A new cybersecurity analysis has uncovered that 54 distinct Endpoint Detection and Response (EDR) killer programs are actively exploiting a technique known as Bring Your Own Vulnerable Driver (BYOVD). These malicious tools collectively abuse a pool of 34 different digitally signed but vulnerable drivers to disable security software. EDR killers have become a staple in ransomware attack chains, providing threat actors, particularly affiliates of Ransomware-as-a-Service (RaaS) operations, with a method to neutralize defensive measures before deploying file-encrypting payloads. This pre-emptive disabling is a critical evasion tactic, allowing the subsequent noisy and disruptive ransomware encryption process to proceed undetected.
The operational logic behind using separate EDR killers is one of efficiency and specialization. As noted by ESET researcher Jakub Souček, ransomware encryptors are inherently "noisy" due to the need to rapidly modify numerous files, making them challenging to conceal. By offloading the security-disabling function to a dedicated, external component, ransomware operators can keep their core encryptor simpler, more stable, and easier to rebuild for new campaigns. While some ransomware families, like Reynolds, have integrated EDR-killing capabilities directly into their binary, the modular approach remains prevalent. Analysis from ESET indicates that of nearly 90 EDR killer tools identified, more than half—54—rely on the BYOVD method due to its proven reliability and effectiveness.
The BYOVD technique is powerful because it exploits the high-level system privileges granted to signed kernel-mode drivers. As explained by Bitdefender, the attack's goal is to achieve unrestricted "Ring 0" kernel-mode privileges. Since modern Windows systems block the loading of unsigned drivers, attackers instead bring a legitimate driver from a reputable vendor (like a hardware manufacturer or an old antivirus) that contains a known security flaw. By exploiting this vulnerability, the attacker can execute arbitrary code with the highest system privileges, allowing them to tamper with or terminate EDR processes, disable security mechanisms, and ultimately pave the way for ransomware deployment.
This trend underscores a significant threat landscape shift, where the security of the software supply chain—including third-party drivers—is paramount. The fact that 34 signed drivers have been weaponized highlights a persistent challenge: legitimate software components with vulnerabilities can become powerful attack vectors long after their flaws are known. Defending against BYOVD attacks requires a multi-layered strategy, including robust application allow-listing to block known vulnerable drivers, vigilant patch management for all system software, and the deployment of security solutions capable of detecting and preventing driver-based privilege escalation attempts at the kernel level.
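The allow-listing and detection controls described above can be illustrated on the log side. The following Python script is an added example, not code from the article or from ESET or Bitdefender: it parses constructed "driver loaded" records in the shape of Sysmon Event ID 6 (fields ImageLoaded, Hashes, Signed, Signature, SignatureStatus), flags any driver whose SHA256 is on a blocklist, and separately flags drivers that load without a valid signature. The blocklist hashes and file paths are placeholders, not real indicators; in practice the blocklist would be populated from Microsoft's recommended driver block rules or an internal inventory. The key point the code encodes is that a valid signature does not clear a driver: the hash blocklist is checked regardless of signer, because BYOVD abuses drivers that are legitimately signed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder blocklist (constructed for this example, not real IoCs).
# In production, feed this from Microsoft's vulnerable driver blocklist or an
# internal inventory of known-vulnerable signed drivers.
BLOCKED_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111": "placeholder: vulnerable hardware vendor driver A",
    "2222222222222222222222222222222222222222222222222222222222222222": "placeholder: vulnerable legacy antivirus driver B",
}

# key=value tokens; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class DriverLoad:
    image: str
    sha256: Optional[str]
    signed: bool
    signature: str
    signature_status: str


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one record laid out like Sysmon Event ID 6 (Driver loaded)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    hashes: Dict[str, str] = {}
    # Sysmon packs hashes as "SHA256=...,MD5=..."; split into a dict.
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256"),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def evaluate(ev: DriverLoad) -> List[str]:
    """Return the findings for one driver load (empty list means nothing to report)."""
    findings: List[str] = []
    # Blocklist check first and unconditionally: a valid signature from a
    # reputable vendor is exactly what BYOVD relies on, so it must not exempt
    # the driver from the known-vulnerable check.
    if ev.sha256 in BLOCKED_SHA256:
        findings.append(f"blocklisted driver loaded: {BLOCKED_SHA256[ev.sha256]}")
    if not ev.signed or ev.signature_status.lower() != "valid":
        findings.append("driver without a valid signature loaded")
    return findings


def scan(log_lines) -> Dict[str, List[str]]:
    """Map image path -> findings for every record that produced a finding."""
    results: Dict[str, List[str]] = {}
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_driver_load(line)
        found = evaluate(ev)
        if found:
            results[ev.image] = found
    return results


# Constructed sample records (paths, hashes and signer names are made up).
SAMPLE_LOG = r'''
ImageLoaded="C:\Windows\Temp\vendor_tool.sys" Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111,MD5=00000000000000000000000000000000 Signed=true Signature="Example Hardware Vendor" SignatureStatus=Valid
ImageLoaded="C:\Windows\System32\drivers\clean.sys" Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
ImageLoaded="C:\Users\Public\x.sys" Hashes=SHA256=4444444444444444444444444444444444444444444444444444444444444444 Signed=false Signature="" SignatureStatus=Unavailable
'''

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LOG.splitlines()).items():
        for f in findings:
            print(f"{image}: {f}")
```

Run as-is it reports the signed-but-blocklisted vendor driver and the unsigned driver, and stays silent on the clean Microsoft-signed one. The same evaluation logic applies to a live feed of driver-load events; the only change is the source of the lines and of the blocklist.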