Cybercriminals Exploit 34 Vulnerable Drivers to Bypass Security in Ransomware Attacks

Cybercriminals Exploit 34 Vulnerable Drivers to Disable Security Systems

Recent investigations have uncovered that 54 distinct Endpoint Detection and Response (EDR) disabling tools are exploiting a total of 34 vulnerable drivers through a method known as Bring Your Own Vulnerable Driver (BYOVD). This technique allows attackers to neutralize security software, paving the way for deploying ransomware without detection.

EDR killers have become a staple in ransomware attacks, enabling cybercriminals to disable security measures before initiating file-encrypting malware. This approach ensures that the ransomware operates undetected, increasing the likelihood of a successful attack.

Jakub Souček, a researcher at ESET, highlighted the challenges faced by ransomware gangs, especially those operating under a Ransomware-as-a-Service (RaaS) model. He noted that producing new builds of encryptors that remain undetected is time-consuming. Moreover, the inherently noisy nature of encryptors, which modify numerous files rapidly, makes them difficult to conceal.

To address these challenges, attackers employ EDR killers as specialized tools to disable security controls before executing the ransomware. This strategy keeps the ransomware simple, stable, and easier to update. However, there have been instances where EDR termination and ransomware modules are combined into a single binary, as seen with the Reynolds ransomware.

A significant number of EDR killers leverage legitimate yet vulnerable drivers to gain elevated privileges. Among the nearly 90 EDR killer tools identified by ESET, more than half utilize the BYOVD tactic due to its reliability.

The BYOVD attack method involves attackers bringing a signed but vulnerable driver onto the system to gain kernel-mode privileges, often referred to as Ring 0. At this level, code has unrestricted access to system memory and hardware. Because Windows driver signature enforcement blocks unsigned drivers, attackers cannot simply load a malicious driver of their own; instead they load a driver signed by a reputable vendor that has a known vulnerability and exploit it from user mode.

With kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and undermine endpoint protections. This abuse of Microsoft’s driver trust model allows them to evade defenses by exploiting the legitimacy of the signed but vulnerable driver.

The development and deployment of BYOVD-based EDR killers are primarily attributed to three types of threat actors:

1. Closed Ransomware Groups: Entities like DeadLock and Warlock that operate without affiliates.

2. Independent Attackers: Individuals who modify existing proof-of-concept code to create their own EDR killers, such as SmilingKiller and TfSysMon-Killer.

3. Cybercriminal Services: Operators who market EDR killer tools on underground forums, offering them as a service. Examples include DemoKiller (also known as Бафомет), ABYSSWORKER, and CardSpaceKiller.

ESET’s analysis also uncovered script-based tools that utilize built-in administrative commands like `taskkill`, `net stop`, or `sc delete` to disrupt the normal functioning of security product processes and services. Some variants combine scripting with Windows Safe Mode to enhance their effectiveness.

Operating in Safe Mode loads only a minimal subset of the operating system, excluding most security solutions. This increases the chances of successfully disabling protection mechanisms. However, this method is noisy, requiring a system reboot, which can be risky and unreliable in unfamiliar environments. Consequently, its use in the wild is relatively rare.
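The script-based tools described above leave a recognisable trail in process-creation telemetry. The following is an added detection example, not code from ESET or the article: it scans constructed Sysmon-style process-creation events for `taskkill`, `net stop` and `sc delete` aimed at security-product names, then flags hosts where several such hits cluster. The field names (`Computer`, `CommandLine`) and the `PROTECTED` name list are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Security-product process and service names to watch.  Constructed
# placeholders; a real deployment would list the vendor's actual names.
PROTECTED = {"edragent", "sensorsvc", "mydefender"}

# Built-in administrative commands the tools abuse, with the target captured.
PATTERNS = [
    ("taskkill", re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?(?P<target>[^\"\s]+)", re.I)),
    ("net stop", re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?(?P<target>[^\"\s]+)", re.I)),
    ("sc delete", re.compile(r"\bsc(?:\.exe)?\s+delete\s+\"?(?P<target>[^\"\s]+)", re.I)),
]

@dataclass(frozen=True)
class Hit:
    host: str
    technique: str
    target: str
    command_line: str

def is_protected(target: str) -> bool:
    """Normalise a process/service name and check it against PROTECTED."""
    return target.lower().removesuffix(".exe") in PROTECTED

def find_hits(events):
    """One Hit per event whose command line aims a watched command at a protected name."""
    hits = []
    for ev in events:
        cmd = ev["CommandLine"]
        for technique, pat in PATTERNS:
            m = pat.search(cmd)
            if m and is_protected(m.group("target")):
                hits.append(Hit(ev["Computer"], technique, m.group("target"), cmd))
                break
    return hits

def killer_hosts(events, threshold=2):
    """Hosts with at least `threshold` hits: one stop can be admin work, a burst
    against several security components looks like an EDR-killer script."""
    counts = Counter(h.host for h in find_hits(events))
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed process-creation events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "CommandLine": "taskkill /F /IM EdrAgent.exe"},
    {"Computer": "ws01", "CommandLine": 'net stop "SensorSvc"'},
    {"Computer": "ws01", "CommandLine": "sc delete MyDefender"},
    {"Computer": "ws02", "CommandLine": "taskkill /F /IM notepad.exe"},  # benign
    {"Computer": "ws02", "CommandLine": "net stop Spooler"},             # benign
    {"Computer": "ws03", "CommandLine": "sc delete EdrAgent"},           # single hit
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.technique} -> {hit.target}: {hit.command_line}")
    print("likely EDR-killer activity on:", killer_hosts(SAMPLE_EVENTS))
```

The per-host threshold is what separates routine administration from a kill script; tune it to how many security components an attacker would need to stop on your hosts.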

Another category of EDR killers includes anti-rootkits, which are legitimate tools designed to detect and remove rootkits. However, when misused, they can be employed to disable security measures, further illustrating the diverse tactics cybercriminals use to compromise systems.