thehackernews.com 3/19/2026, 7:36:20 PM

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

A new analysis by The Hacker News and ESET reveals that 54 EDR killers use the bring-your-own-vulnerable-driver (BYOVD) technique to exploit 34 signed vulnerable drivers, enabling threat actors to disable security software before encrypting data. EDR killers are standalone components, separate from the encryptor, that terminate security processes and tamper with kernel callbacks, helping ransomware operators evade detection while keeping the encryptor itself lightweight.

According to ESET researcher Jakub Souček, BYOVD remains a reliable path because it abuses a legitimate, signed driver with a known vulnerability to gain kernel-mode privileges. The study notes that nearly 90 EDR killer tools were detected by the Slovakian researchers; the threat actors observed include DeadLock and Warlock, along with forks such as SmilingKiller and TfSysMon-Killer, and underground markets sell tools such as DemoKiller (aka Бафомет), ABYSSWORKER, and CardSpaceKiller.

Some variants also rely on script-based interference, using commands such as taskkill, net stop, or sc delete, and a few combine scripting with Windows Safe Mode. The report highlights that EDR killers are often cheaper than, and decoupled from, the encryptor, which makes them a persistent threat across ransomware campaigns. To defend against them, the researchers urge layered protections and proactive monitoring at every stage of the attack lifecycle.

19 March 2026
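The script-based interference described above (taskkill, net stop, sc delete aimed at security components) is the easiest category to catch in process-creation telemetry. The following is an added detection example, not code from the article or from ESET; it runs over constructed Sysmon Event ID 1 style records, and the protected service and process names are hypothetical placeholders that a deployment would replace with its own EDR component names.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); sample data only.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": 'taskkill /F /IM notepad.exe'},            # benign
    {"id": 2, "cmdline": 'taskkill /F /IM sensorhost.exe'},         # kills EDR process
    {"id": 3, "cmdline": 'net stop "Sensor Service" /y'},           # stops EDR service
    {"id": 4, "cmdline": 'C:\\Windows\\System32\\sc.exe delete SecurityAgentSvc'},
    {"id": 5, "cmdline": 'sc query SecurityAgentSvc'},              # benign query
]

# Hypothetical EDR component names (assumption for this example, not from the article).
PROTECTED_SERVICES = {"securityagentsvc", "sensor service"}
PROTECTED_PROCESSES = {"sensorhost.exe"}


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted strings as one token."""
    return [quoted or word for quoted, word in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(cmdline):
    """Return a finding string if the command line matches one of the
    script-based interference patterns against a protected component, else None."""
    low = [t.lower() for t in tokenize(cmdline)]
    if not low:
        return None
    exe = low[0].rsplit("\\", 1)[-1]          # drop any path prefix
    exe = exe[:-4] if exe.endswith(".exe") else exe
    # taskkill /IM <image>: terminate a security process by image name
    if exe == "taskkill" and "/im" in low:
        i = low.index("/im") + 1
        if i < len(low) and low[i] in PROTECTED_PROCESSES:
            return f"taskkill against protected process {low[i]}"
    # net stop <service>: stop a security service
    if exe == "net" and len(low) > 2 and low[1] == "stop" and low[2] in PROTECTED_SERVICES:
        return f"net stop against protected service {low[2]}"
    # sc delete <service> (sc stop included for completeness): remove/stop a security service
    if exe == "sc" and len(low) > 2 and low[1] in {"delete", "stop"} and low[2] in PROTECTED_SERVICES:
        return f"sc {low[1]} against protected service {low[2]}"
    return None


def scan(events):
    """Run classify() over event records; return (event id, finding) pairs."""
    findings = []
    for event in events:
        finding = classify(event["cmdline"])
        if finding:
            findings.append((event["id"], finding))
    return findings
```

A real rule would also weigh the parent process and invoking user, and the BYOVD half of the problem needs a separate check on driver-load events (signature and hash against a vulnerable-driver list), which this snippet does not cover.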


Article by CyberSIXT