54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security
https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
Publish Date: 2026-03-19 14:52:00
Source Domain: thehackernews.com
A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 35 vulnerable drivers.
EDR killer programs have become a common presence in ransomware intrusions because they give affiliates a way to neutralize security software before deploying the file-encrypting payload, reducing the chance that the payload itself is detected.
“Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming,” ESET researcher Jakub Souček said in a report shared with The Hacker News.
“More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.”
EDR killers act as a specialized, external component that is run to disable security controls before the locker executes, which keeps the locker simple, stable, and easy to rebuild. That is not to say EDR termination and ransomware modules have never been fused into a single binary; Reynolds ransomware is a case in point.
A majority of the EDR killers rely on legitimate yet vulnerable drivers to gain kernel-level privileges and achieve their goals. Of the nearly 90 EDR killer tools the Slovakian cybersecurity company has detected, more than half use the well-known BYOVD tactic, simply because it is reliable.
“The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0,” Bitdefender explains. “At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they ‘bring’ a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability.”
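The defensive corollary of the mechanism Bitdefender describes is that a BYOVD attack always leaves one observable trace: a signed, third-party kernel driver being loaded, typically from wherever the attacker staged it. The script below is an added example (not code from the article, ESET, or Bitdefender) that triages Sysmon "Driver loaded" (Event ID 6) records for that pattern. The flattened field=value record format, the sample events, the signer names (Contoso, Fabrikam) and the blocklist hashes are all constructed placeholders; in practice the blocklist set would be populated from a real source such as Microsoft's recommended driver block rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for a real vulnerable-driver blocklist (e.g. the hashes in
# Microsoft's recommended driver block rules). These values are placeholders only.
BLOCKLIST_SHA256 = {
    "0" * 64: "placeholder vulnerable driver A",
    "1" * 64: "placeholder vulnerable driver B",
}

# Drivers normally live under %SystemRoot%\System32\drivers. A kernel image loaded
# from a user-writable location is the classic BYOVD staging pattern.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|Downloads)\\", re.IGNORECASE)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str  # publisher name from the Authenticode signature


def parse_event(line: str) -> DriverLoad:
    """Parse one flattened Sysmon Event ID 6 record ('field=value' pairs joined by '|').

    The flattened shape is a constructed convenience for this example; real Sysmon
    events arrive as XML or JSON with the same field names.
    """
    fields = dict(part.split("=", 1) for part in line.split("|"))
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def triage(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks like BYOVD; an empty list means no finding."""
    reasons: list[str] = []
    if ev.sha256 in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist: " + BLOCKLIST_SHA256[ev.sha256])
    if not ev.signed:
        # Should not happen with Driver Signature Enforcement on; if it does, alert on it.
        reasons.append("unsigned kernel driver")
    third_party = ev.signed and not ev.signature.startswith("Microsoft")
    if third_party and USER_WRITABLE.search(ev.image):
        reasons.append(f"third-party signed driver ({ev.signature}) loaded from user-writable path")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver image path to the list of reasons it was flagged."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = triage(ev)
        if reasons:
            hits[ev.image] = reasons
    return hits


# Constructed sample telemetry (not real events). Hashes are filler bytes.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Hashes=SHA256="
    + "a" * 64 + "|Signed=true|Signature=Microsoft Windows",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\contoso_gpu.sys|Hashes=SHA256="
    + "b" * 64 + "|Signed=true|Signature=Contoso Hardware Ltd",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\Downloads\\update.sys|Hashes=SHA256="
    + "0" * 64 + "|Signed=true|Signature=Contoso Hardware Ltd",
    "EventID=6|ImageLoaded=C:\\ProgramData\\tmp\\helper.sys|Hashes=SHA256="
    + "c" * 64 + "|Signed=true|Signature=Fabrikam Drivers Inc",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Note that a third-party signature on its own is deliberately not a finding: hardware vendors ship signed drivers into System32\drivers all the time (the contoso_gpu.sys sample above produces nothing). The signal is the combination of a non-Microsoft signer with a staging path, or a hash match, and in a real deployment the hash lookup is the cheap, high-confidence check while the path heuristic catches drivers that have not yet made it onto a blocklist.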
Armed with…