As ransomware actors increasingly turn to EDR killers, businesses need to tighten their security.
Monitoring ransomware trends globally, ESET researchers have observed an increase in the variety of EDR killers designed to hobble cybersecurity tools. The obvious goal is to allow smooth execution of the ransomware encryptor, posing yet another challenge for businesses trying to defend against financially motivated attacks.
In parallel, ESET Research also conducted a deeper analysis of the ransomware ecosystem, focusing on the newly emergent and currently dominating ransomware-as-a-service gang, RansomHub, and the structure of its affiliate network. Ultimately, the links between the rise in EDR killer variety and the APT group were revealed by following the trail of tooling that RansomHub offers. Understanding these connections can offer clues into growing detections of EDR killers and how defenders can mitigate these risks.
These scary-looking tools are stoppable, and proper prevention measures together with a reliable cybersecurity solution from an experienced security vendor should cover you.
Sneaking to the kernel
Malware designed to seek out and disable enterprise security defenses has surged in popularity, increasing by a staggering 333%, according to the Picus Red Report 2024.
Simpler versions of EDR killers take the form of scripts that straightforwardly try to terminate a list of processes. More sophisticated ones go beyond that and use the technique known as Bring Your Own Vulnerable Driver (BYOVD), abusing legitimate but vulnerable (usually older) drivers to access the kernel of a targeted operating system.
A typical EDR killer employs a user-mode component responsible for orchestration (killer code) to install a vulnerable driver, often embedded in its data or resources. Then it iterates over a list of process names and issues a command to the vulnerable driver to kill the process, abusing the driver’s access to the kernel.
Legitimate tools are abused by ransomware affiliates to work as EDR killers too. For example, rootkit removers, by nature, require access to kernel mode and need to closely inspect the internals of the operating system. This is a powerful functionality that can be abused by malicious threat actors.
How to prepare against EDR killers
Defending against EDR killers is not an easy task and requires a prevention-first approach toward cybersecurity and multilayered protection capable of detecting malware at multiple stages of an attack. Here are a few tips:
- High-quality EDR is a must – An EDR killer is a sophisticated attack tool; likewise, a cybersecurity solution deployed on the targeted endpoint needs to be top-grade. That means it should have detections for the malicious code abusing the vulnerable driver, even prior to execution. However, due to heavy obfuscation or other evasion techniques, this may not always be feasible.
- Tamper protection – This prevents unauthorized users from disabling or modifying the components or capabilities of a security solution.
- Blocking vulnerable drivers – This can be achieved through strict policies regarding potentially unsafe applications (PUSA) and file-based detections. To avoid system disruption, consider starting with a “Detect but don’t clean” mode, then adding exclusions as needed, and finally switching to a “Detect and clean” mode.
- Vulnerability and patch management – Sophisticated threat actors may try to abuse a vulnerable driver already present on the compromised machine instead of relying on BYOVD. Therefore, having proper patch management in place is another effective method of defense.
- Harden application control – Improve your defenses via application control, for example via Windows Defender Application Control (WDAC), where you can create a policy that allows only selected drivers to be loaded. Other platforms leverage technologies like ESET’s Host-based Intrusion Prevention System (HIPS), which uses a rule to block an application.
- Limit access to endpoint security settings – Using a strong password to lock these settings adds another layer of protection.
- Know your environment – These tools require considerable focus and knowledge of protected systems to avoid interfering with legitimate software and causing business disruptions.
Keep in mind that file encryption and subsequent extortion are typically the last stages of an attack. In other words, the network was previously breached and the attacker managed to gain admin privileges, which allowed moving to the EDR killer and ransomware deployment stages. The defenders’ job is to spot the attack early on to prevent it from progressing that far in the first place. This demonstrates the importance of prevention and the need for swift mitigation.
Pro tips: ESET Inspect detections relevant to EDR killers
These detection rules available in the ESET Inspect system can help you spot and deflect threats utilizing EDR killers:
- Loaded Driver from Uncommon Location [D1303] – Some EDR killers load drivers from an uncommon location. This detection notifies admins about it.
- Possible EDR Blinding - Vulnerable Driver [Q1301] – This detects the loading of vulnerable drivers used in the RealblindingEDR project.
- Vulnerable Driver Masquerading [Q1302] and Vulnerable Zemana Driver Loaded [Q1303] – These detect the dropping or loading of certain vulnerable versions of drivers that were observed being abused in ransomware attacks. They have a high threat-level severity and trigger the creation of an incident.
- Loaded Known Vulnerable Driver [D1302] – This raises a warning if one of multiple known legitimate but vulnerable drivers is loaded.
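As an added example (not ESET’s code and not the content of its Inspect rules), the following Python triage script applies the two driver-load checks described above, an uncommon load directory and a hash match against a known-vulnerable-driver list, to Sysmon Event ID 6 (DriverLoad) records; the directory baseline, the placeholder hash blocklist and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath  # parses Windows paths correctly even on a non-Windows host

# Directories a driver load is expected from; anything else is treated as uncommon
# (an assumed baseline for this example, not the content of any ESET rule).
COMMON_DRIVER_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}

# Constructed placeholder standing in for a SHA-256 blocklist of known vulnerable
# drivers that an operator would populate from a maintained list; not a real hash.
KNOWN_VULNERABLE_SHA256 = {"placeholder_sha256_vulnerable_driver_a"}

def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' Hashes field into an {algo: value} dict."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def classify_driver_load(event):
    """Return the detection names one driver-load event triggers (may be empty)."""
    findings = []
    directory = ntpath.dirname(event.get("ImageLoaded", "")).lower()
    if directory not in COMMON_DRIVER_DIRS:
        findings.append("Loaded Driver from Uncommon Location")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append("Loaded Known Vulnerable Driver")
    return findings

def scan_log(lines):
    """Apply the checks to JSON-encoded Sysmon events, keeping only Event ID 6."""
    results = []
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") != 6:  # 6 = DriverLoad in Sysmon
            continue
        hits = classify_driver_load(event)
        if hits:
            results.append((event["ImageLoaded"], hits))
    return results

# Constructed sample events, not taken from any real host.
SAMPLE_LOG = [
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Hashes": "SHA256=placeholder_sha256_legitimate"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\cleanup.sys",
                "Hashes": "SHA256=placeholder_sha256_vulnerable_driver_a"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"}),
]
```

In a real deployment the directory baseline would be derived from the environment’s own driver inventory and the blocklist from a maintained vulnerable-driver feed, which is exactly the “know your environment” point made above.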
Too much? Keep it simple!
A prevention-first approach should not only include top-notch security products but also prioritize cyber hygiene and reducing burdens on IT staff. Alert fatigue is a real problem that can result in breaches if not addressed properly. Dealing with EDR killers requires considerable focus from IT specialists, and it is always good to have technologies that can keep things as simple as possible.
To make the lives of IT staff easier, the ESET Protect Platform delivers a comprehensive range of capabilities unified within a single pane of glass, providing full visibility into protected systems. Moreover, all solutions and modules are designed to decrease the amount of attention and number of clicks and portals required, easing their operation to the maximum.
For example, ESET Inspect provides response actions that are easily accessible via a single click; these include shutting down an endpoint, isolating an endpoint from the rest of the network, or killing a running process. ESET Inspect allows proactive threat hunting via its powerful query-based IoC search. Thanks to its intuitive filtering options, it can be easily operated by admins. ESET Vulnerability & Patch Management also helps reduce alert fatigue with customizable patching policies, severity-based prioritization, filtering options, and centralized management.
Get ready
Preventing cybercriminals from gaining the admin privileges and the persistence necessary to introduce EDR killers is exactly the situation where ESET’s prevention-first approach and multilayered security can shine.
EDR killers are a serious threat, but abuse of vulnerable drivers as an attack vector is well known and not on par with a zero-day attack leaving businesses completely defenseless. What makes vulnerable drivers a challenge to handle is the level of attention they require from admins and the sophistication of cybersecurity solutions needed to deal with them effectively.
Attacks like these show the importance of prevention being delivered via robust security. That security must not only be reliable but also straightforward, reducing the complexity of system protection to the minimum necessary.