ESET Research Finds BYOVD Dominates EDR Killer Use in Ransomware Intrusions
ESET Research reported that EDR killers have become a standard component of modern ransomware operations, with attackers routinely disabling endpoint detection and response tools before launching encryptors. Across nearly 90 EDR killer tools observed in the wild, 54 were found to use the Bring Your Own Vulnerable Driver (BYOVD) technique, abusing 34 signed but vulnerable drivers to obtain kernel-level privileges and tamper with security products. The research says this approach is especially attractive to ransomware affiliates because it creates a short, reliable window for encryption while avoiding the need to constantly rebuild encryptors to evade detection.
The reporting also highlights how ransomware-as-a-service operations contribute to the diversity of EDR killer tooling: operators typically provide the encryptor and infrastructure, while affiliates choose the EDR-disabling utility used during an intrusion. Although BYOVD remains the dominant method because of its reliability and relatively low development cost, researchers also observed a growing set of tools that disable protections without loading drivers, including methods that disrupt EDR communications, suspend processes, or abuse built-in administrative utilities. The findings reinforce that vulnerable-driver abuse remains a key defensive gap, while non-kernel alternatives are also expanding the range of pre-encryption attack techniques defenders must monitor.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft removes trust for older cross-signed kernel drivers in newer Windows
By 2026-04-14, reporting said Microsoft was responding to BYOVD abuse by removing trust for older cross-signed kernel drivers in newer Windows releases. Researchers said this could significantly reduce abuse because many vulnerable drivers tracked by LOLDrivers are cross-signed, although evaluation mode may delay full enforcement.
Researchers detail 0-day BYOVD attack used to disable CrowdStrike Falcon
By 2026-04-06, reporting described a bring-your-own-vulnerable-driver attack that abused a Microsoft-signed vulnerable driver with crafted IOCTL requests containing a target PID to terminate security processes. The technique was highlighted as a way to disable endpoint defenses including CrowdStrike Falcon by weaponizing trusted signed drivers.
Seqrite reports ransomware abuse of legitimate Windows tools to disable AV/EDR
On 2026-03-31, Seqrite researchers reported that ransomware operators increasingly repurpose legitimate, digitally signed Windows administrative tools to disable antivirus and EDR protections before encryption. The report linked this tradecraft to families including LockBit 3.0, BlackCat, Dharma, Phobos, and MedusaLocker, and described a two-stage intrusion chain centered on defense neutralization and privilege escalation.
ESET urges prevention-first defenses beyond vulnerable-driver blocking
Also on 2026-03-19, ESET warned that simply blocking vulnerable drivers is insufficient because ransomware intrusions are interactive and affiliates often have fallback tools ready. It recommended layered, prevention-first defenses focused on detecting privilege escalation, driver installation, and other pre-encryption activity before EDR killers execute.
ESET identifies commercialization and possible AI-assisted EDR-killer development
ESET said on 2026-03-19 that underground products such as DemoKiller, AbyssKiller, and CardSpaceKiller show the growing commercialization of EDR-killer tooling, often protected by packers like HeartCrypt and VX Crypt. The researchers also noted signs that some recently observed tools, including one linked to Warlock activity, may have been developed with AI assistance.
ESET details dominant BYOVD and emerging driverless EDR-killer techniques
In the same 2026-03-19 research, ESET reported that bring-your-own-vulnerable-driver (BYOVD) remains the dominant approach, with 54 tools abusing 34 signed vulnerable drivers. It also documented script-based, anti-rootkit-based, and driverless methods such as EDRSilencer and EDR-Freeze that disable or disrupt security products without relying on kernel drivers.
