Ransomware Groups Escalate Use of "EDR Killers" to Blind Corporate Defenses, ESET Warns


A deep-dive investigation by ESET Research reveals that prominent threat actors, including RansomHub, are expanding their toolkit of specialized malware designed to disable Endpoint Detection and Response (EDR) agents.

BRATISLAVA, Slovakia — Security researchers at ESET have issued a comprehensive warning regarding the professionalization of "EDR Killers" — malicious tools specifically engineered to terminate or neuter security software. According to a series of technical reports released this week, ransomware gangs are no longer relying solely on "Bring Your Own Vulnerable Driver" (BYOVD) attacks, instead diversifying their methods to ensure administrative-level silence during the final stages of an intrusion.

The research highlights a significant uptick in the use of these tools by RansomHub, one of the most prolific ransomware-as-a-service (RaaS) operations of 2026, which has been observed utilizing customized "killers" to facilitate unhindered data exfiltration and encryption.

Ecosystem Impact
  • Security Vendors: EDR providers are under pressure to move security logic into the hardware/firmware level to prevent software-based deactivation.
  • IT Operations: Admins must re-evaluate the use of local admin accounts, as these are the primary keys used to unlock and kill EDR services.
  • Threat Hunting: Hunting teams must now look for "the absence of noise"—identifying hosts that have suddenly gone quiet as a sign of compromise.
  • RaaS Economy: The success of RansomHub highlights how specialized "bypass modules" are becoming the most valuable assets in the ransomware ecosystem.

Beyond the Vulnerable Driver: New Tactics

While BYOVD remains a staple tactic — where attackers install a legitimate but flawed third-party driver to gain kernel-level access — ESET warns that the ecosystem is evolving. This shift toward kernel-level termination follows a broader industry trend where attackers leverage compromised SaaS supply chains to gain the initial administrative foothold required to deploy these silencing tools.

The latest "EDR Killer" variants are leveraging:

  • Administrative Credential Abuse: Attackers are increasingly using stolen high-privileged credentials to simply uninstall security agents or modify registry keys to disable "tamper protection."
  • Service Manipulation: Malware is being used to forcibly stop security-related services by manipulating system permissions, often before the EDR can trigger an alert.
  • Kernel-Level Termination: Sophisticated tools are targeting the core communication channels between the EDR agent and the OS kernel, effectively "blinding" the sensor without completely killing the process.

The RansomHub Connection and Rival Synergies

ESET’s investigation into RansomHub uncovered startling ties between rival ransomware syndicates. The research suggests that the code used in several EDR Killers is being shared, sold, or leaked across the underground economy.

"We are seeing a convergence in the techniques used to bypass endpoint security," ESET researchers noted. "Ransomware groups are moving away from generic scripts toward bespoke, highly efficient binaries that can detect the specific EDR brand installed on a machine and apply the corresponding 'kill' method."

This "brand-aware" malware allows threat actors to move through the network with high confidence, knowing exactly how to dismantle the specific defensive hurdles in their path.

Remediation and Defense-in-Depth

The primary challenge of EDR Killers is that they often operate with the same privileges as the security software itself. ESET advises that relying on a single endpoint agent is no longer sufficient.

Recommended defenses include:

  • Enforcing Strict Tamper Protection: Ensuring that EDR agents cannot be uninstalled or disabled even by a local administrator without a cloud-managed secondary password.
  • MFA for Administrative Actions: Implementing Multi-Factor Authentication for any system-level changes, including service stops and driver installations.
  • Network-Level Behavioral Analysis: Utilizing network detection (NDR) tools that don't rely on endpoint agents to spot unusual data movement.

The CyberSignal Analysis

Signal 01 — The "Guardian" is the Target

This trend marks a fundamental shift in the cyber-arms race. For years, the EDR was the "unseen observer" that caught hackers in the act. Now, the observer has become the primary target. For CISOs, this means that the "Security Health" dashboard is now a potential point of failure. If your EDR agent stops reporting, it shouldn't be treated as a technical glitch; it must be treated as a High-Severity Incident until proven otherwise.
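The "absence of noise" hunt described under Ecosystem Impact and in Signal 01 can be automated against sensor check-in telemetry. The script below is an added example, not ESET's code; the log format, hostnames and event names are constructed, and any real EDR console would expose its own heartbeat and tamper events.

```python
# Added example (not ESET's code): flag EDR sensors that have gone quiet.
# Log format is constructed: "<ISO timestamp> <host> <event>", where event is
# heartbeat | tamper_attempt | service_stop | agent_uninstall.
from datetime import datetime, timedelta

# Constructed sample telemetry; hostnames are hypothetical.
SAMPLE_LOG = """\
2026-03-10T08:00:00 WS-101 heartbeat
2026-03-10T08:00:00 WS-103 heartbeat
2026-03-10T08:00:00 SRV-DB1 heartbeat
2026-03-10T08:05:00 WS-101 heartbeat
2026-03-10T08:05:00 SRV-DB1 heartbeat
2026-03-10T08:07:30 SRV-DB1 tamper_attempt
2026-03-10T08:10:00 WS-101 heartbeat
2026-03-10T08:15:00 WS-101 heartbeat
"""

# If one of these was the last thing a host reported before falling silent,
# treat it as a likely EDR kill rather than a reboot or network outage.
KILL_INDICATORS = {"tamper_attempt", "service_stop", "agent_uninstall"}

def parse_log(text):
    """Return {host: [(timestamp, event), ...]} in time order."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ts, host, event = line.split()
            events.setdefault(host, []).append((datetime.fromisoformat(ts), event))
    for hist in events.values():
        hist.sort()
    return events

def find_silent_hosts(text, now_iso, max_gap_minutes=6):
    """Map each host with no heartbeat within max_gap of `now` to a severity."""
    now, max_gap = datetime.fromisoformat(now_iso), timedelta(minutes=max_gap_minutes)
    findings = {}
    for host, hist in parse_log(text).items():
        beats = [t for t, e in hist if e == "heartbeat"]
        if beats and now - max(beats) <= max_gap:
            continue  # still reporting
        last_event = hist[-1][1]
        # Silence preceded by a tamper/stop event escalates to high severity;
        # plain silence is still a ticket, since an outage looks identical.
        findings[host] = "high" if last_event in KILL_INDICATORS else "medium"
    return findings

if __name__ == "__main__":
    for host, sev in sorted(find_silent_hosts(SAMPLE_LOG, "2026-03-10T08:16:00").items()):
        print(f"{host}: no heartbeat, severity={sev}")
```

Run against the sample, SRV-DB1 (tamper event, then silence) is raised as high and WS-103 (silence only) as medium, while WS-101 keeps reporting and is not flagged.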

Signal 02 — The Commodity of Bypasses

The fact that RansomHub and its rivals are using similar EDR Killers suggests a highly efficient supply chain for "offensive-defense" tools. This "democratization" of kernel-level bypasses means that even mid-tier attackers can now execute attacks that were previously the domain of nation-state actors. Organizations must pivot toward Zero Trust Architecture, where no single system (even a security agent) is implicitly trusted to be operational.

Sources

  • Primary Deep Dive: ESET Research, "Deep Dive into EDR Killers"
  • Threat Intel: Cybersecurity News, "Ransomware Gangs Expand Tactics"
  • Technical Analysis: GBHackers, "Understanding the EDR Killer Malware"
  • RansomHub Focus: ESET, "RansomHub Ties Among Rival Gangs"
