EDR killers are now standard equipment in ransomware attacks
Ransomware attackers routinely deploy tools designed to disable endpoint detection and response software before launching encryptors. These tools, known as EDR killers, have become a standard component of ransomware intrusions. ESET Research tracked nearly 90 EDR killers actively used in the wild.

The workflow is consistent across groups: an attacker gains high privileges, deploys an EDR killer to disrupt security software, then runs the encryptor. Affiliates prefer this approach because it gives them a brief, reliable window to complete encryption without needing to continuously modify payloads to evade detection.
Affiliates pick the tools, operators supply the encryptor
In ransomware-as-a-service operations, operators typically provide the encryptor and supporting infrastructure. EDR killer selection falls to affiliates. The result, according to ESET researcher Jakub Souček, is that larger affiliate pools produce greater diversity in EDR killer tooling.
That division of labor also means defenders face a wider range of tools from a single ransomware brand, depending on which affiliate carried out a given attack.
Bring Your Own Vulnerable Driver dominates, with alternatives gaining ground
The Bring Your Own Vulnerable Driver technique remains the most common method. An attacker drops a legitimate but vulnerable driver onto a victim machine, installs it, then runs malware that exploits the driver’s vulnerability to gain kernel-level access. The technique is reliable, widely documented, and requires relatively little development effort.
A smaller and growing category of EDR killers achieves similar results without touching the kernel. These tools interfere with EDR communication or suspend processes in place, bypassing the need to exploit a driver entirely.
The simplest EDR killers rely on built-in administrative tools and commands, requiring no specialized driver or kernel access at all.
Blocking vulnerable drivers is necessary but not sufficient
Preventing vulnerable drivers from loading is an important defensive step, though several bypass techniques exist. The practical implication is that organizations need controls capable of disrupting EDR killers before they have the opportunity to load a driver in the first place.
AI-assisted development is entering the picture
At least some recently observed EDR killers show signs of AI-assisted code generation, according to ESET’s assessment. No definitive forensic marker reliably distinguishes AI-generated code from human-written code, particularly when attackers obfuscate or post-process their output.
One concrete example comes from a tool deployed by the Warlock ransomware gang. The tool includes a code section that prints a list of possible fixes, a pattern associated with AI-generated boilerplate. It also implements a trial-and-error mechanism that cycles through several unrelated, commonly abused device names until it finds one that works on the target system, rather than exploiting a single specific driver.
Souček noted that vibe coding is making the threat landscape more complicated to track and attribute.
Ransomware intrusions require a different defensive approach
Phishing campaigns and commodity malware stop once security solutions neutralize them. Ransomware intrusions do not follow that pattern. They are interactive, human-driven operations where attackers continuously adapt to detections, tool failures, and environmental conditions.
That distinction matters for how defenders prioritize resources and design detection strategies. EDR killer activity in particular requires proactive monitoring at the privilege escalation and driver installation stages, well before an encryptor is ever deployed.
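One way to do that monitoring, as an added illustration that is not part of ESET's research or tooling: correlate driver-load telemetry with what follows it. The script below assumes Sysmon-style events (EventID 6 for driver loads, EventID 5 for process termination), a placeholder hash standing in for a vulnerable-driver blocklist, and hypothetical EDR agent process names; it flags a driver load when its hash is blocklisted, when it comes from outside the system driver directories, or when an EDR process dies shortly afterwards.

```python
import json
from datetime import datetime, timedelta

# Constructed placeholder, not a real hash; source the real set from Microsoft's vulnerable driver blocklist.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
PROTECTED_PROCESSES = {"edragent.exe", "edrsensor.exe"}  # hypothetical EDR agent process names
WINDOW = timedelta(seconds=120)  # how soon after a driver load an EDR process death is correlated

# Constructed Sysmon-style events as JSON lines (EventID 6 = driver loaded, EventID 5 = process terminated).
SAMPLE_LOG = r"""
{"EventID": 6, "UtcTime": "2024-05-01 10:00:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_LEGITIMATE_DRIVER"}
{"EventID": 6, "UtcTime": "2024-05-01 10:05:00", "ImageLoaded": "C:\\Users\\Public\\drv.sys", "Hashes": "MD5=PLACEHOLDER,SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
{"EventID": 5, "UtcTime": "2024-05-01 10:05:30", "Image": "C:\\Program Files\\EDR\\edragent.exe"}
"""

def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda e: e["UtcTime"])

def sha256_of(hashes_field):
    # Sysmon's Hashes field is "ALG=value,ALG=value"; return the SHA256 entry if present.
    algs = dict(part.split("=", 1) for part in hashes_field.split(",") if "=" in part)
    return algs.get("SHA256")

def byovd_reasons(load, later_events):
    """Signals that a driver-load event looks like a BYOVD stage; an empty list means benign."""
    reasons = []
    if sha256_of(load["Hashes"]) in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash is on the vulnerable-driver blocklist")
    if not load["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    killed = [e["Image"] for e in later_events
              if e["EventID"] == 5 and e["UtcTime"] - load["UtcTime"] <= WINDOW
              and e["Image"].rsplit("\\", 1)[-1].lower() in PROTECTED_PROCESSES]
    if killed:
        reasons.append("EDR process terminated shortly after the load: " + ", ".join(killed))
    return reasons

def scan(text):
    # Return (driver path, reasons) for every driver load that matches the BYOVD pattern.
    events = parse_events(text)
    findings = []
    for i, ev in enumerate(events):
        reasons = byovd_reasons(ev, events[i + 1:]) if ev["EventID"] == 6 else []
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings
```

On the constructed log the legitimate tcpip.sys load produces no finding, while drv.sys trips all three signals; in practice the first two fire at the driver installation stage, before any encryptor runs.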