EDR killers and BYOVD: the tactic that exploits vulnerable drivers to knock out defenses and encrypt data


Recently, a new analysis of the phenomenon known as "EDR killers" has once again put on the table a technique that has long been exploited in ransomware intrusions: many of the programs designed to neutralize security solutions take advantage of legitimate but vulnerable drivers in order to execute with kernel privileges. According to ESET's research, more than fifty such tools use the tactic known as BYOVD (bring your own vulnerable driver), relying on dozens of drivers with known flaws to bypass system protections.

In cybersecurity it has become a recurring practice: before launching the encryption that will leave files inaccessible, malicious actors run a preliminary stage dedicated exclusively to disabling or evading endpoint defenses. This "strike tool" operates separately from the main ransomware and allows the encryptor to stay simple and stable, with no need to build sophisticated evasion capabilities into its own code. The result is a more modular and reusable attack chain, which is very attractive to criminal business models such as ransomware-as-a-service.


The essence of BYOVD is simple and dangerous: instead of loading an unsigned malicious driver, which modern systems block, the attacker installs or reuses a legitimate driver, signed by a vendor, that contains an exploitable vulnerability. Through that flaw it is possible to run code in kernel mode (Ring 0), the most privileged layer of the system, from which security processes can be terminated, kernel callbacks nullified and the mechanisms that should protect the machine manipulated. Bitdefender explains this pattern well in its write-up on BYOVD, detailing how the Microsoft-signed trusted driver model is abused to escalate privileges: the technology behind BYOVD.

The ESET report documents almost 90 EDR-killing tools and notes that a significant portion of them rely on these vulnerable drivers. In some cases the tools are specific to "closed" ransomware groups that do not depend on affiliates; in others they are forks or modifications of public proofs of concept that end up being used in the field. There is also an underground market where such utilities are bought and sold as services, which lowers the entry barrier for attackers with fewer technical skills.

Not all EDR-killer families use signed drivers. ESET detected variants that use scripts and native Windows administrative commands, such as taskkill or net stop, to force security services to stop, as well as legitimate support and analysis utilities that can terminate protected processes. "Driverless" projects have even begun to appear that, instead of exploiting a vulnerable driver, block communication or put security solutions into a "coma" by other techniques. In every case the objective is the same: to leave the machine as unprotected as possible just before the encryptor runs.
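The driverless variants above leave a very visible trace: a process-creation event for taskkill, net or sc whose command line names a security service. The following script is an added example, not part of the article or of ESET's research, showing how a detection rule over such telemetry can be written. The log lines, the field layout (a simplified Sysmon-style "key=value" record) and the watch list of protected names are constructed for illustration; a real deployment would use the process and service names of its own EDR product. Coverage of `sc stop` / `sc config` is an assumed extension beyond the two commands the article names, included because it is the analogous native command.

```python
"""Flag process-creation events that resemble "living off the land" EDR-killer
activity: native Windows commands aimed at security services.
All sample events below are constructed, not real telemetry."""
import shlex

# Illustrative watch list (constructed). Replace with your own product's
# process image names and service names.
PROTECTED_NAMES = {"MsMpEng.exe", "WinDefend", "ExampleEDRAgent"}

# Constructed process-creation records (EventID=1), one per line.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\taskkill.exe|CommandLine=taskkill /F /IM MsMpEng.exe|User=CORP\svc_backup",
    r"EventID=1|Image=C:\Windows\System32\net.exe|CommandLine=net stop WinDefend|User=CORP\svc_backup",
    r"EventID=1|Image=C:\Windows\System32\sc.exe|CommandLine=sc config ExampleEDRAgent start= disabled|User=CORP\admin",
    r"EventID=1|Image=C:\Windows\System32\taskkill.exe|CommandLine=taskkill /IM notepad.exe|User=CORP\alice",
    r"EventID=1|Image=C:\Windows\System32\net.exe|CommandLine=net use Z: \\fileserver\share|User=CORP\alice",
]


def parse_event(line: str) -> dict:
    """Split a 'k=v|k=v' record into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def tokens(cmdline: str) -> list:
    """Tokenize a Windows command line without treating backslashes as escapes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify(cmdline: str):
    """Return (tactic, target) when the command line targets a protected name, else None."""
    t = tokens(cmdline)
    if not t:
        return None
    exe = t[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    low = [x.lower() for x in t]
    protected = {p.lower() for p in PROTECTED_NAMES}

    if exe == "taskkill":
        # taskkill [/F] /IM <image> | /PID <pid>; /F is the forced-kill switch
        for i, tok in enumerate(low):
            if tok in ("/im", "/pid") and i + 1 < len(t) and low[i + 1] in protected:
                tactic = "process_kill_forced" if "/f" in low else "process_kill"
                return (tactic, t[i + 1])
    elif exe in ("net", "net1") and len(t) > 2 and low[1] == "stop" and low[2] in protected:
        return ("service_stop", t[2])
    elif exe == "sc" and len(t) > 2 and low[1] in ("stop", "delete", "config") and low[2] in protected:
        return ("service_" + low[1], t[2])
    return None


def scan(lines) -> list:
    """Run classify() over process-creation records and collect the hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        verdict = classify(ev.get("CommandLine", ""))
        if verdict:
            hits.append({"user": ev.get("User"), "tactic": verdict[0],
                         "target": verdict[1], "cmd": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['tactic']}] {hit['user']} -> {hit['target']}: {hit['cmd']}")
```

Matching on the parsed argument rather than on a substring of the whole command line keeps benign uses (`taskkill /IM notepad.exe`, `net use`) out of the alert queue, and recording whether `/F` was present lets an analyst prioritize forced kills of protected processes.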

From a defense perspective the usual recommendation is obvious but complex to apply: known vulnerable drivers must be prevented from being abused in corporate environments. Microsoft maintains policies and documentation on the driver-signing model and its restrictions on Windows systems, which help explain why loading legitimate but vulnerable drivers is such a powerful option for attackers, and therefore so problematic for administrators: kernel-mode code signing policy.

However, blocking drivers in an organization is not a magic cure: EDR killers appear at the end of the attack chain, at the moment the attacker is about to encrypt data. If one tool is stopped by a particular defense, the attacker can try an alternative tool or method. That is why experts insist that effective protection requires defense in depth: driver load control, continuous monitoring, detection of abnormal behavior, network segmentation and response plans that contain malicious activity at an early stage.


ESET's research also shows a worrying trend: the authors of these tools have prioritized sophistication in the user-mode parts, those that interact with the user's system, to evade analysis and detection, leaving the final encryption simpler. In other words, the effort no longer goes so much into making the ransomware itself go unnoticed as into "leaving the system defenseless" so the encryptor can do its work with fewer obstacles. This separation of functions increases the gangs' operational efficiency and makes it easier to reuse malicious components.

For security teams and those responsible for IT, this means rethinking how protections are measured and prioritized: it is not enough to trust a robust EDR solution if it can be taken out of play by a relatively simple exploit. It is essential to keep driver blocklists and allowlists, apply patches and updates, monitor driver installation and privilege escalation attempts, and maintain detection mechanisms that do not depend exclusively on individual processes. Additional resources on the BYOVD tactic and how to mitigate it are available in technical analyses from industry firms, which help in understanding the behavior and identifying indicators of compromise: ESET's detailed analysis and technical explanations of BYOVD such as the one from Picus.
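The driver blocklist/allowlist and driver-installation monitoring recommended above, and the driver load control called for earlier in the article, can be expressed as a small policy evaluated over driver-load events. The script below is an added example, not code from the article, ESET or Microsoft. It assumes a simplified Sysmon-style driver-load record (EventID 6 with ImageLoaded, Hashes, Signed, Signature and SignatureStatus fields); every driver name, signer and SHA-256 digest in it is a constructed placeholder. In practice the hash blocklist would be fed from a maintained source such as Microsoft's recommended driver block rules or your EDR vendor's list, and the allowlist from the signers your fleet legitimately loads.

```python
"""Audit driver-load events against a block/allow policy.
Events, signer names and digests are constructed placeholders, not real
drivers and not real vulnerable-driver hashes."""
from dataclasses import dataclass


@dataclass
class DriverPolicy:
    blocked_sha256: set          # digests of known-vulnerable driver builds
    blocked_signer_file: set     # (signer, filename) pairs to block regardless of hash
    trusted_signers: set         # allowlist of signers expected on the fleet
    system_driver_dirs: tuple = ("c:\\windows\\system32\\drivers\\",
                                 "c:\\windows\\system32\\driverstore\\")


# Constructed policy: "ab"*32 stands in for a real blocklisted digest.
POLICY = DriverPolicy(
    blocked_sha256={"ab" * 32},
    blocked_signer_file={("example hardware co", "examplelegacy.sys")},
    trusted_signers={"microsoft windows", "example storage vendor", "example hardware co"},
)

# Constructed driver-load records (EventID=6), one per line.
SAMPLE_DRIVER_EVENTS = [
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ExampleStorage.sys|Hashes=SHA256=" + "cd" * 32
    + "|Signed=true|Signature=Example Storage Vendor|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Users\Public\Temp\ExampleVuln.sys|Hashes=SHA256=" + "ab" * 32
    + "|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\Helper.sys|Hashes=SHA256=" + "ef" * 32
    + "|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\Unsigned.sys|Hashes=SHA256=" + "12" * 32
    + "|Signed=false|Signature=-|SignatureStatus=Unavailable",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ExampleLegacy.sys|Hashes=SHA256=" + "34" * 32
    + "|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid",
]


def parse_event(line: str) -> dict:
    """Split a 'k=v|k=v' record into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def parse_hashes(value: str) -> dict:
    """Turn 'SHA256=...,MD5=...' into {'SHA256': ..., 'MD5': ...}."""
    return dict(h.split("=", 1) for h in value.split(",") if "=" in h)


def evaluate_driver(ev: dict, policy: DriverPolicy) -> list:
    """Return the list of policy findings for one driver-load event (empty = allowed)."""
    reasons = []
    path = ev.get("ImageLoaded", "").lower()
    filename = path.rsplit("\\", 1)[-1]
    signer = ev.get("Signature", "").lower()
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "").lower()

    if sha256 in policy.blocked_sha256:
        reasons.append("hash on vulnerable-driver blocklist")
    if (signer, filename) in policy.blocked_signer_file:
        reasons.append("signer/filename pair on blocklist")
    # A driver that is unsigned or carries an invalid signature should never load
    # on a modern system; flag it even if the allowlist check would not apply.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("unsigned or invalid signature")
    elif signer not in policy.trusted_signers:
        reasons.append("signer not on allowlist")
    # Legitimate drivers are installed into the system driver directories;
    # a load from a user-writable or temp location is a strong BYOVD signal.
    if not any(path.startswith(d) for d in policy.system_driver_dirs):
        reasons.append("loaded from outside system driver directories")
    return reasons


def audit(lines, policy: DriverPolicy) -> dict:
    """Map each flagged driver path to its findings."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue
        reasons = evaluate_driver(ev, policy)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_DRIVER_EVENTS, POLICY).items():
        print(path, "->", "; ".join(reasons))
```

Checking the hash, the signer/filename pair, the signature state and the load path independently matters because an EDR killer can swap one of these (a recompiled build with a new hash, a renamed file) while leaving the others intact; a finding on any one of them is enough to block or escalate.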

In short, EDR killers remain an attractive tool for ransomware groups because they are cheap, reliable and can be used independently of the encryptor. The response, for its part, is to combine technical prevention, constant visibility and a response strategy that covers the whole attack cycle. Only in this way can the room for maneuver of those seeking to switch off our defenses be reduced, just before they demand a ransom for the data.
