Source: The Hacker News
Author: info@thehackernews.com (The Hacker News)
URL: https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
ONE SENTENCE SUMMARY:
EDR killers, widely used in ransomware, increasingly abuse BYOVD to gain kernel access, disable defenses, and necessitate layered detection strategies.
MAIN POINTS:
- Analysis found 54 EDR killers using BYOVD across 34 vulnerable drivers.
- Ransomware affiliates use EDR killers to neutralize security before encryption.
- Encryptors are noisy, making reliable stealth difficult and costly to maintain.
- Decoupled EDR killers keep lockers simple, stable, and frequently rebuilt.
- BYOVD abuses signed, vulnerable drivers to obtain Ring 0 kernel privileges.
- Kernel access enables killing EDR processes, disabling tools, and tampering with kernel callbacks.
- Attackers include closed ransomware groups, PoC forkers, and marketplace “EDR-killer-as-a-service” vendors.
- Script-based tools use taskkill/net stop/sc delete; some leverage Windows Safe Mode.
- Legitimate anti-rootkits can terminate protected processes via user-friendly interfaces.
- Driverless killers increasingly block EDR outbound traffic, forcing “coma” states.
TAKEAWAYS:
- Prioritize blocking known-abused vulnerable drivers via allowlists/blocklists and policy controls.
- Monitor for driver loading anomalies, kernel-callback tampering, and sudden EDR process terminations.
- Expect tool switching near encryption time; detect earlier lifecycle stages to prevent last-minute evasion.
- Treat commercialized EDR killers as mature malware with strong anti-analysis and anti-detection features.
- Implement layered defenses combining prevention, telemetry, containment, and rapid remediation.
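The monitoring takeaway above (driver-load anomalies followed by EDR service stops) as a small correlation rule. This is an added example, not code from The Hacker News or the underlying report; the driver hash, driver file name, EDR service names and log lines are constructed placeholders, and the real blocklist would be fed from a maintained vulnerable-driver list.

```python
import re
from collections import defaultdict

# PLACEHOLDER blocklist keyed by hash; values are driver file names.
# Feed this from a maintained vulnerable-driver blocklist in real use.
DRIVER_BLOCKLIST = {"sha256:PLACEHOLDER_VULN_DRIVER": "placeholder_vuln.sys"}

# Placeholder substrings naming EDR services/processes on monitored hosts.
EDR_NAMES = ("edrsvc", "sensor")
# Script-based killer commands named in the article: taskkill / net stop / sc delete
TAMPER_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+(delete|stop))\b", re.I)

# Constructed sample telemetry, one event per line: "ts|host|event|detail".
SAMPLE_LOG = """\
10|host1|DriverLoad|sha256:PLACEHOLDER_VULN_DRIVER
15|host1|ProcessCreate|sc delete edrsvc
20|host2|ProcessCreate|net stop spooler
25|host2|DriverLoad|sha256:BENIGN_DRIVER
30|host3|ProcessCreate|taskkill /F /IM sensor.exe
"""

def parse(line):
    ts, host, event, detail = line.split("|", 3)
    return int(ts), host, event, detail

def find_edr_killer_activity(log, window=300):
    """Return {host: finding}. 'high' = blocklisted driver load followed within
    `window` seconds by a stop/delete/kill aimed at an EDR name (BYOVD pattern);
    'medium' = the tamper command alone (driverless killer pattern)."""
    findings = {}
    loads = defaultdict(list)  # host -> [(ts, driver name)] for blocklisted loads
    for line in log.strip().splitlines():
        ts, host, event, detail = parse(line)
        if event == "DriverLoad" and detail in DRIVER_BLOCKLIST:
            loads[host].append((ts, DRIVER_BLOCKLIST[detail]))
            continue
        if event != "ProcessCreate" or not TAMPER_CMD.search(detail):
            continue
        if not any(n in detail.lower() for n in EDR_NAMES):
            continue  # stopping a non-security service is not an EDR-killer signal
        prior = [d for t, d in loads[host] if 0 <= ts - t <= window]
        findings[host] = {
            "severity": "high" if prior else "medium",
            "driver": prior[0] if prior else None,
            "command": detail,
        }
    return findings

if __name__ == "__main__":
    for host, finding in find_edr_killer_activity(SAMPLE_LOG).items():
        print(host, finding)
```

The "medium" tier exists because the article notes driverless killers that rely on taskkill-style commands or outbound traffic blocking; those leave no driver-load event to correlate against.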