When the Kill Chain Targets the EDR

Shak

EDR isn’t just a defensive tool; it is a prime target. Across recent incidents, attackers have shifted from evading EDR to disrupting it directly. In 2024, roughly 25% of ransomware attacks incorporated Bring Your Own Vulnerable Driver (BYOVD) techniques, turning legitimately signed but vulnerable drivers into kernel-level weapons that silence endpoint defenses. One security vendor reported a 333% surge in EDR-killer variants, a measure of how quickly this threat model is evolving. In this landscape, monitoring EDR health is not a compliance checkbox: it is how you catch the early signs of compromise, such as unexpected sensor service failures, configuration changes, or gaps in telemetry, before the attacker has finished disabling the rest of the stack and well before a conventional alarm would be raised.

Over the past few years, attackers have steadily shifted from simply evading security tools to outright disabling them. Early examples involved crude scripts or registry edits, but the tactics have matured. Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, abuse of legitimately signed drivers, and process-killing malware have become recurring features in campaigns from FIN7’s “AvNeutralizer” to LockBit’s internal tools. This trend has set the stage for today’s more advanced, widely shared “EDR killer” utilities, which operate at the kernel level, where user-mode protections no longer apply, and can terminate the processes and services of multiple vendors’ products before an alert is raised.

Recent investigations from Sophos reveal that this capability is no longer the domain of a single actor or bespoke tool. At least eight ransomware groups are deploying unique builds of a driver-based EDR killer, sometimes protected with commercial packers and paired with stolen or expired certificates. The fact that each group uses its own compiled version hints at a shared development framework or a service model in the underground market. Combined with past BYOVD incidents, it suggests the industry is seeing an evolution from isolated tools to a common playbook for neutralising endpoint defenses.

💡
Researchers at GuidePoint Security found that Akira used a BYOVD technique: the legitimate kernel driver shipped with the ThrottleStop CPU tuning tool is loaded first to obtain kernel-level access, and a malicious companion driver then uses that access to modify the Windows registry and disable Microsoft Defender. The ThrottleStop driver itself is not malware, which is exactly why signature-based controls let it load; only a driver inventory or blocklist that treats it as unwanted will stop this step.

What to do

As we know too well in this environment, resilience comes from layers, not from reliance on a single control. Practical measures that limit the impact of an EDR killer include maintaining a clean inventory of approved drivers and actually enforcing it (Microsoft’s vulnerable driver blocklist, applied through HVCI or a WDAC policy, blocks many of the drivers these tools depend on, but only if it is enabled and kept current), turning on the EDR’s own tamper protection, having a rehearsed host-isolation process, and routinely testing detection and response procedures. Diverse detection adds another safety net: look not only for known malware but for the behaviour an EDR killer produces, such as an unfamiliar driver loading, a sensor or Defender service stopping unexpectedly, security policy values changing in the registry and, critically, a host that simply stops sending telemetry. A killed sensor cannot report its own death, so that gap has to be detected from the SIEM or management-console side rather than on the endpoint. Regular threat hunting with up-to-date intelligence keeps pace with these evolving tactics, and rehearsed recovery plans ensure that even if one layer is stripped away, enough mitigation remains for the business to respond quickly and confidently.
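The behavioural checks just listed (unapproved driver loads, sudden stoppage of protected services, Defender configuration changes in the registry, and telemetry gaps), together with the ThrottleStop-style sequence described in the callout, as one worked hunting routine. This is an added example written for this page, not code from Sophos, GuidePoint or any vendor: the events, driver hashes, image paths, service names and approved-driver inventory are constructed assumptions shaped loosely like Sysmon (ID 6 DriverLoad, ID 13 registry value set) and Service Control Manager (ID 7036) records, and the Defender registry value it watches is the well-known DisableAntiSpyware policy value, which the page itself does not name.

```python
"""Hunt constructed endpoint telemetry for EDR-tampering signals.

Illustrative code added for this page, not a tool from Sophos, Akira analysis
or any vendor. Event shapes loosely follow Sysmon (ID 6 DriverLoad, ID 13
RegistryEvent value set) and the Service Control Manager (ID 7036 service
state change). The events, the approved-driver inventory and the service
names are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical approved-driver inventory: SHA-256 -> driver file allowed to load.
APPROVED_DRIVERS = {"aa" * 32: "intel_gpu.sys", "bb" * 32: "edr_sensor.sys"}

# Services whose transition to "stopped" is an EDR-health event (names assumed).
PROTECTED_SERVICES = {"WinDefend", "Sense", "EdrSensor"}

# Registry values an attacker sets to switch Defender off. DisableAntiSpyware is
# the well-known policy value; the page does not name which value Akira's driver writes.
DEFENDER_KILL_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "1",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
    r"\DisableRealtimeMonitoring": "1",
}

HEARTBEAT_GAP = timedelta(minutes=10)  # silence longer than this is a telemetry gap


@dataclass
class Finding:
    host: str
    time: datetime
    rule: str
    detail: str


def hunt(events, approved=APPROVED_DRIVERS, now=None):
    """Return Findings for driver abuse, service kills, policy tampering and telemetry gaps."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 strings sort correctly
        host, t = ev["host"], datetime.fromisoformat(ev["time"])
        last_seen[host] = t  # events are sorted, so this ends as the latest per host
        src, eid = ev["source"], ev["id"]
        if src == "sysmon" and eid == 6:
            # Driver load: anything outside the inventory is a BYOVD candidate, and a
            # driver whose signature is not valid (stolen/expired cert) is flagged too.
            if ev["sha256"] not in approved:
                findings.append(Finding(host, t, "unapproved-driver-load", ev["image"]))
            if ev.get("signature_status", "Valid") != "Valid":
                findings.append(Finding(host, t, "bad-signature-driver-load", ev["image"]))
        elif src == "sysmon" and eid == 13:
            if DEFENDER_KILL_VALUES.get(ev["target"]) == ev["value"]:
                findings.append(Finding(host, t, "defender-policy-disabled", ev["target"]))
        elif src == "scm" and eid == 7036:
            if ev["state"] == "stopped" and ev["service"] in PROTECTED_SERVICES:
                findings.append(Finding(host, t, "protected-service-stopped", ev["service"]))
    # A host that stops reporting is as suspicious as one that reports a kill; this
    # check has to run where the telemetry lands, because a dead sensor sends nothing.
    now = now or max(last_seen.values())
    for host, t in last_seen.items():
        if now - t > HEARTBEAT_GAP:
            findings.append(Finding(host, t, "telemetry-gap", f"last event {t.isoformat()}"))
    return findings


def kill_chain_hosts(findings, window=timedelta(minutes=15)):
    """Hosts where an unapproved driver load is followed within `window` by a Defender kill."""
    loads, kills = defaultdict(list), defaultdict(list)
    for f in findings:
        if f.rule == "unapproved-driver-load":
            loads[f.host].append(f.time)
        elif f.rule in {"protected-service-stopped", "defender-policy-disabled"}:
            kills[f.host].append(f.time)
    return sorted(h for h in loads
                  if any(timedelta(0) <= k - l <= window for l in loads[h] for k in kills[h]))


# Constructed sample telemetry: ws01 loads a legitimate-looking tuning driver plus an
# expired-signature companion, flips the Defender policy, loses WinDefend and goes quiet.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2025-08-06T09:00:00", "source": "sysmon", "id": 6,
     "image": r"C:\Windows\System32\drivers\intel_gpu.sys", "sha256": "aa" * 32,
     "signature_status": "Valid"},
    {"host": "ws01", "time": "2025-08-06T09:05:10", "source": "sysmon", "id": 6,
     "image": r"C:\Users\Public\cputune.sys", "sha256": "cc" * 32, "signature_status": "Valid"},
    {"host": "ws01", "time": "2025-08-06T09:05:12", "source": "sysmon", "id": 6,
     "image": r"C:\Users\Public\helper.sys", "sha256": "dd" * 32, "signature_status": "Expired"},
    {"host": "ws01", "time": "2025-08-06T09:05:15", "source": "sysmon", "id": 13,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"host": "ws01", "time": "2025-08-06T09:05:20", "source": "scm", "id": 7036,
     "service": "WinDefend", "state": "stopped"},
    {"host": "ws02", "time": "2025-08-06T09:00:00", "source": "sysmon", "id": 6,
     "image": r"C:\Windows\System32\drivers\edr_sensor.sys", "sha256": "bb" * 32,
     "signature_status": "Valid"},
    {"host": "ws02", "time": "2025-08-06T09:30:00", "source": "scm", "id": 7036,
     "service": "Spooler", "state": "stopped"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.time:%H:%M:%S} {f.rule}: {f.detail}")
    print("kill-chain hosts:", kill_chain_hosts(found))
```

Running the block lists six findings, all on ws01, and reports ws01 as the one host where an unapproved driver load was followed by a Defender kill; ws02's Spooler stop is ignored because the print spooler is not a protected service. In practice the events would come from a SIEM query and the inventory from the driver baseline recommended above; the correlation step matters because any one of these signals on its own is noisy, while the driver-then-kill sequence is the EDR-killer pattern the text describes.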

Further Reading

Sophos: “Shared secret: EDR killer in the kill chain” (Aug 6, 2025)

BleepingComputer: “New EDR killer tool used by eight different ransomware groups” (Aug 7, 2025)

BleepingComputer: “Akira ransomware abuses CPU tuning tool to disable Microsoft Defender” (Aug 6, 2025)

Halcyon: “Understanding BYOVD Attacks and Mitigation Strategies”

Tom’s Guide: “Akira ransomware’s latest trick disables Microsoft Defender via BYOVD” (Aug 2025)

SentinelOne: “FIN7’s AvNeutralizer and the commoditization of EDR-bypass tools”

CyberDesserts: “Ransomware in 2025: The New Criminal Playbook”
