Signed drivers used to kill EDRs
- Researchers flagged 54 offensive tools that use 'bring your own vulnerable driver' (BYOVD) techniques to disable endpoint security.
- The campaign leverages 34 different vulnerable, signed drivers to evade defenses and tamper with EDRs.
- This shows attackers exploiting trusted driver signing to bypass endpoints, raising urgent inventory and mitigation needs for security teams (x.com/blueteamsec1/status/2045524662185267205).
Attackers are using legitimately signed Windows drivers as a crowbar to shut off endpoint defenses before ransomware runs, according to new ESET research. (welivesecurity.com) The trick is called “bring your own vulnerable driver,” or BYOVD: an attacker loads an older or flawed driver that Windows will trust because it is signed, then abuses that driver’s kernel-level access to kill security processes. (eset.com)

ESET said it tracked almost 90 endpoint detection and response (EDR) killer tools in real intrusions, and 54 of them used BYOVD. In its March 19, 2026 research release, the company said those 54 tools abused 35 vulnerable drivers; it also documented script-based, anti-rootkit, and driverless variants. (welivesecurity.com)

EDR software watches endpoints such as laptops and servers for suspicious behavior, then blocks or investigates it. An EDR killer is a separate program attackers run first, after they already hold high privileges, to blind that watchdog before they launch the encryptor. (eset.com) ESET said ransomware affiliates prefer this split design because file-encrypting malware is noisy by nature: it has to touch a lot of files quickly. A dedicated killer lets crews keep the encryptor simple and rebuild it often while reusing the same defense-disabling component. (thehackernews.com)

The researchers said driver-based clues alone can mislead incident responders. The same vulnerable driver can show up in unrelated tools, and the same tool can switch drivers, because affiliates — not just ransomware operators — often choose and modify the EDR killer they bring into a victim network. (welivesecurity.com)

ESET tied the broader rise of these tools to the ransomware-as-a-service economy, where affiliates rent malware and supporting services. In a March 2025 study of RansomHub, the company said it had already seen affiliates reusing public proof-of-concept code and leaning on a relatively fixed set of abused drivers. (welivesecurity.com)

Microsoft has been tightening its response on the platform side. Its official documentation says the vulnerable driver blocklist is enabled by default on Windows 11 version 22H2 devices, and the list is updated to block known risky drivers used in BYOVD attacks. (support.microsoft.com) Microsoft also says the blocklist is not guaranteed to catch every vulnerable driver, because the company balances security against compatibility and reliability. That leaves defenders with an inventory problem as well as a detection problem: they need to know which signed drivers are present on their hosts, not just which malware files appear later. (learn.microsoft.com)

ESET’s latest point is that the signed driver itself is often the opening move, not the payload. If the operating system trusts the wrong kernel component, the attacker can turn that trust into a way to silence the tools meant to stop them. (welivesecurity.com)
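One way to start the driver inventory the article calls for, as an added example that is not ESET's or Microsoft's code: a PowerShell pass over the kernel drivers registered on a Windows host that records each file's SHA256 and Authenticode signer and flags any match against a blocklist the defender supplies. The blocklist values below are placeholders to be filled from Microsoft's published vulnerable driver blocklist or your own intelligence.

```powershell
# Added example: inventory registered kernel drivers and flag blocklist matches.
# PLACEHOLDER entries: replace with hashes / file names from Microsoft's
# vulnerable driver blocklist or your own threat intelligence.
$BlockedHashes    = @('PLACEHOLDER_SHA256_FROM_BLOCKLIST')
$BlockedFileNames = @('placeholder.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports kernel-style paths (\??\C:\..., \SystemRoot\...,
    # or a bare relative path); normalize them to ordinary Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }                       # no backing file
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }    # file not present
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $name = [System.IO.Path]::GetFileName($path).ToLower()
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            StartMode   = $_.StartMode
            Path        = $path
            SHA256      = $hash
            SigStatus   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A valid signature proves nothing here: BYOVD drivers are signed.
            # The blocklist match is the signal that matters.
            Blocklisted = ($BlockedHashes -contains $hash) -or ($BlockedFileNames -contains $name)
        }
    }
}

$inventory = Get-DriverInventory
$inventory | Where-Object { $_.Blocklisted } | Format-Table Name, Path, Signer, SigStatus
# Keep the full inventory so later incidents can be compared against a known baseline.
$inventory | Export-Csv -Path "$env:TEMP\driver-inventory.csv" -NoTypeInformation
```

Run it from an elevated prompt so every driver file is readable; the CSV gives you the baseline of signed drivers to diff against when a new or unexpected driver appears.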