ESET has warned that ransomware operators are rapidly expanding their use of “EDR killers”, specialized tools designed to disable endpoint detection and response (EDR) systems, turning them into a standard phase of modern cyberattacks. According to the company’s latest findings, nearly 90 distinct EDR killer tools are now actively used in real-world attacks, reflecting a significant evolution in how ransomware campaigns are executed.
ESET’s findings show that attackers increasingly follow a consistent pattern: after gaining elevated privileges within a system, they deploy an EDR killer to neutralize security defenses before launching ransomware payloads. This shift highlights a strategic focus on disabling defenses early, rather than relying solely on evasion techniques within ransomware encryptors themselves.
Interestingly, ESET notes that these tools are often selected by ransomware affiliates rather than core operators. This decentralized approach leads to a wider variety of tools and techniques being used across campaigns. Historically, attackers have relied heavily on Bring Your Own Vulnerable Driver (BYOVD) techniques, where legitimate but flawed kernel drivers are exploited to disable security protections. ESET identified 54 such tools abusing 35 vulnerable drivers.
However, attackers are now diversifying their methods. Many are leveraging legitimate anti-rootkit tools like GMER and PC Hunter to terminate security processes using built-in high-privilege capabilities. At the same time, a growing number of driverless EDR killers such as EDRSilencer and EDR-Freeze are emerging, capable of disrupting security tools without interacting with the kernel.
These newer approaches are particularly concerning because they are harder to detect using traditional defenses focused on driver activity and can be adopted quickly after public release. ESET also highlights how EDR killers are increasingly shared, sold, or repackaged across multiple ransomware groups. Tools like AbyssKiller and CardSpaceKiller are reportedly used by various threat actors, including groups such as Qilin, Akira, and Medusa. The use of “packer-as-a-service” offerings like VX Crypt and HeartCrypt adds another layer of complexity, enabling attackers to obfuscate their tools and evade analysis.
Additionally, the reuse of vulnerable drivers across unrelated tools makes attribution more difficult, as the same components may appear in different campaigns with no direct connection. ESET’s findings also point to early indications that artificial intelligence may be lowering the barrier to developing EDR killers. Some tools exhibit behavior patterns, such as automated trial-and-error routines, that resemble AI-generated code structures.
While definitive proof remains limited, ESET suggests that AI could accelerate the creation and adaptation of offensive tooling, even as the underlying techniques remain relatively consistent. ESET warns that relying solely on driver-blocking strategies is no longer sufficient. By the time a malicious driver is detected or blocked, attackers may already have gained significant control over the system.
Organizations should strengthen system defenses to prevent privilege escalation and BYOVD abuse while closely monitoring the misuse of legitimate administrative and anti-rootkit tools. By leveraging telemetry-driven threat hunting, security teams can detect early-stage threats and respond quickly at every phase of an attack, minimizing potential damage and improving overall resilience.
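The telemetry-driven hunting the paragraph above recommends can be expressed as a sequence rule: a security-process termination on a host shortly after a vulnerable-driver load (BYOVD) or the launch of an anti-rootkit tool such as GMER or PC Hunter. The following is an added example, not code from ESET or the report; the event format, the driver name `example-vulnerable.sys`, and the security-process names are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (one JSON event per line), modelled on a generic
# endpoint sensor feed. Not taken from the ESET report.
SAMPLE_TELEMETRY = """
{"ts":"2024-01-10T09:00:00","host":"ws01","type":"driver_load","image":"example-vulnerable.sys"}
{"ts":"2024-01-10T09:03:00","host":"ws01","type":"process_terminate","image":"msmpeng.exe","by":"killer.exe"}
{"ts":"2024-01-10T10:00:00","host":"ws02","type":"process_create","image":"gmer.exe","user":"admin"}
{"ts":"2024-01-10T10:01:30","host":"ws02","type":"process_terminate","image":"sensor.exe","by":"gmer.exe"}
{"ts":"2024-01-10T11:00:00","host":"ws03","type":"process_create","image":"gmer.exe","user":"analyst"}
{"ts":"2024-01-10T14:00:00","host":"ws03","type":"process_terminate","image":"sensor.exe","by":"services.exe"}
"""

VULNERABLE_DRIVERS = {"example-vulnerable.sys"}    # placeholder: use your real driver blocklist
ANTI_ROOTKIT_TOOLS = {"gmer.exe", "pchunter32.exe", "pchunter64.exe"}
SECURITY_PROCESSES = {"msmpeng.exe", "sensor.exe"}  # constructed names for the EDR/AV processes
WINDOW = timedelta(minutes=10)                      # precursor must precede the kill by at most this

def parse_events(text):
    """Parse newline-delimited JSON events and sort by timestamp so ordering is reliable."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])

def classify_precursor(ev):
    """Return the kind of EDR-killer precursor an event represents, or None."""
    image = ev.get("image", "").lower()
    if ev["type"] == "driver_load" and image in VULNERABLE_DRIVERS:
        return "byovd_driver_load"
    if ev["type"] == "process_create" and image in ANTI_ROOTKIT_TOOLS:
        return "anti_rootkit_tool"
    return None

def hunt(events):
    """Flag security-process terminations preceded by a precursor on the same host within WINDOW."""
    recent = {}   # host -> (precursor kind, precursor event); latest precursor wins
    alerts = []
    for ev in events:
        kind = classify_precursor(ev)
        if kind:
            recent[ev["host"]] = (kind, ev)
            continue
        if ev["type"] == "process_terminate" and ev.get("image", "").lower() in SECURITY_PROCESSES:
            pre = recent.get(ev["host"])
            if pre and ev["ts"] - pre[1]["ts"] <= WINDOW:
                alerts.append({"host": ev["host"], "precursor": pre[0], "precursor_image": pre[1]["image"],
                               "killed": ev["image"], "by": ev.get("by"),
                               "seconds": int((ev["ts"] - pre[1]["ts"]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_TELEMETRY)):
        print(alert)
```

On the sample data, ws01 (driver load, then a kill three minutes later) and ws02 (GMER launch, then a kill 90 seconds later) are flagged, while ws03, where an analyst ran GMER hours before a routine service stop, is not.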
ESET’s findings underscore a critical reality of human-operated ransomware campaigns: detection alone is not enough. Effective defense depends on rapid, coordinated response across the entire attack chain. As ransomware tactics continue to evolve, organizations must adapt their security strategies to address increasingly sophisticated methods designed to disable defenses before attacks even begin.