Ethical Hacking News
Threat actors have been exploiting vulnerabilities in legitimately signed drivers to bypass security controls, a technique known as Bring Your Own Vulnerable Driver (BYOVD). The technique is not new, but its adoption by ransomware crews and by the authors of EDR killer tools has significant implications for organizations trying to keep their endpoint protection running. To combat this threat, layered defenses and detection strategies are essential, and organizations need to stay vigilant as the tooling evolves.
Key points from the report:
ESET's analysis identifies 54 EDR killers that exploit 34 signed vulnerable drivers using the Bring Your Own Vulnerable Driver (BYOVD) technique.
The attacker ships a legitimate, validly signed driver with a known vulnerability onto the target and exploits it to gain kernel-mode privileges; the driver itself is not modified, since tampering would break its signature.
EDR killer programs are increasingly common in ransomware intrusions, where they neutralize security software before the encryptor runs.
Keeping each new encryptor build undetected is costly for ransomware operators, which makes disabling the EDR with BYOVD a more reliable tactic.
More than half of the nearly 90 EDR killer tools ESET has detected rely on legitimate yet vulnerable drivers.
BYOVD attacks aim to gain kernel-mode (Ring 0) privileges, giving the attacker unrestricted access to system memory and hardware.
Three types of threat actors develop BYOVD-based EDR killers: closed ransomware groups, attackers forking proof-of-concept code, and cybercriminals selling such tools on underground marketplaces.
EDR killers often incorporate defense-evasion techniques, including anti-analysis and anti-detection capabilities, to bypass security software.
Organizations need layered defenses and detection strategies to proactively monitor, flag, contain, and remediate threats.
Threat Detection / Endpoint Security
A recent analysis by ESET has shed light on an increasingly popular method threat actors use to bypass security measures and execute malicious payloads. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), leverages legitimately signed but vulnerable drivers to gain kernel-level privileges.
According to the report shared with The Hacker News, 54 endpoint detection and response (EDR) killers have been found to exploit a total of 34 signed vulnerable drivers. The idea behind BYOVD is to bring a legitimate, validly signed driver that is known to be vulnerable onto the target and exploit it to gain kernel-mode privileges; the driver is not modified, because tampering would invalidate its signature and stop it from loading.
EDR killer programs have become an increasingly common presence in ransomware intrusions because they give affiliates a way to neutralize security software before deploying file-encrypting malware. The goal is to blind the defender: once the EDR agent is disabled, the noisy encryptor can run without being detected or blocked.
"Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming," said ESET researcher Jakub Souček. "More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging."
The report highlights that more than half of the nearly 90 EDR killer tools detected by the Slovak cybersecurity company ESET rely on legitimate yet vulnerable drivers. The BYOVD tactic is considered reliable because it yields kernel-level access from which security controls can be bypassed and security tools disabled.
"The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0," Bitdefender explains. "At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they 'bring' a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability."
The BYOVD-based EDR killers are primarily developed by three types of threat actors:
Closed ransomware groups like DeadLock and Warlock that do not rely on affiliates
Attackers forking and tweaking existing proof-of-concept code (e.g., SmilingKiller and TfSysMon-Killer)
Cybercriminals marketing such tools on underground marketplaces as a service (e.g., DemoKiller aka Бафомет, ABYSSWORKER, and CardSpaceKiller)
EDR killer programs often incorporate defense-evasion techniques, such as anti-analysis and anti-detection capabilities, to stay under the radar of the very security software they target.
The implication of this finding is that organizations need layered defenses and detection strategies in place to proactively monitor, flag, contain, and remediate the threat at each stage of the attack lifecycle. The ESET report underscores the importance of staying vigilant against emerging threats and adapting security measures accordingly.
"To combat ransomware and EDR killers, blocking commonly misused drivers from loading is a necessary defense mechanism," said ESET. "However, given that EDR killers are executed only at the last stage and just before launching the encryptor, a failure at this stage means the threat actor can easily switch to another tool to accomplish the same task."
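To make the "block and detect" advice concrete, here is an added example that is not part of the ESET report or of The Hacker News coverage: a small Python checker that reads Sysmon Event ID 6 (Driver loaded) records and flags loads whose SHA256 is on a blocklist of drivers known to be abused, whose signature is not valid, or which were loaded from outside the normal driver directories. The event records, the blocklist hash values and the driver file names are constructed placeholders, not real indicators; the field names are Sysmon's own. Note that the blocklisted driver in the sample passes the signature check, which is exactly why signature validity alone is not a sufficient control against BYOVD.

```python
"""Flag kernel driver loads that match a BYOVD watch list.

Added example, not code from the ESET report. Consumes the Message
bodies of Sysmon Event ID 6 (Driver loaded) records, here constructed
inline, and reports loads that are blocklisted, unsigned/invalidly
signed, or loaded from an unusual location.
"""
from dataclasses import dataclass
import re

# Constructed sample: three Sysmon Event ID 6 Message bodies separated
# by "---". Paths, hashes and signer names are placeholders, not real
# telemetry or real indicators.
SAMPLE_EVENTS = """\
RuleName: -
UtcTime: 2026-03-19 14:02:11.001
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
---
RuleName: -
UtcTime: 2026-03-19 14:05:42.378
ImageLoaded: C:\\Users\\Public\\oldmon.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Example Hardware Vendor Ltd
SignatureStatus: Valid
---
RuleName: -
UtcTime: 2026-03-19 14:05:43.002
ImageLoaded: C:\\Temp\\helper.sys
Hashes: SHA256=3333333333333333333333333333333333333333333333333333333333333333
Signed: false
Signature: -
SignatureStatus: Unsigned
"""

# Hypothetical blocklist of SHA256 hashes for driver builds known to be
# abused in BYOVD attacks. Placeholder value for illustration only; in
# practice populate this from a maintained vulnerable-driver list.
BLOCKLIST_SHA256 = {
    "2222222222222222222222222222222222222222222222222222222222222222",
}

# Where Windows keeps legitimately installed drivers. A driver loaded from
# anywhere else (user profile, Temp, Public) is a BYOVD heuristic hit,
# because EDR killers drop the vulnerable driver alongside themselves.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

KV_LINE = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class Alert:
    utc_time: str
    image: str
    reasons: list


def parse_sysmon_events(text):
    """Split "---"-separated Event ID 6 Message bodies into field dicts."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            m = KV_LINE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def parse_hashes(hashes_field):
    """Sysmon writes 'SHA1=..,MD5=..,SHA256=..'; return {ALGO: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate(event, blocklist=BLOCKLIST_SHA256):
    """Return the reasons this driver load is suspicious (empty list if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    hashes = parse_hashes(event.get("Hashes", ""))
    if hashes.get("SHA256") in blocklist:
        reasons.append("blocklisted-hash")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature-not-valid")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded-from-unusual-path")
    return reasons


def scan(text, blocklist=BLOCKLIST_SHA256):
    """Parse all records and return an Alert for every suspicious load."""
    alerts = []
    for event in parse_sysmon_events(text):
        reasons = evaluate(event, blocklist)
        if reasons:
            alerts.append(Alert(event.get("UtcTime", ""), event.get("ImageLoaded", ""), reasons))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.utc_time} {a.image}: {', '.join(a.reasons)}")
```

On the constructed sample the checker is silent for tcpip.sys, flags oldmon.sys as both blocklisted and loaded from a user-writable path despite its valid signature, and flags helper.sys for an invalid signature and an unusual path. For real use, feed it the Message bodies of exported Event ID 6 records, populate the blocklist from a maintained source such as the hashes in Microsoft's vulnerable driver blocklist policy, and expect to tune the path heuristic for products that legitimately install drivers elsewhere. Detection of this kind complements, rather than replaces, preventing the load in the first place, which is the point ESET makes above.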
The report is a reminder of how the threat landscape keeps shifting and of the need for continuous security awareness among organizations and individuals alike. The BYOVD technique used by these 54 EDR killers shows the persistence of modern threat actors and the importance of keeping security measures current and adapting them as new tooling emerges.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolving-Threat-Landscape-54-EDR-Killers-Leverage-BYOVD-to-Exploit-Vulnerable-Drivers-ehn.shtml
https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
https://cyberwebspider.com/the-hacker-news/54-edr-killers-exploit-vulnerable-drivers/
Published: Thu Mar 19 15:51:32 2026 by llama3.2 3B Q4_K_M