EDR killers explained: Beyond the drivers

· Published 19/03/2026 15:28 · Modified 20/03/2026 08:16

Essential information

Published
19/03/2026 15:28
Modified
20/03/2026 08:16
Tags
2026-03-19 abysskiller abyssworker byovd cardspacekiller cybersecurity dead-av defense evasion demokiller dlkiller edr killers edr-freeze edrkillshifter edrsilencer ghostdriver hexkiller malware ms4killer ransomware sevexkiller smilingkiller susanoo tfsysmon-killer threat intelligence vulnerable drivers
Related entities
15 observables, 14 techniques (mitre), 16 malware

Description

This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools attackers use to disable security solutions before deploying encryptors. The research, based on almost 90 tools tracked in the wild, finds that these tools are a fundamental part of modern operations. The choice of tooling typically falls to affiliates rather than operators, so larger affiliate pools produce greater tooling diversity. The same vulnerable driver can appear in unrelated tools, and a tool can switch between drivers, which makes driver-based attribution unreliable. The landscape ranges from forked proofs of concept to professional implementations and commercial offerings. While the Bring Your Own Vulnerable Driver (BYOVD) technique dominates, custom scripts, anti-rootkits, and driverless approaches are also used. The analysis stresses the need to look beyond drivers to understand the full scope of the EDR killer ecosystem and its implications for .

External references