ESET Analyzes Nearly 90 EDR Killers Used in Ransomware Intrusions, Reveals Attribution Pitfalls
ESET researchers analyzed almost 90 EDR killers actively used in ransomware attacks, finding that affiliates choose the tools and driver-based attribution is often misleading.

ESET researchers have published a comprehensive analysis of nearly 90 endpoint detection and response (EDR) killers actively used in ransomware intrusions, shedding light on the techniques and operational patterns that make these tools a critical component of modern attacks. The study, based on ESET telemetry and incident investigations, goes beyond the dominant Bring Your Own Vulnerable Driver (BYOVD) approach to document script-based and anti-rootkit utilities, as well as the growing role of AI-assisted development.
The research reveals that EDR killers are not just plentiful but behave predictably and consistently, which is precisely why ransomware affiliates rely on them. Rather than investing in making encryptors evade detection, a time-consuming and difficult task given how noisy encryption is, attackers use EDR killers to disrupt security controls immediately before deployment. This approach keeps encryptors simple, stable, and easy to rebuild, while the EDR killers themselves are often "plug-and-play" thanks to public proof-of-concept (PoC) code.
A key finding is that affiliates, not ransomware operators, select the EDR killers used in intrusions. Larger affiliate pools lead to greater tooling diversity, with the same vulnerable driver appearing in unrelated tools and the same tool migrating between drivers. This makes driver-based attribution to specific threat groups misleading. The study documents 54 BYOVD-based tools abusing 35 drivers, 7 script-based tools, and 15 anti-rootkit utilities. For 24 of the BYOVD-based tools, ESET found no publicly available PoC, suggesting developers implemented them from scratch.
The researchers also highlight the emergence of "EDR killer as a product" and packer-as-a-service offerings on the dark web, which increase availability and muddy attribution. Additionally, they present evidence that AI assisted in the development of some EDR killers, citing a concrete example from the Warlock gang. This trend complicates defense as AI-generated code can introduce novel evasion techniques.
While BYOVD remains the dominant technique, the study notes that custom scripts, anti-rootkit utilities, and driverless EDR killers are also used. Driverless approaches block the EDR software's communication or suspend it in place without relying on a vulnerable driver. The research provides a technical overview of these methods, including the vulnerable drivers commonly abused.
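The BYOVD sequence described above (a driver loaded from an unusual location or with a blocklisted hash, followed shortly by termination of security-product processes) lends itself to behavioural detection that does not depend on which driver was used. The following is an added example, not code from ESET's research; it assumes Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) telemetry and uses constructed placeholder hashes, paths and product names.

```python
"""Correlate driver loads with security-process terminations, the BYOVD EDR-killer sequence."""
from datetime import datetime, timedelta

# Constructed sample telemetry shaped like Sysmon Event ID 6 (DriverLoad) and
# Event ID 5 (ProcessTerminate). Hashes, paths and product names are placeholders,
# not real indicators from ESET's research.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "id": 6,
     "image": r"C:\Windows\System32\drivers\disk.sys", "sha256": "PLACEHOLDER_KNOWN_GOOD"},
    {"ts": "2024-01-01T10:05:00", "id": 6,
     "image": r"C:\Users\Public\tmp\helper.sys", "sha256": "PLACEHOLDER_VULNERABLE_DRIVER"},
    {"ts": "2024-01-01T10:05:07", "id": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"ts": "2024-01-01T10:05:08", "id": 5, "image": r"C:\Program Files\ExampleEDR\edr_sensor.exe"},
    {"ts": "2024-01-01T11:00:00", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]
# Hashes an organisation would populate from a vulnerable-driver blocklist (placeholder here).
BLOCKLIST = {"PLACEHOLDER_VULNERABLE_DRIVER"}
# Process names of the deployed security products to watch (placeholder names).
SECURITY_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_driver(event: dict) -> bool:
    """Blocklisted hash, or a driver loading from outside the system driver directory."""
    return (event["sha256"] in BLOCKLIST
            or not event["image"].lower().startswith(TRUSTED_DRIVER_DIR))


def find_edr_kill_sequences(events: list, window_s: int = 60) -> list:
    """One alert per suspicious driver load that is followed within window_s seconds
    by termination of a watched security process. Keyed on behaviour, not on the driver."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for load in (e for e in ordered if e["id"] == 6 and is_suspicious_driver(e)):
        t0 = datetime.fromisoformat(load["ts"])
        killed = [basename(e["image"]) for e in ordered
                  if e["id"] == 5
                  and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + timedelta(seconds=window_s)
                  and basename(e["image"]) in SECURITY_PROCESSES]
        if killed:
            alerts.append({"driver": load["image"], "terminated": killed, "at": load["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_edr_kill_sequences(EVENTS):
        print(alert)
```

The same correlation applies whichever vulnerable driver a given tool happens to ship with, which is the point the research makes about driver-based attribution.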
The findings underscore the importance of focusing on the broader ecosystem of EDR killers rather than individual drivers for attribution and defense. As ransomware operations continue to evolve, understanding how affiliates select and operate these tools is crucial for developing effective countermeasures. ESET's analysis offers a clear, evidence-based picture of EDR killers as a predictable stage in modern ransomware intrusions.