54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

A new analysis identified 54 EDR killer tools that abuse 34 signed vulnerable drivers via the bring-your-own-vulnerable-driver (BYOVD) technique to gain kernel privileges and disable endpoint protections before encryption. The tools are developed by closed ransomware groups, proof-of-concept forkers, and marketplace sellers; examples include DemoKiller, EDRSilencer, and the Reynolds ransomware.

Key points

  • 54 EDR killer tools leverage BYOVD by abusing 34 vulnerable drivers to achieve kernel-mode access.
  • EDR killers are used to terminate security controls just before deploying encryptors, enabling easier evasion.
  • Three developer types produce these tools: closed gangs (e.g., DeadLock, Warlock), POC forkers (e.g., SmilingKiller, TfSysMon-Killer), and marketplace sellers (e.g., DemoKiller/Бафомет, ABYSSWORKER, CardSpaceKiller).
  • Variants include script-based killers, anti-rootkit utilities (GMER, HRSword, PC Hunter), and driverless tools like EDRSilencer and EDR-Freeze.
  • Defenses should block commonly abused drivers and implement layered detection to monitor, contain, and remediate threats across the attack lifecycle.

Read More: https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html