EDR Killers: Industrial-Scale Evasion, the Foundation of Attacks by…

Recent ransomware campaigns rely on an auxiliary tool that is becoming standard. To achieve their goals, groups no longer merely encrypt or exfiltrate data; to ensure stealth, they systematically dismantle defensive measures.

Thus, neutralizing EDR solutions, whose rise clearly hampers their operations, has become a routine, standardized step integrated into the attack scenario. The “EDR Killers” embody this evolution: an industrialized and diverse ecosystem, partly assisted by artificial intelligence.

Killing detection before encryption or exfiltration

Why persist in disabling EDR rather than simply making ransomware stealthier? For one simple reason: reliability. Massive file encryption is inherently noisy. Masking it is complex, and any concealment is short-lived.

EDR Killers offer a more effective approach. By creating a controlled execution window, they guarantee that the final phase of the attack unfolds without alerting security teams. Operators can thus keep encryptors simple, robust, and easily replaceable. Evasion precedes the ransomware and conditions its success.

A growing technical arsenal

Our work, based on the analysis of around 90 active tools, shows a rapid diversification of techniques. BYOVD (Bring Your Own Vulnerable Driver) remains dominant, with more than fifty tools exploiting this principle. It relies on installing legitimate but vulnerable drivers to obtain kernel privileges and disable protections. Thirty-five different drivers are currently abused, often shared by several groups.

Alongside this, a gray area has developed around legitimate tools. Anti-rootkits, designed to operate at the kernel level, are hijacked to stop protected processes. They turn less technically skilled affiliates into operators capable of neutralizing processes, including EDR.

A third path is emerging: headless, driverless approaches. Tools like EDRSilencer or EDR-Freeze paralyze detection without touching the kernel, by blocking network communications or freezing security components. Their stealth seriously complicates detection.

Finally, some groups go a step further. The Play group illustrates this evolution by completely deleting security agents from the drive, altering firewalls, and even cutting off Internet access. The EDR is no longer stopped. It is eradicated.

Evasion becomes a product

In the ransomware-as-a-service economy, roles become specialized. Developers produce the ransomware. Affiliates operate the EDR Killers. This separation has given rise to a dedicated market: evasion as a service.

Tools such as DemoKiller, AbyssKiller, or CardSpaceKiller are sold turnkey on clandestine forums. Advanced obfuscation, commercial packers, encrypted drivers, protections against analysis—everything is designed to lower the technical threshold and maximize the success rate.

AI as an accelerator

Artificial intelligence is beginning to influence these developments. While not always attributable with certainty, its footprint appears in certain tools, notably within the Warlock gang: generic code typical of LLM output, redundant structures, and lists of scenarios embedded in the binary.

More troubling, AI seems to facilitate automated testing mechanisms. The tool successively tries different devices or known vectors until it finds an exploitable configuration. Human expertise is partly replaced by experiment-assisted approaches.

Complex attribution and defense under pressure

Attributing an attack based on a single driver is limiting. The same components circulate among groups, change versions, evolve only slightly. Focusing on an isolated artifact risks missing the reality of attack chains and the relationships between tools, affiliates, and infrastructures. Attack attribution remains a crucial link in incident response; to view it in its entirety, Cyber Threat Intelligence is a valuable ally.

On the defense side, blocking vulnerable drivers is necessary but insufficient. This measure often comes too late and may disrupt legitimate software. The response must be broader:

  • Reduce initial entry surfaces.
  • Observe behaviors, including those of tools traditionally considered legitimate.
  • Intercept the EDR Killer upstream, before any escalation attempt.
  • Ensure backups that are truly resilient, isolated and tested.
  • Monitor the activities of the security solutions themselves (SOC / MDR…).
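As an added illustration, not code from the article or from ESET, the following Python routine runs two of the checks above over constructed telemetry: it flags a driver load that matches a vulnerable-driver blocklist or that comes from a user-writable path (the BYOVD case), and it flags a host whose EDR heartbeat goes silent, which is the trace a network-blocking or freezing tool of the kind described earlier leaves behind. The blocklist hash, file paths and log lines are placeholders constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Placeholder blocklist (constructed, not a real indicator): replace with the
# organisation's own vulnerable-driver block rules (hashes and file names).
BLOCKED_SHA256 = {"00" * 31 + "01"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed telemetry: ws01 loads a driver from Temp matching the blocklist and
# its heartbeat then goes quiet; ws02 loads a normal system driver and stays healthy.
SAMPLE_LOG = r"""
{"ts":"2024-05-01T10:00:00","host":"ws01","type":"edr_heartbeat"}
{"ts":"2024-05-01T10:01:00","host":"ws01","type":"edr_heartbeat"}
{"ts":"2024-05-01T10:01:30","host":"ws01","type":"driver_load","image":"C:\\Windows\\Temp\\vulnsvc.sys","sha256":"0000000000000000000000000000000000000000000000000000000000000001"}
{"ts":"2024-05-01T10:02:00","host":"ws01","type":"edr_heartbeat"}
{"ts":"2024-05-01T10:20:00","host":"ws01","type":"edr_heartbeat"}
{"ts":"2024-05-01T10:00:00","host":"ws02","type":"edr_heartbeat"}
{"ts":"2024-05-01T10:01:00","host":"ws02","type":"driver_load","image":"C:\\Windows\\System32\\drivers\\disk.sys","sha256":"aaaa"}
{"ts":"2024-05-01T10:01:00","host":"ws02","type":"edr_heartbeat"}
""".strip()


def parse_events(text):
    """One JSON object per line; timestamps become datetimes for gap arithmetic."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def driver_load_alerts(events):
    """Flag driver loads on the blocklist and, independently, loads from a
    user-writable location (a legitimate signed driver dropped there is the
    typical BYOVD staging pattern). Returns (host, reason, image) tuples."""
    alerts = []
    for e in (x for x in events if x["type"] == "driver_load"):
        if e["sha256"] in BLOCKED_SHA256:
            alerts.append((e["host"], "blocklisted_driver", e["image"]))
        if e["image"].lower().startswith(USER_WRITABLE_PREFIXES):
            alerts.append((e["host"], "driver_from_user_writable_path", e["image"]))
    return alerts


def heartbeat_gaps(events, max_gap=timedelta(minutes=5)):
    """Per host, report silences in the EDR heartbeat longer than max_gap.
    A silenced or frozen agent shows up here even when no driver was involved."""
    by_host = {}
    for e in (x for x in events if x["type"] == "edr_heartbeat"):
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        gaps += [(host, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
    return gaps
```

In production the heartbeat check should also fire when the most recent heartbeat is older than the threshold at query time, since a fully killed agent never sends the "next" beat that closes the gap.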

The EDR Killers are no longer exceptional. They have become central tools in mature, structured, pragmatic cybercrime. By exploiting the legitimacy of tools and signatures, they shift the battleground. Detection must now aim at intent, before defenses fall silent.

* Benoit Grunemwald is a cybersecurity expert at ESET.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.