{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"Ransomware Gangs Deploy Kernel-Level EDR Killers to Evade Detection","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/72dcae13\"></iframe>","width":"100%","height":180,"duration":2076,"description":"Ransomware gangs are no longer just encrypting files and demanding payment; they are actively targeting the defenses meant to stop them. Recent reports reveal a sharp rise in the use of EDR killer tools: malware built to disable Endpoint Detection and Response (EDR) and antivirus products from the kernel. By silencing these tools, attackers gain stealth, persistence, and freedom of movement across victim networks, leaving defenders blind to their activity until it is too late.\n\nCentral to this trend is the “Bring Your Own Vulnerable Driver” (BYOVD) technique. Attackers load a legitimately signed but outdated or insecure driver, which Windows accepts, and then exploit it to run privileged operations in the kernel: removing callbacks, killing protected processes, and tampering with security services. The LOLDrivers project has catalogued hundreds of such abusable drivers, which threat actors weaponize to neutralize leading security products.\n\nSeveral tools exemplify this escalation. EDRSilencer adds Windows Filtering Platform (WFP) filters that block EDR agents’ outbound telemetry, while EDRSandBlast uses vulnerable drivers to disable kernel callbacks, so defenders stop seeing malicious activity. NimBlackout and AuKill abuse commercial drivers such as GMER’s and even Microsoft’s Process Explorer driver to terminate EDR services before ransomware is deployed. RealBlindingEDR, an open-source tool, has been customized by ransomware groups such as Crypto24 to kill protections from nearly 30 security vendors. EDRKillShifter, wielded by RansomHub, Medusa, BianLian, and Play, dynamically loads vulnerable drivers and disrupts endpoint monitoring, often disguised as a legitimate Windows service.\n\nWhat makes detection even harder is attackers’ increasing use of “living off the land” techniques. Instead of relying only on custom malware, they repurpose legitimate tools such as HRSword (to terminate security processes), gpscript.exe (to run scripts through Group Policy), and vssadmin.exe (to delete volume shadow copies and hinder recovery), disabling protections while blending in with normal administrative activity. This tactic forces defenders to distinguish malicious...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}
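The episode description above names the two things a defender can actually pivot on when hunting BYOVD-based EDR killers: the LOLDrivers catalogue of known-vulnerable driver hashes, and the fact that tools like EDRKillShifter and AuKill drop their driver somewhere writable and load it on demand. The following is an added example, not code from the podcast, from LOLDrivers, or from any of the tools it mentions. It matches driver-load records (the field names follow Sysmon Event ID 6: ImageLoaded, Hashes, Signed) against a LOLDrivers-style list and also flags drivers loaded from user-writable directories. The catalogue entries, hashes, paths and events are all constructed sample data, and the assumed catalogue shape (entries with a KnownVulnerableSamples list carrying SHA256/SHA1/MD5 fields) is an approximation of the real feed, not a guarantee of its schema.

```python
"""Hunt for Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in driver-load events.

Added example (not from the podcast or any tool it names). Matches driver-load
records against a LOLDrivers-style list of known-vulnerable driver hashes and
flags drivers loaded from user-writable directories. Every hash, path and event
below is CONSTRUCTED sample data, not a real catalogue entry.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for a LOLDrivers-style catalogue. ASSUMPTION: each entry
# has an Id and a KnownVulnerableSamples list whose items carry hash fields.
VULNERABLE_DRIVERS = [
    {"Id": "example-0001", "Tags": ["procexp-like.sys"],
     "KnownVulnerableSamples": [{"SHA256": "a1" * 32, "MD5": "b2" * 16}]},
    {"Id": "example-0002", "Tags": ["gmer-like.sys"],
     "KnownVulnerableSamples": [{"SHA256": "c3" * 32, "SHA1": "d4" * 20}]},
]

# Directories a production kernel driver has no business being loaded from.
# EDR killers typically drop their signed-but-vulnerable driver in one of these.
SUSPICIOUS_DIRS = ("\\temp\\", "\\programdata\\", "\\users\\", "\\windows\\tasks\\")

# Constructed driver-load events using Sysmon Event ID 6 field names.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signed": "true"},
    {"ImageLoaded": "C:\\ProgramData\\svc\\procexp-like.sys",
     "Hashes": "SHA256=" + "a1" * 32 + ",MD5=" + "b2" * 16, "Signed": "true"},
    {"ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Hashes": "SHA1=" + "d4" * 20, "Signed": "true"},
]


def parse_hashes(hashes_field: str) -> dict[str, str]:
    """Split a Sysmon-style 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out: dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def build_index(entries: list[dict]) -> dict[tuple[str, str], str]:
    """Map every (algorithm, hash) pair in the catalogue to the entry Id it belongs to."""
    index: dict[tuple[str, str], str] = {}
    for entry in entries:
        for sample in entry.get("KnownVulnerableSamples", []):
            for algo in ("SHA256", "SHA1", "MD5"):
                value = sample.get(algo)
                if value:
                    index[(algo, value.lower())] = entry["Id"]
    return index


@dataclass
class Finding:
    image: str
    reasons: list[str] = field(default_factory=list)


def hunt(events: list[dict], index: dict[tuple[str, str], str]) -> list[Finding]:
    """Return one Finding per event that matches a known hash or a suspicious path.

    Note that a BYOVD driver is validly signed, so 'Signed' alone is not a signal;
    the hash match and the load location are what separate it from a normal driver.
    """
    findings: list[Finding] = []
    for ev in events:
        image = ev["ImageLoaded"]
        reasons: list[str] = []
        for algo, value in parse_hashes(ev.get("Hashes", "")).items():
            entry_id = index.get((algo, value))
            if entry_id:
                reasons.append(f"known vulnerable driver {entry_id} ({algo} match)")
                break
        if any(d in image.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("driver loaded from user-writable directory")
        if reasons:
            findings.append(Finding(image, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, build_index(VULNERABLE_DRIVERS)):
        print(f.image)
        for r in f.reasons:
            print("  -", r)
```

Hash matching only catches samples already in the catalogue, and the groups above have shown they will swap in a fresh driver when one gets blocked; the path heuristic is there so a newly weaponized driver dropped into Temp or ProgramData still surfaces even when its hash is unknown.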