ESET publishes research on EDR killers in ransomware intrusions
On 2026-03-19, ESET published research concluding that EDR killers have become a standard pre-encryption stage in modern ransomware attacks. The company said it tracked nearly 90 EDR-killer tools used in the wild and found that affiliates usually choose them, creating high tooling diversity across ransomware operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses
darkreading.com
Open sourceRansomware Gangs Expand Use of EDR Killers Beyond Vulnerable Drivers, ESET Warns
cybersecuritynews.com
Open sourceSigned to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR - Infosec.Pub
infosec.pub
Open sourceHackers Weaponize Legitimate Windows Tools to Disable Antivirus Before Ransomware Attacks - Cyber Security News
cybersecuritynews.com
Open sourceESETの公開した90種類以上のEDR Killerを調査した記事を読んで思ったこと - Slapdash Safeguards
sdsg.moe
Open sourceRansomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers
cybersecuritynews.com
Open source54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security
thehackernews.com
Open sourceEDR killers explained: Beyond the drivers
welivesecurity.com
Open sourceEDR killers are now standard equipment in ransomware attacks - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Black Basta Embeds BYOVD Driver Inside Ransomware Payload to Disable EDR
**Black Basta** ransomware operators have been observed embedding a **Bring Your Own Vulnerable Driver (BYOVD)** component directly inside the ransomware payload, a shift from the more common approach of deploying an external “EDR killer” tool prior to encryption. The technique abuses a legitimate, signed but vulnerable Windows driver to gain **kernel-level** privileges and terminate security tooling (AV/EDR) on the victim host, reducing the chance defenders can stop the attack before encryption begins. Reporting attributes the finding to analysis by **Symantec** (and the **Carbon Black Threat Hunter Team**), which described the embedded-driver approach as a notable evolution in Black Basta tradecraft and consistent with broader ransomware trends toward BYOVD-based defense evasion. One account also links the activity to the **Cardinal** cybercrime group and notes the behavior had not been seen in prior Black Basta campaigns, suggesting either a retooling or a renewed operational tempo that could be adopted by other ransomware families seeking to reliably neutralize endpoint protections.
Mar 21, 2026
Malware Families Employing BYOVD and Driver-Based EDR Bypass Techniques
Multiple malware families have adopted advanced techniques to bypass endpoint detection and response (EDR) solutions by leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks and stealthy driver installations. Notably, DeadLock ransomware has been observed exploiting a vulnerable Baidu driver to achieve kernel-level defense bypass, allowing it to disable security products and facilitate ransomware deployment. Similarly, Makop ransomware has evolved to incorporate GuLoader and BYOVD-based EDR killers, specifically targeting networks with exposed Remote Desktop Protocol (RDP) services to gain initial access and evade detection. In parallel, the ValleyRAT malware family has demonstrated the use of stealthy driver installation methods to circumvent Windows 11 security protections. The public leak of the ValleyRAT builder has expanded its accessibility, enabling a broader range of threat actors to deploy this sophisticated backdoor. These developments highlight a growing trend among threat actors to exploit driver vulnerabilities and kernel-level techniques to undermine modern security controls across various malware campaigns.
Mar 21, 2026
Signed vulnerable drivers used to disable EDR and aid ransomware attacks
Researchers and incident responders reported continued abuse of **Bring Your Own Vulnerable Driver (BYOVD)** techniques to disable endpoint protections, including **CrowdStrike Falcon**, by loading legitimately signed but flawed Windows kernel drivers. One newly analyzed zero-day driver family included more than 15 variants with valid Microsoft signatures and an IOCTL path such as `0x22E010` that accepted a process ID and invoked `ZwOpenProcess` and `ZwTerminateProcess` from kernel mode, allowing attackers to kill protected security processes without alerts. A proof-of-concept dubbed **PoisonKiller** demonstrated successful termination of the CrowdStrike EDR process through the driver’s symbolic link, underscoring the risk created by trusted but unrevoked third-party drivers. Separate reporting from Sophos and industry coverage tied the same broader tactic to real intrusions and ransomware activity, including ongoing abuse of **Terminator** and related tools built around vulnerable **Zemana** drivers. Attackers used IOCTL flaws to place their own processes on allow lists and then terminate AV and EDR components, while some incidents showed operators switching to alternatives such as **AuKill** when initial attempts failed. Defenders were urged to combine tamper protection, strict privilege controls, patching, and aggressive blocklisting of unnecessary vulnerable drivers, as signed-driver abuse has spread from advanced actors to commodity ransomware crews and lower-tier criminals.
May 25, 2026