 EDR killer programs collectively abuse 34 unique vulnerable drivers. These drivers originate from various well-known hardware and software vendors. The continued use of these drivers, despite many having known vulnerabilities and available patches, underscores a persistent challenge in the software supply chain.
Security researchers note that the signing certificates for these vulnerable drivers often remain valid, or the drivers themselves are not added to revocation lists promptly. This allows malware authors to continue using them as a reliable method for disabling security controls. The situation creates a significant advantage for attackers, who can weaponize legitimate software against the very systems it was designed to support.
Impact on Ransomware Operations
The proliferation of EDR killers directly facilitates the success of ransomware gangs. By neutralizing the victim’s primary defense mechanisms, attackers can execute their encryption routines unimpeded, increasing the likelihood of a successful extortion attempt. These tools are typically deployed early in the intrusion, after initial network access and credential theft but before the encryption payload is run.
Their use is not limited to any single ransomware group; instead, they represent a commoditized service within the cybercrime ecosystem. Affiliates and initial access brokers can purchase or rent these EDR killers to improve the efficacy of their attacks, contributing to the overall ransomware threat landscape.
Mitigation and Defense Strategies
Security experts recommend several measures to defend against BYOVD attacks. A primary defense is implementing driver allowlisting, where only drivers from a pre-approved and validated list are permitted to load. Operating system features like Microsoft’s Vulnerable Driver Blocklist, which prevents known vulnerable drivers from loading even though they are validly signed, are also critical.
Organizations are advised to maintain rigorous patch management policies to ensure that all drivers, especially those from peripheral devices, are kept up to date. Furthermore, deploying security solutions that can detect and block attempts to load drivers into kernel memory, or that monitor for unusual kernel-level activity, can provide an additional layer of defense.
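One way to act on the monitoring advice above is to triage driver-load telemetry for BYOVD indicators. The following is an added example, not code from the original article or from any of the research it summarizes; it assumes records shaped like Sysmon Event ID 6 ("Driver loaded") fields (ImageLoaded, Hashes, Signed, SignatureStatus), uses constructed placeholder hashes in place of a real vulnerable-driver list, and runs over constructed sample events rather than real telemetry.

```python
# Triage Sysmon Event ID 6 ("Driver loaded") records for BYOVD indicators: a load is
# flagged when its SHA256 is on a local list of known-vulnerable drivers, when it is
# unsigned or its signature is not valid, or when it was loaded from a user-writable
# staging directory. A BYOVD driver is validly signed, so the hash check catches it.

# Constructed placeholder hashes: in real use, populate from a curated list such as the
# one behind Microsoft's Vulnerable Driver Blocklist.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 64: "placeholder vulnerable driver A",
    "1" * 64: "placeholder vulnerable driver B",
}
STAGING_PATH_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def parse_event(record: dict) -> dict:
    """Extract the fields we need; Sysmon's Hashes field looks like 'SHA256=..,MD5=..'."""
    hashes = dict(part.split("=", 1) for part in record["Hashes"].split(","))
    return {
        "image": record["ImageLoaded"],
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": record["Signed"].lower() == "true",
        "status": record["SignatureStatus"],
    }

def assess(load: dict) -> list:
    """Return the reasons a driver load is suspicious (empty list means nothing flagged)."""
    reasons = []
    if load["sha256"] in VULNERABLE_DRIVER_SHA256:
        reasons.append("known-vulnerable driver: " + VULNERABLE_DRIVER_SHA256[load["sha256"]])
    if not load["signed"] or load["status"].lower() != "valid":
        reasons.append("signature not valid: " + load["status"])
    if load["image"].lower().startswith(STAGING_PATH_PREFIXES):
        reasons.append("loaded from user-writable path")
    return reasons

def triage(records: list) -> dict:
    """Map each flagged image path to its reasons; clean loads are omitted."""
    assessed = {load["image"]: assess(load) for load in map(parse_event, records)}
    return {image: reasons for image, reasons in assessed.items() if reasons}

# Constructed sample events (not real telemetry), shaped like Sysmon ID 6 fields.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\vuln.sys",
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "0" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\unsigned.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]
```

The second sample event is the BYOVD case: its signature is valid, so only the hash match and the staging path flag it, which is why signature checks alone are not enough.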
The ongoing analysis of EDR killers and their methods is conducted by multiple cybersecurity firms. These organizations track the evolution of these tools and work with vendors to get vulnerable drivers patched and their certificates revoked. This collaborative effort is essential for shrinking the pool of exploitable drivers available to adversaries.
Looking ahead, the cybersecurity community anticipates continued refinement of BYOVD techniques by threat actors. In response, security vendors and platform developers are expected to enhance kernel protection mechanisms and driver validation processes. The industry-wide shift towards more comprehensive threat hunting and behavioral detection, rather than reliance solely on signatures, is likely to accelerate as a countermeasure to these advanced bypass tools.
Source: Various cybersecurity research publications