{"id":324,"date":"2026-03-19T19:17:02","date_gmt":"2026-03-19T19:17:02","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=324"},"modified":"2026-03-19T19:17:02","modified_gmt":"2026-03-19T19:17:02","slug":"54-edr-killers-use-byovd-to-exploit-34-signed-vulnerable-drivers-and-disable-security","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=324","title":{"rendered":"54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security"},"content":{"rendered":"
\n
<\/a><\/div>\n

A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers.<\/p>\n

EDR killer programs have been a common presence in ransomware intrusions as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware. This is done so in an attempt to evade detection.<\/p>\n

\u00abRansomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming,\u00bb ESET researcher Jakub Sou\u010dek said<\/a> in a report shared with The Hacker News.<\/p>\n

\u00abMore importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.\u00bb<\/p>\n

EDR killers act as a specialized, external component that’s run to disable security controls before executing the lockers themselves, thereby keeping the latter simple, stable, and easy to rebuild. That’s not to say there have not been instances where EDR termination and ransomware modules have been fused into one single binary. Reynolds ransomware is a case in point.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

A majority of the EDR killers rely on legitimate yet vulnerable drivers to gain elevated privileges and achieve their goals. Among the nearly 90 EDR killer tools detected by the Slovakian cybersecurity company, more than half of them utilize the well-known BYOVD tactic simply because it’s reliable.<\/p>\n

<\/p>\n

\u00abThe goal of a BYOVD attack<\/a> is to gain kernel-mode privileges, often called Ring 0,\u00bb Bitdefender explains<\/a>. \u00abAt this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they ‘bring’ a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability.\u00bb<\/p>\n

Armed with the kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and undermine endpoint protections. The result is an abuse of Microsoft’s driver trust model to evade defenses, taking advantage of the fact that the vulnerable driver is legitimate and signed.<\/p>\n

The BYOVD-based EDR killers are primarily developed by three types of threat actors –<\/p>\n