New Report Reveals 50+ Tools Used to Shut Down Security Software

EDR Killers Are Helping Ransomware Bypass Security Defenses

A new cybersecurity report has revealed how attackers are increasingly using specialized tools known as EDR killers to shut down security systems before launching ransomware attacks.

These tools are designed to disable endpoint detection and response (EDR) solutions, making it easier for attackers to operate without being detected.


The Rise of the BYOVD Technique

One of the most common methods used by these tools is called Bring Your Own Vulnerable Driver (BYOVD).

Instead of creating malicious drivers from scratch, attackers use legitimate drivers that are digitally signed but contain known vulnerabilities. This allows them to gain deep system access without triggering standard security alerts.

With this level of access, attackers can:

  • Turn off security software
  • Stop monitoring processes
  • Interfere with system protections
  • Prepare the system for ransomware deployment

Why Attackers Use EDR Killers

Ransomware itself is noisy. It rapidly modifies large numbers of files, which can easily trigger detection systems.

To avoid this, attackers separate the attack into stages:

  1. First, disable security tools using EDR killers
  2. Then, deploy ransomware in a cleaner, less detectable environment

This approach makes attacks more reliable and easier to repeat across multiple targets.


Different Types of EDR Killer Tools

Researchers have identified several categories of these tools:

1. BYOVD-Based Tools

These are the most common. They exploit vulnerable drivers to gain full system control and bypass protections.


2. Script-Based Attacks

Some attackers use simple system commands like:

  • taskkill
  • net stop
  • sc delete

These commands can stop security services directly. In some cases, attackers reboot systems into Safe Mode, where fewer protections are active.


3. Legitimate Anti-Rootkit Tools

Certain attackers use real security utilities to terminate protected processes. These tools were originally designed for system analysis but are now being misused.


4. Driverless Techniques

Newer methods avoid drivers altogether. Instead, they block communication between the security tools on the endpoint and their management servers, leaving the protection effectively non-functional.


Who Is Behind These Attacks

These tools are being used by different types of threat actors, including:

  • Organized ransomware groups operating closed networks
  • Attackers modifying publicly available code
  • Cybercriminals selling EDR killer tools on underground markets

This has made these tools widely accessible, even to less experienced attackers.


Why This Is a Growing Threat

EDR killers are becoming more advanced and easier to use. Instead of focusing on making ransomware harder to detect, attackers are focusing on disabling defenses first.

This shift makes traditional security strategies less effective.

Even if one method fails, attackers can quickly switch to another tool, making defense more challenging.


How Organizations Can Protect Themselves

To reduce the risk of these attacks, organizations should:

  • Block known vulnerable drivers from running
  • Monitor for unusual system-level activity
  • Use layered security instead of relying on a single defense
  • Detect threats early before attackers reach the final stage

Since EDR killers are often used just before ransomware is deployed, catching attackers earlier in the attack chain is critical.
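The script-based commands listed earlier (taskkill, net stop, sc delete) and the advice to block known vulnerable drivers can be turned into a simple staged-activity detector. The following Python is an added example, not code from the report or the article; the log format, service names and driver hash are constructed placeholders.

```python
"""Toy detector for EDR-killer precursor activity (added example, not from the report).
Input is a constructed pipe-delimited log: timestamp|host|event|detail, where event is
"process" (detail = command line) or "driver" (detail = SHA-256 of the loaded driver)."""
import re
from collections import defaultdict

PROTECTED = {"exampleedrsvc", "examplesensor.exe"}  # constructed: security components to guard
BLOCKED_DRIVER_SHA256 = {"0" * 64}                   # constructed placeholder, not a real indicator

# Script-based techniques the report lists: net stop, sc delete, taskkill.
COMMAND_PATTERNS = {
    "net_stop": re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\"?([\w.-]+)", re.I),
    "sc_delete": re.compile(r"\bsc(?:\.exe)?\s+(?:delete|stop)\s+\"?([\w.-]+)", re.I),
    "taskkill": re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([\w.-]+)", re.I),
}

def analyze(log_text):
    """One alert per suspicious event, plus an 'edr_killer_sequence' alert for any host
    showing two or more distinct techniques (the staged pattern the report describes)."""
    alerts = []
    per_host = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, event, detail = line.split("|", 3)
        if event == "driver" and detail.lower() in BLOCKED_DRIVER_SHA256:
            alerts.append({"ts": ts, "host": host, "technique": "byovd_driver_load", "target": detail})
            per_host[host].add("byovd_driver_load")
        elif event == "process":
            for name, pat in COMMAND_PATTERNS.items():
                m = pat.search(detail)
                # Alert only when the target is a guarded component; "net stop Spooler" stays quiet.
                if m and m.group(1).lower() in PROTECTED:
                    alerts.append({"ts": ts, "host": host, "technique": name, "target": m.group(1)})
                    per_host[host].add(name)
    for host, techniques in per_host.items():
        if len(techniques) >= 2:
            alerts.append({"ts": "", "host": host, "technique": "edr_killer_sequence",
                           "target": ",".join(sorted(techniques))})
    return alerts

# Constructed sample log: ws01 shows the staged pattern, ws02 is benign activity.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z|ws01|process|cmd.exe /c net stop ExampleEdrSvc
2024-01-01T10:00:05Z|ws01|process|sc.exe delete "ExampleEdrSvc"
2024-01-01T10:00:09Z|ws01|process|taskkill /F /IM ExampleSensor.exe
2024-01-01T10:00:12Z|ws01|process|net stop Spooler
2024-01-01T10:01:00Z|ws01|driver|0000000000000000000000000000000000000000000000000000000000000000
2024-01-01T10:02:00Z|ws02|process|notepad.exe report.txt
"""

if __name__ == "__main__": print(*analyze(SAMPLE_LOG), sep="\n")
```

Running it on the sample yields four per-event alerts for ws01 followed by one sequence alert, while the routine Spooler stop and the ws02 activity produce nothing.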


Final Take

EDR killers are now a key part of modern ransomware attacks. By disabling security tools first, attackers can operate more freely and increase their chances of success.

The takeaway is clear: security can no longer rely on a single layer of defense. Organizations must adopt a proactive approach that detects threats at every stage before damage is done.

