EDR Killers Broaden Ransomware Tactics, ESET Warns
Ransomware gangs are rapidly expanding their use of EDR killers, moving beyond vulnerable drivers to a broader mix of scripts, anti‑rootkits, and driverless techniques.
According to ESET’s latest telemetry-backed study, attackers actively use almost 90 distinct EDR killers. These tools have become a predictable, standard stage in modern ransomware operations.
In a typical intrusion, attackers first gain high privileges, launch an EDR killer to blind or cripple endpoint defenses, and then deploy the ransomware encryptor.
The study identifies nearly 90 EDR killers in the wild, including 54 Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD)-based tools abusing 35 vulnerable drivers, alongside script-based and anti-rootkit utilities.
ESET notes that affiliates—not core ransomware operators—typically choose which EDR killer to use. This means larger affiliate pools naturally produce more diverse tooling.
“Affiliates prefer this short, reliable disruption window to constantly re-engineering encryptors to evade detection,” ESET states in their analysis.
This division of labor also means focusing solely on encryptor families hides critical relationships between tooling clusters and actors.
Beyond Vulnerable Drivers
BYOVD remains the dominant technique: attackers install a legitimate but vulnerable kernel driver, then exploit it to terminate protected processes or disable security callbacks.
However, attackers increasingly abuse legitimate anti-rootkit tools like GMER, HRSword, and PC Hunter to kill security processes via their high-privilege drivers and GUIs.

Meanwhile, a small but growing class of driverless EDR killers is emerging, using tools like EDRSilencer and EDR-Freeze to block EDR communications or freeze agents without touching the kernel.
These techniques attract attackers because they’re publicly available, harder to detect with driver-focused security controls, and get adopted by ransomware actors within days of release.
ESET warns that driver-centric analysis often misleads attribution. The same vulnerable driver appears in unrelated tools, while single EDR killers migrate across different drivers over time.
Drivers like BdApiUtil.sys and TfSysMon.sys are reused across distinct codebases (dead-av, TfSysMon-Killer, DLKiller, Susanoo, and EDRKillShifter), despite separate development histories.

Commercialization further obscures attribution. Tools like DemoKiller, AbyssKiller (built on ABYSSWORKER rootkit/HeartCrypt packer), and CardSpaceKiller (often packed with VX Crypt) are sold or rented to gangs including Qilin, Akira, Medusa, and DragonForce.

Packer-as-a-service offerings like VX Crypt and HeartCrypt add obfuscation layers, complicating analysis for defenders.
AI’s Role in EDR Killer Development
ESET flags signs of AI-assisted development in recent EDR killers. While no forensic marker definitively proves AI use, researchers note a Warlock-linked tool that outputs “possible fixes” and cycles through device names—reminiscent of generic AI-generated boilerplate for offensive use.
Though many public proof-of-concepts exist, Blacksnufkin’s BYOVD repository stands out for enabling rapid user-mode iteration.

AI is lowering the barrier for producing user-mode components, even as the set of abused drivers remains limited.
Defending only at the driver layer is insufficient, ESET warns. Blocking known vulnerable drivers is critical but happens late in the kill chain—by then, attackers already have high privileges and can switch tools.
A prevention-first, multi-layered approach is essential. This includes hardening against BYOVD, monitoring anti-rootkit misuse, and telemetry-driven hunting for driverless disruption attempts.
Weaknesses in driver signing enforcement—abuse of Truesight.sys, revoked drivers like EnPortv.sys—further complicate blocking strategies.
In human-operated ransomware intrusions, detections only matter if defenders respond swiftly and decisively at every attack-chain step.