A new analysis of 54 endpoint detection and response (EDR) killer programs finds that they rely on a technique called bring your own vulnerable driver (BYOVD) and, between them, abuse 34 distinct vulnerable but legitimately signed drivers to disable security software. The tools specifically target the EDR agents that organizations rely on to detect and respond to intrusions.

EDR killers have become a standard component of ransomware operations: the operator neutralizes endpoint defenses before deploying the file-encrypting payload. BYOVD relies on drivers that are genuine vendor products, signed with a certificate Windows trusts, but that contain exploitable flaws. Because the driver itself is legitimate, it passes the signature and reputation checks that would stop an attacker's own kernel code.

The attack chain begins with the attacker dropping the vulnerable driver and loading it into the Windows kernel. Loading a driver already requires local administrator rights (SeLoadDriverPrivilege), so BYOVD is not a privilege escalation in the usual sense; what it buys the attacker is the step from user-mode administrator to kernel mode. There, the driver's exposed functionality (typically IOCTLs that read or write arbitrary memory, or terminate an arbitrary process by PID) can be used to kill EDR processes that run as protected processes, remove the agent's kernel callbacks, and otherwise blind it. Driver Signature Enforcement is not so much bypassed as satisfied: the driver carries a valid signature, so the kernel loads it exactly as designed.

Organizations should enforce driver allowlisting and make sure their endpoint security product can detect BYOVD activity. On Windows that means enabling the Microsoft vulnerable driver blocklist (a Windows Defender Application Control policy, enforced automatically when memory integrity / HVCI is on) and, where feasible, a WDAC policy that permits only approved drivers. Security teams should also monitor driver-load events (Sysmon Event ID 6, or System log event 7045 when a new kernel-mode driver service is registered) for drivers loaded from user-writable paths or signed by unexpected publishers, and keep a current inventory of known-vulnerable driver hashes, for example from the LOLDrivers project. One caveat: hash-based blocklists lag the attackers, who rotate to new driver versions or to drivers not yet catalogued, so the load path and publisher signals matter as much as the hash match.
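The monitoring step above, as an added example that is not part of the original analysis: a small Python triage of text-rendered Sysmon "Driver loaded" (Event ID 6) records. It combines three signals (hash match against a vulnerable-driver inventory, load from a user-writable directory, and missing or invalid signature) because a hash match alone misses drivers not yet catalogued and a signature check alone is exactly what BYOVD is designed to pass. The sample events, the vendor name "Example Vendor Ltd", the paths and every hash value are constructed for illustration; the inventory dictionary stands in for a real feed such as Microsoft's blocklist or LOLDrivers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed inventory of known-vulnerable signed drivers keyed by SHA256.
# The hash and description are placeholders; a real inventory would be built
# from a curated source (Microsoft's vulnerable driver blocklist, LOLDrivers).
KNOWN_VULNERABLE_SHA256: Dict[str, str] = {
    "1" * 64: "vendor utility driver exposing a process-kill IOCTL (placeholder entry)",
}

# Directories a kernel driver should essentially never be loaded from.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(Users|Temp|ProgramData|AppData|Downloads)\\", re.IGNORECASE
)


@dataclass
class Finding:
    image: str
    sha256: str
    reasons: List[str] = field(default_factory=list)


def parse_event(raw: str) -> Dict[str, str]:
    """Parse a text-rendered Sysmon event body ('Key: Value' per line).

    partition() splits on the first colon only, so values that contain colons
    (UtcTime, the drive letter in ImageLoaded) survive intact.
    """
    fields: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sha256_from_hashes(hashes: str) -> str:
    """Extract the SHA256 value from a Sysmon Hashes field ('SHA256=..,IMPHASH=..')."""
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep and algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def triage_driver_load(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a suspicious driver load, or None for a clean one."""
    image = event.get("ImageLoaded", "")
    sha256 = sha256_from_hashes(event.get("Hashes", ""))
    reasons: List[str] = []

    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable inventory: " + KNOWN_VULNERABLE_SHA256[sha256])
    if SUSPICIOUS_PATH_RE.search(image):
        reasons.append("driver loaded from a user-writable or staging directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")

    return Finding(image, sha256, reasons) if reasons else None


def triage_log(raw_events: List[str]) -> List[Finding]:
    """Run triage over raw event bodies and keep only the hits, in input order."""
    findings: List[Finding] = []
    for raw in raw_events:
        finding = triage_driver_load(parse_event(raw))
        if finding is not None:
            findings.append(finding)
    return findings


def sample_event(image: str, sha256: str, signature: str, signed: bool = True) -> str:
    """Build a constructed Event ID 6 text body; all values are made up for the demo."""
    return (
        "Driver loaded:\n"
        "UtcTime: 2024-01-01 10:00:00.000\n"
        f"ImageLoaded: {image}\n"
        f"Hashes: SHA256={sha256},IMPHASH={'0' * 32}\n"
        f"Signed: {'true' if signed else 'false'}\n"
        f"Signature: {signature if signed else '-'}\n"
        f"SignatureStatus: {'Valid' if signed else 'Unavailable'}\n"
    )


# Constructed sample log: one benign load, one catalogued vulnerable driver
# staged under Users, one uncatalogued signed driver in Temp, one unsigned image.
SAMPLE_EVENTS: List[str] = [
    sample_event(r"C:\Windows\System32\drivers\tcpip.sys", "2" * 64, "Microsoft Windows"),
    sample_event(r"C:\Users\Public\drv\vendortool.sys", "1" * 64, "Example Vendor Ltd"),
    sample_event(r"C:\Windows\Temp\helper.sys", "3" * 64, "Example Vendor Ltd"),
    sample_event(r"C:\ProgramData\drv\test.sys", "4" * 64, "-", signed=False),
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f.image, f.sha256[:12], "|", "; ".join(f.reasons))
```

The third sample is the instructive one: a validly signed driver with no inventory match is still flagged purely on its load path, which is the signal that survives when the attacker swaps to a driver the blocklist has not caught up with.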

The prevalence of EDR killers in ransomware campaigns demonstrates the sophistication of modern threat actors, who systematically target security infrastructure as part of their attack chains. This trend highlights the ongoing arms race between security vendors and cybercriminals.