RansomHouse, DragonForce and MedusaLocker: Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers

Ransomware Attackers Evolve Tactics to Disable Endpoint Security

Ransomware operators have expanded their methods to bypass endpoint security, moving beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) technique. While BYOVD remains in use, with 54 tools exploiting 35 vulnerable drivers, attackers now also employ script-based tools, misuse legitimate anti-rootkit software, and deploy fully driverless techniques to neutralize security defenses before encryption.

This shift prioritizes reliability, allowing ransomware affiliates to disable Endpoint Detection and Response (EDR) systems quickly rather than evading detection. Research from ESET, based on telemetry and incident investigations, identified nearly 90 active EDR killers used by major ransomware groups, including Akira, Medusa, Qilin, RansomHouse, and DragonForce. Many of these tools are commercially traded in underground marketplaces, reflecting a mature, profit-driven ecosystem.

Among the most prevalent tools is AbyssKiller, which combines the ABYSSWORKER rootkit with a HeartCrypt-packed loader, and CardSpaceKiller, frequently used by Akira, Medusa, and MedusaLocker. These tools leverage obfuscation techniques such as VX Crypt and VMProtect to evade detection, while others like SmilingKiller use control-flow flattening to complicate analysis. Some groups, like Warlock, deploy multiple EDR killers in succession, with recent samples showing signs of AI-assisted code generation.

Attackers often separate the EDR killer from its driver, manually installing the driver first to ensure functionality before executing the payload. This division of labor makes defense evasion more accessible, even to less skilled threat actors. The focus on disabling security tools rather than making encryptors stealthy has become the primary method for ensuring successful ransomware execution.

The impact is severe: victims face attacks where security measures are rendered ineffective before encryption begins. While driver blocking remains a necessary defense, organizations must also monitor for suspicious driver installations, enforce least-privilege access, and maintain strong endpoint telemetry to mitigate these evolving threats.
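The "monitor for suspicious driver installations" advice above can be turned into a concrete check. The following is an added example, not code from the article or from ESET: it parses a constructed, pipe-delimited rendering of Windows System log Event ID 7045 ("A service was installed in the system") and flags kernel-mode driver installs that originate outside the standard driver directories, which is exactly the step in which an operator stages the driver before running the EDR killer. The log format, directory allowlist and blocklist name are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on Event ID 7045; not real telemetry.
SAMPLE_EVENTS = [
    "7045|Service Name: WdFilter|Service File Name: C:\\Windows\\System32\\drivers\\WdFilter.sys|Service Type: kernel mode driver|Service Start Type: auto start",
    "7045|Service Name: abyss|Service File Name: C:\\Users\\Public\\drv\\abyss.sys|Service Type: kernel mode driver|Service Start Type: demand start",
    "7045|Service Name: Updater|Service File Name: C:\\ProgramData\\upd\\svc.exe|Service Type: user mode service|Service Start Type: auto start",
    "7045|Service Name: killer|Service File Name: C:\\Windows\\Temp\\k.sys|Service Type: kernel mode driver|Service Start Type: demand start",
]

# Directories from which a legitimately installed kernel driver normally loads (assumed allowlist).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")

# Hypothetical blocklist of driver file names; populate from your vulnerable-driver list.
BLOCKED_DRIVER_NAMES = {"placeholder-vulnerable-driver.sys"}

FIELD_RE = re.compile(
    r"Service Name: (?P<name>[^|]+)\|Service File Name: (?P<path>[^|]+)"
    r"\|Service Type: (?P<type>[^|]+)\|Service Start Type: (?P<start>[^|]+)"
)

def parse_event(line):
    """Return the 7045 fields as a dict, or None for other event IDs / malformed lines."""
    event_id, _, rest = line.partition("|")
    m = FIELD_RE.search(rest)
    if event_id != "7045" or not m:
        return None
    return m.groupdict()

def assess_driver_install(event):
    """Return the reasons a service install looks suspicious (empty list = benign)."""
    reasons = []
    if "kernel" not in event["type"].lower():
        return reasons  # user-mode services cannot blind kernel EDR callbacks
    path = PureWindowsPath(event["path"].strip())
    parent = str(path.parent).lower()
    if not parent.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"kernel driver loaded from non-standard path {path}")
    if path.name.lower() in BLOCKED_DRIVER_NAMES:
        reasons.append(f"driver {path.name} is on the vulnerable-driver blocklist")
    return reasons

def suspicious_driver_installs(lines):
    """Scan log lines and return (service name, reasons) for every flagged driver install."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev and (reasons := assess_driver_install(ev)):
            findings.append((ev["name"].strip(), reasons))
    return findings
```

In practice the same logic runs over Sysmon Event ID 6 (driver loaded) as well, where the signature status of the driver gives a second signal to combine with the path check.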

Source: https://cybersecuritynews.com/ransomware-actors-expand-edr-killer-tactics/

{
  "id": "PLUUNIDRA1774009537",
  "linkid": "plume-security-inc, unit42, drakontas-llc",
  "type": "Ransomware",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "attack_vector": "Endpoint security bypass (EDR killers, vulnerable drivers, script-based tools, anti-rootkit software)",
  "data_breach": {"data_encryption": "Yes (ransomware encryption)"},
  "description": "Ransomware operators have expanded their methods to bypass endpoint security, moving beyond the traditional *Bring Your Own Vulnerable Driver* (BYOVD) technique. Attackers now employ script-based tools, misuse legitimate anti-rootkit software, and deploy fully driverless techniques to neutralize security defenses before encryption. This shift prioritizes reliability, allowing ransomware affiliates to disable *Endpoint Detection and Response* (EDR) systems quickly rather than evading detection. Major ransomware groups, including Akira, Medusa, Qilin, RansomHouse, and DragonForce, use nearly 90 active EDR killers, many of which are commercially traded in underground marketplaces.",
  "impact": {
    "operational_impact": "Security measures disabled before encryption, increased attack success rate",
    "systems_affected": "Endpoint Detection and Response (EDR) systems, victim endpoints"
  },
  "lessons_learned": "Ransomware attackers are increasingly focusing on disabling security tools (e.g., EDR) rather than evading detection. The use of EDR killers, vulnerable drivers, and obfuscation techniques has become prevalent, with tools commercially traded in underground marketplaces. Defense strategies must evolve to monitor suspicious driver installations, enforce least-privilege access, and maintain strong endpoint telemetry.",
  "motivation": "Financial gain (ransomware execution, data encryption)",
  "post_incident_analysis": {
    "corrective_actions": ["Driver blocking", "Least-privilege access enforcement", "Enhanced endpoint telemetry"],
    "root_causes": "Use of EDR killers, vulnerable drivers, and obfuscation techniques to disable security tools before encryption"
  },
  "ransomware": {
    "data_encryption": "Yes",
    "ransomware_strain": ["Akira", "Medusa", "Qilin", "RansomHouse", "DragonForce", "MedusaLocker"]
  },
  "recommendations": [
    "Monitor for suspicious driver installations",
    "Enforce least-privilege access",
    "Maintain strong endpoint telemetry",
    "Block vulnerable drivers",
    "Implement AI-assisted threat detection"
  ],
  "references": [{"source": "ESET Research"}],
  "response": {"enhanced_monitoring": "Strong endpoint telemetry"},
  "threat_actor": ["Akira", "Medusa", "Qilin", "RansomHouse", "DragonForce", "MedusaLocker", "Warlock"],
  "title": "Ransomware Attackers Evolve Tactics to Disable Endpoint Security",
  "type": "Ransomware",
  "vulnerability_exploited": "Vulnerable drivers (BYOVD), misused legitimate software, obfuscation techniques (VX Crypt, VMProtect, control-flow flattening)"
}