In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides the dominant Bring Your Own Vulnerable Driver (BYOVD) technique, we also see attackers frequently abusing legitimate anti-rootkit utilities or using driverless approaches to block the communication of endpoint detection and response (EDR) software or suspend it in place. These tools are not just plentiful; they also behave predictably and consistently, which is precisely why affiliates reach for them.

In this blogpost, we present our view of EDR killers, grounded in ESET telemetry and incident investigations. The research is based on the analysis and tracking of almost 90 EDR killers actively used in the wild. Our focus goes beyond the vulnerable drivers that dominate most discussions: we document how affiliates select, adapt, and operate EDR killers across real intrusions, and what that means for attribution and defense. We explain why driver-centric analysis often misleads group attribution, show concrete cases of driver reuse and switching across unrelated codebases, and highlight the growth of driverless disruption alongside commercialized, hardened kits. The result is a clear, evidence-based picture of how EDR killers function as a predictable stage in modern ransomware operations.

Key points of this blogpost:
• EDR killers are a fundamental part of modern ransomware intrusions; affiliates prefer a short, reliable window in which to run encryptors rather than constantly modifying payloads.
• Affiliates, not operators, pick the EDR killers; larger affiliate pools lead to greater tooling diversity.
• The same driver appears in unrelated tools, and the same tool can migrate between drivers. Consequently, driver-based attribution to groups is often misleading.
• Packer as a service and “EDR killer as a product” increase availability, muddy attribution, and add defense complexity.
• EDR killers implement defense evasion techniques, while encryptors focus purely on encryption.
• We strongly suspect that AI assisted with the development of some EDR killers, and we provide a concrete example with the Warlock gang.
• While BYOVD dominates, custom scripts, anti-rootkits, and driverless EDR killers are utilized as well.

The EDR killer landscape

ESET researchers look beyond the vulnerable drivers so often abused by these tools. As we will demonstrate, drawing any connections solely on the basis of the misused drivers is insufficient and can lead to incorrect assumptions. The landscape this research unveils is massive, ranging from endless forking of proofs of concept (PoCs) to complex professional implementations. Focusing on commercial EDR killers (advertised on the dark net) allows us to gain a better understanding of their customer base and spot otherwise hidden affiliations. In-house developed EDR killers offer insights into the inner workings of closed groups. Furthermore, vibe coding is making matters even more complicated. We provide a technical overview of EDR killers, including vulnerable drivers, in the section The technology behind EDR killers.

At the time of writing, our insight into the EDR killer landscape is based on the following:
• We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small:
  ○ 54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers,
  ○ 7 of these are script-based, and
  ○ 15 of these are anti-rootkits or other freely available software.
• For 24 of the BYOVD-based EDR killers, we are not aware of a publicly available PoC they are based on; we assess that their developers implemented these tools from scratch and were inspired only by the driver exploitation code.
Throughout this blogpost, we refer to the entities forming the ransomware-as-a-service (RaaS) model as follows:
• Operators, who develop the ransomware payload, manage decryption keys, maintain the dedicated leak site, often negotiate the ransom payment with victims, and offer other tooling and services for a monthly fee or a percentage of the ransom payment (typically 5–20%).
• Affiliates, who rent ransomware services from operators, deploy encryptors to victims’ networks, and exfiltrate data from victims’ machines.

Why are EDR killers so popular?

To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtualization to sophisticated injection. However, we rarely see any of these implemented in encryptors. Instead, ransomware attackers opt for EDR killers to disrupt security solutions right before encryptor deployment. This different approach naturally raises the question: why not invest in making encryptors undetected instead?

Reliability and operational simplicity for encryptor developers

Ransomware gangs, especially those running RaaS programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected is time-consuming. More importantly, encryptors are inherently noisy (they must modify a large number of files in a short period), so making such malware undetected is challenging. EDR killers provide a cleaner alternative. Instead of burying detection-evading logic inside every encryptor update, attackers simply rely on an external tool to disrupt or disable security controls immediately before execution, keeping encryptors simple, stable, and easy to rebuild.

Low cost, high power

As shown throughout this blogpost, EDR killers are extremely accessible. Not all intruders or affiliates have the skill set to develop their own defense evasion strategies. But thanks to large collections of public PoCs, EDR killers have essentially become “plug-and-play”. At the same time, EDR killers often rely on legitimate yet vulnerable drivers, making defense significantly more difficult: blocking such a driver outright risks disrupting the legacy or enterprise software that legitimately ships it. The result is a class of tools that offers kernel-level impact with minimal development effort, making these tools disproportionately powerful given their simplicity.

Predictability and repeatability during intrusions

Packing or injecting code may help an implant slip past detection, but it doesn’t ensure the long-term stability of the ransomware payload during the final phase of the intrusion. Due to the layered protection provided by security products, packed encryptors may still be detected in memory or at other stages of execution. EDR killers, on the other hand, provide a predictable and repeatable step in the attack chain, giving attackers a more deterministic workflow. Furthermore, EDR killers aim to disrupt the security solution as a whole, effectively removing all protection layers at once.

The technology behind EDR killers

Scripts

The simplest EDR killers don’t rely on vulnerable drivers or other advanced techniques. Instead, they abuse built-in administrative tools and commands such as taskkill, net stop, or sc delete to tamper with security product processes and services. These crude approaches still appear occasionally but are now mostly associated with low-skill ransomware threat actors and commodity malware. Slightly more sophisticated variants combine scripting with Windows Safe Mode. Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection. At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild.
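The script-based tampering described above is easy to catch in process-creation telemetry, provided the rule looks for a burst of commands from one parent rather than for a single taskkill, which an administrator may legitimately run. The following Python is an added example written for this page; it is not ESET's code or any tool from the post. The Sysmon-style log lines, the parent PIDs, and the protected process and service names are constructed placeholders, and the bcdedit safeboot check is an added heuristic: the post describes Safe Mode abuse but does not name a command.

```python
"""Added example (not from the ESET post): flag script-style EDR tampering in
process-creation telemetry. Process/service names and log lines are constructed."""
from collections import defaultdict
from datetime import datetime
import shlex

# Placeholders standing in for a security product's process and service names;
# a real rule carries the vendor's actual names.
PROTECTED_PROCESSES = {"edragent.exe", "edrsvc.exe", "avshield.exe"}
PROTECTED_SERVICES = {"edragent", "edrsvc", "avshield"}


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' line (Sysmon Event 1 style)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def classify(cmdline):
    """Return a tamper tag for one command line, or None if it looks harmless."""
    try:
        argv = [a.lower() for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmdline.lower().split()
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].strip('"')
    args = [a.strip('"') for a in argv[1:]]
    if exe in ("taskkill", "taskkill.exe"):
        # taskkill /F /IM <image>: the image name follows the /IM switch
        for i, a in enumerate(args[:-1]):
            if a == "/im" and args[i + 1] in PROTECTED_PROCESSES:
                return "taskkill-protected-process"
    elif exe in ("net", "net.exe", "net1", "net1.exe"):
        if len(args) >= 2 and args[0] == "stop" and args[1] in PROTECTED_SERVICES:
            return "net-stop-protected-service"
    elif exe in ("sc", "sc.exe") and len(args) >= 2:
        # sc stop <svc>, sc delete <svc>, sc config <svc> start= disabled
        verb, svc = args[0], args[1]
        if svc in PROTECTED_SERVICES and (
            verb in ("stop", "delete") or (verb == "config" and "disabled" in args)
        ):
            return f"sc-{verb}-protected-service"
    elif exe in ("bcdedit", "bcdedit.exe") and "safeboot" in args:
        # Safe Mode preparation. Added heuristic: the post describes Safe Mode
        # abuse but does not name bcdedit.
        return "safeboot-config"
    return None


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_script_tampering(lines, window_s=60, min_hits=3):
    """Group tamper commands by parent PID. One taskkill may be an admin
    one-off; several within a short window from the same parent is a script."""
    per_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev.get("CommandLine", ""))
        if tag:
            per_parent[ev.get("ParentProcessId", "?")].append(
                (_ts(ev["UtcTime"]), tag, ev["CommandLine"])
            )
    findings = []
    for parent, hits in per_parent.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            burst = [h for h in hits[i:] if (h[0] - t0).total_seconds() <= window_s]
            if len(burst) >= min_hits:
                findings.append({
                    "parent_pid": parent,
                    "first_seen": burst[0][0].isoformat(),
                    "tags": sorted({h[1] for h in burst}),
                    "commands": [h[2] for h in burst],
                })
                break  # one finding per parent is enough for triage
    return findings


# Constructed sample: a cmd.exe (PID 4120) running a kill script, plus benign noise.
SAMPLE_EVENTS = [
    "UtcTime=2024-03-02 10:00:01.000|EventId=1|ParentProcessId=4120|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=net stop edragent",
    "UtcTime=2024-03-02 10:00:01.400|EventId=1|ParentProcessId=4120|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=sc delete edragent",
    "UtcTime=2024-03-02 10:00:02.100|EventId=1|ParentProcessId=4120|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=taskkill /F /IM edrsvc.exe",
    "UtcTime=2024-03-02 10:00:02.900|EventId=1|ParentProcessId=4120|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=sc config avshield start= disabled",
    "UtcTime=2024-03-02 10:05:30.000|EventId=1|ParentProcessId=2200|ParentImage=C:\\Windows\\explorer.exe|CommandLine=taskkill /F /IM notepad.exe",
    "UtcTime=2024-03-02 10:06:00.000|EventId=1|ParentProcessId=2200|ParentImage=C:\\Windows\\explorer.exe|CommandLine=sc query edrsvc",
]

if __name__ == "__main__":
    for f in find_script_tampering(SAMPLE_EVENTS):
        print(f["parent_pid"], f["first_seen"], f["tags"])
```

Grouping by parent and requiring several hits inside a short window is what separates a kill script from an administrator stopping one service; the window and threshold are tunable, and the tags let the analyst see at a glance which of the three command families the script used. The run above reports only PID 4120.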
Gray zone: Anti-rootkits

Years ago, before Microsoft enforced kernel-mode driver signing, rootkits flourished in the cybercrime ecosystem, hiding malicious activity by manipulating kernel structures. Their prevalence led to the development of specialized anti-rootkit tools designed to detect and remove them. Because rootkits operate in kernel mode, such tools naturally require high privileges and their own drivers to discover, enumerate, and neutralize the rootkits. Today, ransomware affiliates frequently abuse these same anti-rootkit tools: not to remove rootkits, but to cripple security solutions. Many anti-rootkits offer a user-friendly GUI that allows users (including attackers with little technical capability) to terminate protected processes or services. In other words, legitimate remediation tools become convenient EDR killers when misused. Such tools include GMER (see Figure 1), HRSword, and PC Hunter.

Figure 1. The GUI of GMER, a popular anti-rootkit solution

Rootkits

Although rootkits are rare in modern cybercrime, notable exceptions still surface. One example from last year is ABYSSWORKER, a kernel-mode rootkit that drew attention after its creators managed to sign it using certificates stolen from Chinese companies. These certificates had also been used to sign other malware and are therefore not specific to ABYSSWORKER. Since the stolen certificates belong to a trusted certificate chain, such a driver is still allowed to load into the kernel. And, to make matters more complicated, even certificate revocation is not a bulletproof option, as recently demonstrated by Huntress.

Vulnerable drivers

The BYOVD technique has become the hallmark of modern EDR killers: dominant, reliable, and widely used. In a typical scenario, an attacker drops a legitimate but vulnerable driver onto the victim machine, installs the driver, and then runs malware that abuses the driver’s vulnerability. The goal is to terminate protected processes or disable the callbacks that security products rely on. Although there are thousands of legitimate vulnerable drivers, only a comparatively small subset is actively exploited in ransomware incidents. However, the availability of public PoCs means that t
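The drop, install, and abuse sequence described for BYOVD leaves two correlated traces on the host: a new kernel-mode service pointing at the dropped file, and a driver load from wherever it was dropped. The following Python is an added example for this page, not ESET's code or any tool from the post. It rates Sysmon DriverLoad (Event 6) records against a vulnerable-driver hash list and correlates them with service-install (System Event 7045) records, and it applies the caveat from earlier in the post: the same vulnerable driver shipped by an installed product is rated lower than one loaded from a user-writable path, because blocking the former blindly breaks legitimate software. The hash list, paths, service and signer names are all constructed placeholders; a real deployment would populate the list from Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Added example (not from the ESET post): triage Sysmon DriverLoad (Event 6)
records, correlated with service-install (7045) records, for BYOVD staging.
Hashes, paths, service and signer names below are constructed."""
import re
from datetime import datetime

# Constructed stand-in for a vulnerable-driver blocklist (SHA-256 -> label).
# In practice populate it from Microsoft's vulnerable driver blocklist or loldrivers.io.
KNOWN_VULNERABLE = {
    "a" * 64: "vuln_driver_a.sys",
    "b" * 64: "vuln_driver_b.sys",
}
# Directories a kernel driver has no business being loaded from.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp)\\", re.I)
# Where drivers installed by legitimate products normally live.
DRIVER_STORE = re.compile(r"^[a-z]:\\windows\\system32\\(drivers|driverstore)\\", re.I)


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def normalize_path(p):
    """Service ImagePath often carries the NT prefix '\\??\\'; drop it for matching."""
    return (p[4:] if p.startswith("\\??\\") else p).lower()


def sha256_of(hashes_field):
    """Sysmon writes 'SHA256=...,MD5=...'; pick the SHA-256 if present."""
    for part in hashes_field.split(","):
        algo, _, val = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return val.strip().lower()
    return None


def rate_driver_load(ev, installs):
    """Return (severity, reason) for one DriverLoad event, or None."""
    image = ev.get("ImageLoaded", "")
    label = KNOWN_VULNERABLE.get(sha256_of(ev.get("Hashes", "")))
    from_user_path = bool(USER_WRITABLE.match(image))
    in_store = bool(DRIVER_STORE.match(image))
    install = installs.get(normalize_path(image))
    via = ""
    if install:
        age = (_ts(ev["UtcTime"]) - _ts(install["UtcTime"])).total_seconds()
        via = f"; service '{install['ServiceName']}' installed {age:.0f}s earlier"
    if label and not in_store:
        # Classic BYOVD staging: a known-vulnerable driver dropped outside the
        # driver store (typically a user-writable path) and loaded.
        return ("high", f"known vulnerable driver {label} loaded from {image}{via}")
    if label:
        # Same driver shipped by an installed product: blocking it blindly can
        # break legitimate software, but it is an exploitable primitive on the host.
        return ("medium", f"known vulnerable driver {label} present in the driver store{via}")
    if from_user_path:
        # Not (yet) on the blocklist, but kernel code from a user path plus a
        # freshly created service is how new BYOVD tools first show up.
        return ("low", f"unlisted driver loaded from user-writable path {image}{via}")
    return None


def triage(lines):
    """Index 7045 kernel-service installs by image path, then rate every DriverLoad."""
    events = [parse_event(line) for line in lines]
    installs = {
        normalize_path(e["ImagePath"]): e
        for e in events
        if e.get("EventId") == "7045" and "kernel" in e.get("ServiceType", "").lower()
    }
    findings = []
    for e in events:
        if e.get("EventId") != "6":
            continue
        rated = rate_driver_load(e, installs)
        if rated:
            findings.append({"time": e["UtcTime"], "image": e["ImageLoaded"],
                             "severity": rated[0], "reason": rated[1]})
    return findings


# Constructed sample: a fresh kernel service pointing into C:\Users\Public, the
# matching driver load (hash on the blocklist), a vulnerable driver shipped by a
# legitimate product, and an ordinary driver load.
SAMPLE_EVENTS = [
    "UtcTime=2024-03-02 10:00:00.000|EventId=7045|ServiceName=ZeroDrv|ImagePath=\\??\\C:\\Users\\Public\\zd.sys|ServiceType=kernel mode driver",
    "UtcTime=2024-03-02 10:00:03.000|EventId=6|ImageLoaded=C:\\Users\\Public\\zd.sys|Hashes=SHA256=" + "a" * 64 + ",MD5=" + "0" * 32 + "|Signed=true|Signature=Constructed Vendor Ltd|SignatureStatus=Valid",
    "UtcTime=2024-03-02 10:10:00.000|EventId=6|ImageLoaded=C:\\Windows\\System32\\drivers\\vuln_driver_b.sys|Hashes=SHA256=" + "b" * 64 + "|Signed=true|Signature=Constructed OEM Inc|SignatureStatus=Valid",
    "UtcTime=2024-03-02 10:11:00.000|EventId=6|ImageLoaded=C:\\Windows\\System32\\drivers\\fs.sys|Hashes=SHA256=" + "c" * 64 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["reason"])
```

Hash matching alone is the weak part of this rule, for the reason the post gives: a re-signed or slightly modified build of the same driver has a new hash and drops off the list. The path and fresh-service correlation are what keep the rule useful when that happens, which is why an unlisted driver from a user-writable path still produces a low-severity finding rather than nothing.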