DeadLock: Ransomware Groups Increasingly Turn to EDR Killers Outside Vulnerable Driver Tactics

Ransomware Operators Widen Use of EDR Killers to Evade Detection

Threat actors are increasingly deploying Endpoint Detection and Response (EDR) killers, tools designed to disable security protections before executing ransomware attacks. A recent analysis by ESET Research, led by Senior Malware Researcher Jakub Souček, reveals that these evasion techniques have become a standard phase in modern ransomware intrusions.

Since ransomware encryptors generate significant noise by rapidly modifying files, attackers prioritize disabling security software rather than developing stealthy malware. This approach allows them to maintain simple, stable, and effective payloads.

The Expanding EDR Killer Landscape

ESET currently tracks nearly 90 EDR killers in active use, with the most common method being the Bring Your Own Vulnerable Driver (BYOVD) technique. In this attack, threat actors drop a legitimate but vulnerable driver onto a compromised system, exploit it to gain elevated privileges, and terminate protected security processes.

However, the threat landscape is evolving beyond BYOVD. Attackers now employ:

  • Script-based tools (e.g., using taskkill or Windows Safe Mode)
  • Legitimate anti-rootkit software (e.g., GMER, PC Hunter), which provides kernel-level access with minimal technical effort
  • Driverless EDR killers (e.g., EDRSilencer, EDR-Freeze), which block network communications or freeze EDR processes without kernel interaction, complicating detection

Three Distribution Models for EDR Killers

The cybercrime ecosystem has structured the creation and distribution of these tools into three categories:

  1. Closed ransomware groups (e.g., Embargo, DeadLock, Warlock) develop proprietary tools. Warlock, for instance, has abused nine different drivers and deploys multiple killers per attack.
  2. Publicly available proof-of-concept code (e.g., BlackSnufkin’s BYOVD repository) is frequently modified to bypass basic security signatures.
  3. Commercial "EDR killer as a service" tools (e.g., DemoKiller, AbyssKiller, CardSpaceKiller) are sold to affiliates of major ransomware operations like Qilin, Medusa, and Akira.

Flaws in Threat Attribution

ESET warns that driver-based attribution is unreliable: the same vulnerable driver may appear across unrelated ransomware strains because affiliates, not core operators, select and deploy these tools. This complicates efforts to track and group threat actors accurately.

The rise of EDR killers underscores the need for multi-layered defenses, including strict application controls to block vulnerable drivers and unauthorized utilities, as well as monitoring for unusual administrative commands and anomalous network behavior.
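As an added illustration of the monitoring recommended above (example code, not from the article or from ESET), the following scans constructed process-creation records for the techniques the article lists: taskkill against security processes, Safe Mode reconfiguration, a kernel driver service registered from an unusual path, and known anti-rootkit or driverless killer tools. The log layout, the protected process names and the tool file names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation records (not real telemetry). The
# "time|host|user|image_path|command_line" layout is an assumption for this
# example, not any vendor's log schema.
SAMPLE_LOGS = [
    "2026-04-01T10:00:01|WS01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "2026-04-01T10:02:10|WS01|SYSTEM|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM SecurityAgent.exe",
    "2026-04-01T10:02:15|WS01|SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot minimal",
    "2026-04-01T10:03:00|WS01|SYSTEM|C:\\Windows\\System32\\sc.exe|sc create kdrv type= kernel binPath= C:\\Temp\\kdrv.sys",
    "2026-04-01T10:04:00|WS01|bob|C:\\Tools\\gmer.exe|gmer.exe",
]

# Hypothetical process names of the deployed security product (defender-supplied).
PROTECTED_PROCESSES = {"securityagent.exe", "sensorsvc.exe"}
# Tools named in the ESET analysis; the exact file names are assumptions.
KNOWN_TOOL_IMAGES = {"gmer.exe", "pchunter.exe", "edrsilencer.exe", "edr-freeze.exe"}
# Drivers installed by legitimate software normally live here.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass
class Finding:
    time: str
    host: str
    rule: str
    command_line: str

def check_record(line: str) -> Optional[Finding]:
    """Return a Finding if the record matches one of the EDR-killer detection rules."""
    time, host, _user, image, cmd = line.split("|", 4)
    base = image.rsplit("\\", 1)[-1].lower()
    lc = cmd.lower()
    if base in KNOWN_TOOL_IMAGES:
        return Finding(time, host, "known anti-rootkit or driverless EDR killer executed", cmd)
    if base == "taskkill.exe":
        # Only a taskkill aimed at one of our own security processes is interesting.
        m = re.search(r"/im\s+(\S+)", lc)
        if m and m.group(1) in PROTECTED_PROCESSES:
            return Finding(time, host, "attempt to kill protected security process", cmd)
    if base == "bcdedit.exe" and "safeboot" in lc:
        return Finding(time, host, "Safe Mode boot configuration change", cmd)
    if base == "sc.exe" and "type= kernel" in lc:
        # A kernel driver service whose binary sits outside the drivers directory (BYOVD pattern).
        m = re.search(r"binpath=\s*(\S+)", lc)
        if m and not m.group(1).startswith(DRIVER_DIR):
            return Finding(time, host, "kernel driver service created from non-standard path", cmd)
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (check_record(l) for l in lines) if f]
```

Run against the constructed records, `scan(SAMPLE_LOGS)` flags four of the five lines and leaves the ordinary notepad launch alone.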

Source: https://cyberpress.org/ransomware-groups-increasingly-turn-to-edr-killers/

Exelasis cybersecurity rating report: https://www.rankiteo.com/company/exelasis-ltd

"id": "EXE1775895854",
"linkid": "exelasis-ltd",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['BYOVD (Bring Your Own Vulnerable Driver)',
                   'Script-based tools',
                   'Legitimate anti-rootkit software',
                   'Driverless EDR killers'],
 'data_breach': {'data_encryption': True},
 'description': 'Threat actors are increasingly deploying Endpoint Detection '
                'and Response (EDR) killers tools designed to disable security '
                'protections before executing ransomware attacks. A recent '
                'analysis by ESET Research reveals that these evasion '
                'techniques have become a standard phase in modern ransomware '
                'intrusions. Attackers prioritize disabling security software '
                'to maintain simple, stable, and effective ransomware '
                'payloads.',
 'lessons_learned': 'The rise of EDR killers underscores the need for '
                    'multi-layered defenses, including strict application '
                    'controls to block vulnerable drivers and unauthorized '
                    'utilities.',
 'motivation': ['Financial gain', 'Data encryption', 'Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Multi-layered defenses',
                                                   'Strict application '
                                                   'controls',
                                                   'Enhanced monitoring'],
                            'root_causes': ['Use of vulnerable drivers',
                                            'Exploitation of kernel-level '
                                            'access',
                                            'Deployment of EDR killers']},
 'ransomware': {'data_encryption': True,
                'ransomware_strain': ['Embargo',
                                      'DeadLock',
                                      'Warlock',
                                      'Qilin',
                                      'Medusa',
                                      'Akira']},
 'recommendations': ['Implement strict application controls to block '
                     'vulnerable drivers',
                     'Monitor for unusual administrative commands',
                     'Monitor for anomalous network behavior'],
 'references': [{'source': 'ESET Research'}],
 'response': {'enhanced_monitoring': ['Monitoring for unusual administrative '
                                      'commands',
                                      'Anomalous network behavior']},
 'threat_actor': ['Embargo', 'DeadLock', 'Warlock', 'Qilin', 'Medusa', 'Akira'],
 'title': 'Ransomware Operators Widen Use of EDR Killers to Evade Detection',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Vulnerable drivers',
                             'Windows Safe Mode',
                             'Kernel-level access']}