
ESET Warns: Ransomware Groups Expanding Use of EDR Killers to Evade Detection Systems

By xploitzone
April 11, 2026 6:59 PM

Ransomware gangs have changed their approach to bypassing security. Previously, only vulnerable drivers were abused; now driverless techniques, legitimate anti-rootkit tools and EDR killer services sold on the dark web let attackers neutralize security software directly before encryption begins. New research from ESET has tracked more than 90 active EDR killers.

The Rise of EDR Killers in Modern Ransomware Attacks

When you want to enter someone's house, the first thing you do is turn off the alarm on the door. Ransomware gangs now apply the same logic in their attacks, but on a professional scale and with so much sophistication that the world's biggest cybersecurity firms are shaken.

ESET Research published a comprehensive report in March 2026 in which they tracked almost 90 active EDR killers and showed that this threat is no longer just a technique; it has become a whole industry.

Why Attackers Target and Disable EDR Systems

Endpoint Detection and Response (EDR) tools are some of the most powerful security technologies available today. They monitor device activity in real time, detect suspicious behavior and can stop file-encrypting malware before it is deployed. This was a major deterrent for ransomware gangs, because encryptors, the malware components that actually encrypt files, are inherently difficult to keep undetected.

ESET researcher Jakub Souček explained this very clearly: ransomware encryptors have a fundamental problem. They are inherently very noisy because they have to modify thousands of files in a short period of time. Ensuring that every new build is undetected is a time-consuming and technically demanding task. So attackers have thought of a smarter approach: keep the encryptor simple and disable the security software before the encryption begins. The tool that disables security is an EDR killer.

BYOVD Attacks: The Most Widely Used EDR Evasion Method

The most common and powerful method so far is Bring Your Own Vulnerable Driver, also known as BYOVD. On Windows, kernel-level access, the deepest part of the operating system, requires a driver. If an attacker can load a legitimate, digitally signed but vulnerable driver onto the system, they can operate at the kernel level and directly terminate security processes.

According to ESET's tracking, 54 EDR killers still use BYOVD, and these exploit 35 different vulnerable drivers. Interestingly, over 1,700 vulnerable drivers are publicly documented in a database maintained by the Living Off The Land Drivers project, but attackers frequently reuse the same few tried-and-tested drivers they trust.

ESET also noted that the same driver can appear in different, unrelated tools, and the same tool can switch between different drivers. This makes attribution very difficult, because you cannot tell which group carried out the attack just by looking at the driver.

The New Era: EDR Bypass Without Drivers

The most alarming part of ESET's report is that attackers are moving away from relying solely on BYOVD. Driverless techniques are growing rapidly: instead of killing the EDR software directly, attackers block its network communication with the security backend, or freeze it so that it technically keeps running but cannot detect anything. This approach is harder for network defenders to counter, because there is no vulnerable driver load to block.

Another strange but effective approach is the abuse of legitimate anti-rootkit tools. Years ago, when kernel-mode driver signing was not enforced in Windows, rootkits were very common. To fight them, security companies created anti-rootkit tools that worked at the kernel level and could terminate protected processes. Today ransomware affiliates are using these same tools, such as GMER, HRSword and PC Hunter, to bypass security. These tools are legitimate and whitelisted by vendors, and blocking them can also disrupt business software. This is a grey zone that attackers are exploiting heavily.

At the most basic level, some low-skill attackers use Windows built-in commands like taskkill, net stop and sc delete, or Windows Safe Mode, which loads only a minimal OS and typically lacks security solutions. This approach is noisy and requires a reboot, which is risky, so it is seen primarily among low-skilled attackers.

Three Types of Actors Behind EDR Killer Tools

ESET divided EDR killer developers into three categories. The first category is closed, professional ransomware groups like Embargo, DeadLock and Warlock that do not rely on an affiliate model and develop their EDR killers internally. Regarding Warlock, ESET shared a specific observation: they have seen strong circumstantial evidence that Warlock is writing and updating its EDR killer code with the help of AI. This is an alarming real-world example of AI abuse in software development.

The second category includes attackers who fork publicly available proof-of-concept code and create a new tool with minor modifications. Change the programming language, add basic obfuscation and you're done. PoC templates available on GitHub have made EDR killer development so accessible that the need for technical skill is greatly reduced.

The third and most concerning category is commercial operators selling EDR killer as a service on the dark web. AbyssKiller, CardSpaceKiller and DemoKiller are all commercial tools sold on dark web forums, purchased and used by affiliates of multiple ransomware gangs. ESET has detected AbyssKiller among affiliates of the Medusa, DragonForce and BlackSuit gangs. CardSpaceKiller has been spotted among groups like Akira, Medusa, Qilin and Crytox.

The Hidden Role of Affiliates in Modern Ransomware Operations

A very important insight from the ESET report is that in the RaaS model, affiliates, not operators, decide which EDR killer to use. This means that different affiliates within a large gang may be using completely different tools, leading to tooling diversity within the same attack style. This makes attribution and pattern recognition difficult for defenders.

RansomHub, which emerged in 2024 and quickly became the dominant RaaS gang, was a notable exception. They developed their own proprietary EDR killer, EDRKillShifter, and offered it to affiliates. ESET researchers later discovered that RansomHub's affiliates were also working for rival gangs like Play, Medusa and BianLian, and EDRKillShifter found its way there as well. It's a fascinating and intriguing connection that only came to light by following the tooling trail.

The Real Challenge in Cyber Defense

This is where the biggest problem for defenders arises. By the time a vulnerable driver is blocked, if that is even possible, the attacker already has high privileges and is very close to deploying an encryptor. If one tool fails, another is ready. Block the driver and the attacker switches. This is why ESET strongly emphasizes that driver blocking alone cannot be a defensive strategy: it is necessary but not sufficient.

Real defense should be multi-layered. It is important to detect the behavior of EDR killers: what they do before execution, which processes they try to terminate, which system calls they make. Monitoring these behavioral signatures is more effective than driver-based blocking alone.
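As an added example (not code from ESET's report or from this article), the following Python detector applies the behavioral approach above to constructed Sysmon-style events: it flags the built-in commands from the earlier section (taskkill, net stop, sc delete, and a Safe Mode reboot prepared with bcdedit) when they target protected EDR processes or services, and flags driver loads whose hash is on a vulnerable-driver blocklist. The process and service names other than Windows Defender's, the driver hash, and the event schema are placeholders and assumptions; a defender would substitute their own vendor's names and a LOLDrivers-derived hash list.

```python
import re

# Constructed watchlist (MsMpEng.exe is Windows Defender's engine; the rest are placeholders).
PROTECTED_PROCESSES = {"msmpeng.exe", "vendor_edr.exe"}
PROTECTED_SERVICES = {"windefend", "vendoredrsvc"}
# Placeholder blocklist; in practice populate from the LOLDrivers project's hash list.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}

def classify_event(event: dict) -> list[str]:
    """Findings for one Sysmon-style event (constructed schema):
    id 1 = process create with 'cmd', id 6 = driver load with 'sha256'."""
    findings = []
    if event.get("id") == 6:
        if event.get("sha256", "").upper() in VULNERABLE_DRIVER_HASHES:
            findings.append("BYOVD: known vulnerable driver loaded")
        return findings
    if event.get("id") != 1:
        return findings
    cmd = event.get("cmd", "").lower()
    # taskkill /IM <name> aimed at a protected EDR process
    m = re.search(r"taskkill\b.*?/im\s+(\S+)", cmd)
    if m and m.group(1) in PROTECTED_PROCESSES:
        findings.append(f"builtin: taskkill against {m.group(1)}")
    # net stop / sc stop|delete|config aimed at a protected service
    m = re.search(r"\b(?:net\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config))\s+(\S+)", cmd)
    if m and m.group(1) in PROTECTED_SERVICES:
        findings.append(f"builtin: service tampering on {m.group(1)}")
    # bcdedit safeboot: prepares a reboot into Safe Mode, where EDR usually does not load
    if re.search(r"bcdedit\b.*safeboot", cmd):
        findings.append("safe mode: bcdedit safeboot configured")
    return findings

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify_event over an event list; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify_event(ev)]

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": "cmd.exe /c taskkill /F /IM MsMpEng.exe"},
    {"id": 1, "cmd": "net stop WinDefend"},
    {"id": 1, "cmd": "sc.exe delete VendorEdrSvc"},
    {"id": 1, "cmd": "bcdedit /set {current} safeboot minimal"},
    {"id": 1, "cmd": "notepad.exe C:\\Users\\Public\\notes.txt"},
    {"id": 6, "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"id": 6, "sha256": "00" * 32},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Running it prints five findings (events 0 to 3 and 5); the benign notepad launch and the unknown driver hash produce none.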

It is also important to understand that an EDR killer comes at the last stage of the attack chain, meaning that if the intrusion had been caught at an earlier stage, the EDR killer stage would never have been reached. Network segmentation, privilege management and early-stage detection all work together.

ESET also noted that encryptors themselves are no longer particularly sophisticated. Many advanced evasion techniques have migrated to EDR killers, especially commercial tools that have mature anti-analysis and anti-detection capabilities. Attackers have effectively divided the responsibility: keep the encryptor simple so that it is easy to rebuild, and keep the EDR killer sophisticated so that it can bypass security.

This shift suggests that the cybercrime ecosystem is maturing, with division of labor, commercialization and outsourcing, practices that are commonplace in the legitimate software industry. The same is now happening with ransomware, and it is a reality that will require defenders to fundamentally update their thinking.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
