ZCyberNews
Threat Intel | Severity: High | 4 min read

Ransomware Gangs Evolve EDR Evasion, Adopt New Driver-Based Killers

ESET Research reports ransomware operators are expanding their arsenal of EDR-killing tools, moving beyond exploiting vulnerable drivers to using legitimate but maliciously signed drivers for stealth.



Executive Summary

Ransomware threat actors are systematically deploying a broader range of tools designed to disable Endpoint Detection and Response (EDR) software, a critical step preceding file encryption. According to ESET Research, this evolution now includes the use of maliciously signed but legitimate kernel-mode drivers to terminate security processes, moving beyond the earlier, more publicized reliance on exploiting known vulnerabilities in legitimate drivers. This shift represents a significant escalation in operational security, making detection more difficult and increasing the likelihood of successful ransomware deployment.

Technical Analysis

The core technical advancement documented by ESET is the transition from exploiting vulnerable drivers (the "Bring Your Own Vulnerable Driver" or BYOVD technique) to deploying custom, malicious drivers that are digitally signed. These signed drivers abuse the high system privileges inherent to the Windows kernel to manipulate kernel data structures and terminate processes associated with EDR and antivirus agents. Unlike BYOVD, which leverages a flaw in an existing, often outdated driver from a reputable vendor, this method involves a driver written by the threat actor but fraudulently or deceptively signed, often through compromised or purchased certificates. This grants the driver the necessary trust to load into the kernel, where it can then disable security controls with minimal friction. The technique is a direct response to improved vendor and operating system defenses against the loading of known vulnerable drivers.

Tactics, Techniques & Procedures

The primary TTP observed is the Defense Evasion technique of Impair Defenses (TA0040), specifically sub-technique T1562.001: Disable or Modify Tools. The execution flow typically follows a pattern: initial access (often via phishing or exploitation), establishment of a foothold, lateral movement, and then, prior to ransomware detonation, the deployment of the EDR killer. The malicious driver is loaded, often using standard Windows utilities like PnPUtil.exe, and once operational, it scans for and terminates processes, threads, and driver modules belonging to a predefined list of security products. This process is designed to be surgical, leaving the rest of the system operational to ensure the ransomware payload can execute unimpeded.

Threat Actor Context

While ESET's report does not attribute this specific technique to named threat groups, the adoption of signed driver-based EDR killers is consistent with the behavior of sophisticated, financially motivated ransomware operations. These groups continuously invest in research and development to overcome security improvements. The move from BYOVD to custom signed drivers suggests a level of resourcefulness and access to either code-signing certificate theft or underground markets where such certificates can be acquired. This tactic is not the domain of a single group but is becoming a standardized tool in the broader ransomware ecosystem, indicating knowledge sharing or parallel development among affiliates and core developers.

Mitigations & Recommendations

Organizations should implement a layered defense strategy. Critical measures include:

  • Enforcing Driver Allowlisting: Configure policies to block the loading of drivers not explicitly signed by trusted publishers or not on an approved list. Microsoft's Hypervisor-Protected Code Integrity (HVCI) is a core technology for this.
  • Vigilant Certificate Management: Monitor for and investigate the installation of drivers signed by new or unexpected certificate authorities or publishers.
  • Enhanced EDR Configuration: Deploy EDR solutions with protected processes and kernel-level self-defense mechanisms that can detect and block attempts at termination.
  • Strict Privilege Management: Adhere to the principle of least privilege, ensuring standard user accounts cannot load kernel drivers, and rigorously control administrative access.
  • Network Segmentation: Limit lateral movement to contain the impact of a security tool disablement, buying time for detection and response.
  • Threat Intelligence Integration: Subscribe to feeds that provide indicators and behavioral patterns for emerging EDR evasion tools to update detection logic proactively.
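The driver allowlisting and certificate-monitoring recommendations above, and the PnPUtil-style driver loading described under Tactics, Techniques & Procedures, can be audited from a host with a short script. The following is an added example written for this article; it is not code from ESET Research, ZCyberNews, or any vendor. It enumerates the kernel drivers currently running, checks each file's Authenticode signer against a publisher allowlist, lists kernel-mode driver services installed recently (System log event 7045 from the Service Control Manager), and reports whether HVCI and Microsoft's vulnerable driver blocklist are active. The approved-publisher list is a constructed placeholder that must be replaced with the vendors actually approved in your environment; the 7045 property ordering and the `VulnerableDriverBlocklistEnable` registry value are assumptions about current Windows builds that should be verified on your own images.

```powershell
# Added example (not from the ESET report or the article): audit running kernel
# drivers and recent driver-service installs against an approved-publisher list.
# Run from an elevated PowerShell session on the host being reviewed.
#Requires -RunAsAdministrator

# Constructed placeholder allowlist: certificate subject CNs your estate trusts
# to ship kernel code. Add your EDR/AV vendor and hardware vendors here.
$ApprovedPublishers = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher'
)
$LookbackDays = 7

# The service database stores NT-style paths; convert them to Win32 paths so
# Get-AuthenticodeSignature can open the file.
function Convert-DriverPath {
    param([string]$Path)
    if (-not $Path) { return $null }
    $p = $Path -replace '^\\\?\?\\', ''                         # \??\C:\...  -> C:\...
    $p = $p -replace '^\\\\\?\\', ''                            # \\?\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\" # relative System32\... paths
    return $p
}

# Extract the CN from a certificate subject such as "CN=Foo, O=Bar, C=US".
function Get-SubjectCN {
    param([string]$Subject)
    if (-not $Subject) { return '<unsigned>' }
    return ($Subject -replace '^.*?CN=([^,]+).*$', '$1')
}

# 1. Running kernel drivers whose signer is not on the allowlist (or whose
#    signature does not validate). A "Valid" status only proves the code was
#    signed by some CA-trusted certificate; it does not prove the publisher
#    is one you approved, which is exactly the gap maliciously signed drivers use.
$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'") {
    $path = Convert-DriverPath $drv.PathName
    if (-not ($path -and (Test-Path -LiteralPath $path))) {
        [pscustomobject]@{ Driver = $drv.Name; Signer = '<file not found>'; Status = 'Unresolved'; Path = $drv.PathName; Approved = $false }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $cn  = Get-SubjectCN $sig.SignerCertificate.Subject
    [pscustomobject]@{
        Driver   = $drv.Name
        Signer   = $cn
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Path     = $path
        Approved = ($sig.Status -eq 'Valid' -and $cn -in $ApprovedPublishers)
    }
}

# 2. Kernel-mode driver services registered in the lookback window. Event 7045
#    is written whenever a new service (including a driver) is installed,
#    regardless of whether sc.exe, PnPUtil, or a custom loader created it.
#    Assumption: properties are [0]=ServiceName [1]=ImagePath [2]=ServiceType
#    [3]=StartType [4]=AccountName, as on current Windows builds.
$since = (Get-Date).AddDays(-$LookbackDays)
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -like '*kernel*' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            Account     = $_.Properties[4].Value
        }
    }

# 3. Platform controls: HVCI (SecurityServicesRunning contains 2) and the
#    Microsoft vulnerable driver blocklist (assumed registry value; present on
#    Windows 11 22H2 and later, absent on older builds).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$blocklist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
$blocklistOn = [bool]($blocklist -and $blocklist.VulnerableDriverBlocklistEnable -eq 1)

"== Running kernel drivers not signed by an approved publisher =="
$findings | Where-Object { -not $_.Approved } | Sort-Object Signer | Format-Table Driver, Signer, Status, Path -AutoSize
"== Kernel-mode driver services installed in the last $LookbackDays days (System event 7045) =="
$installs | Format-Table Time, ServiceName, Account, ImagePath -AutoSize
"HVCI running: $hvciRunning"
"Vulnerable driver blocklist enabled: $blocklistOn"
```

Two caveats when reading the output. First, a hit in the first table is a review item, not a verdict: many legitimate hardware drivers are signed by their vendor's own certificate and simply need to be added to the allowlist, which is the point of keeping the list under change control. Second, HVCI enforces that only validly signed kernel code runs; it does not by itself reject a driver carrying a valid signature from a stolen or purchased certificate, so the allowlist (or an equivalent WDAC policy) and the driver blocklist are what close that gap, and the 7045 query is the detection that should fire when something slips past them.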
