Security | 10 min read | Source: The Hacker News

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

Redakcja Pixelift (Pixelift editorial team)

Photo: The Hacker News

More than fifty tools for disabling endpoint protection use the BYOVD (Bring Your Own Vulnerable Driver) tactic to get past endpoint detection and response (EDR) software, abusing 34 drivers that are digitally signed by their vendors but contain known vulnerabilities. The attacker's tool still carries its own malicious code; what it borrows is a legitimate, vendor-signed kernel driver that Windows will load, and it then exploits a bug in that driver to act with kernel privileges. Because the driver's signature is valid, it is not blocked on that basis alone, and the kernel access it yields lets the attacker disable protection on the host and then spread across the network.

The response the article proposes has two parts. On the endpoint, known-vulnerable drivers must be prevented from loading at all (Microsoft's vulnerable driver blocklist enforced through HVCI or WDAC), because a valid signature is no longer a sufficient trust signal. On the network, moving to a Zero Trust Network Access (ZTNA) architecture, which connects users to individual applications rather than to the whole infrastructure, shrinks the attack surface and limits lateral movement: an attacker who compromises one host can reach far fewer systems from it. This requires a change in security approach, but it provides real defense in depth against attacks built on BYOVD.

The cybersecurity world is facing a problem that many assumed was already solved. 54 different tools for eliminating EDR (Endpoint Detection and Response) systems use the BYOVD technique, "bring your own vulnerable driver", to disable security protection on victims' computers. This is no longer a niche concern for a small circle of specialists. It is a threat that is systematically changing the landscape of ransomware attacks worldwide, and the Polish security market must prepare for it.

An analysis conducted by industry experts revealed something alarming: criminals are not creating new tools to attack protection systems. Instead, they are repurposing old system drivers, 34 legitimate, digitally signed drivers that contain known vulnerabilities. The attacker does not depend on the victim already having such a driver installed: the EDR killer carries its own copy of the driver, and because the signature is still trusted, Windows loads it even on computers that never shipped with that hardware. These drivers have become a universal key to disabling even the most advanced security systems. The root cause lies in the gap between hardware manufacturers, who sign drivers, and security companies, who discover their flaws: a driver's signature stays valid long after a vulnerability in it is published, and revoking it would break the hardware it supports.

For Polish organizations, especially those managing sensitive data or critical infrastructure, the message is clear: traditional approaches to protection are no longer enough on their own. EDR systems, which for years have been the last line of defense against ransomware, can be neutralized by attackers who need only public information about a driver vulnerability, a copy of the old driver, and local administrator rights on the victim machine to load it. It is time for a fundamental change in security strategy.

How BYOVD became a weapon of mass destruction in the hands of cybercriminals

The BYOVD technique is not new; security specialists have been describing it for at least several years. Its popularity among ransomware groups, however, has grown sharply in the last two years. The concept is simple: instead of developing their own kernel exploits, attackers look for old drivers with a known vulnerability. These drivers are digitally signed by their manufacturers, so Windows Driver Signature Enforcement accepts them and loads them into the kernel, where they run with the highest privileges the system has.

In practice, once a cybercriminal has a foothold in a victim's network (usually through phishing, a web application vulnerability, or a weak password) and has obtained local administrator rights, they drop one of these old drivers on the machine and register it as a kernel service. Windows checks the signature, finds it valid, and loads the driver; no signature warning is raised, because nothing about the signature is wrong. The attacker then sends the driver the crafted input that triggers its vulnerability, typically an IOCTL that grants arbitrary read and write access to kernel memory or lets any process be terminated. From that position they can blind or disable practically any security product (antivirus, EDR, firewall) before deploying ransomware.

What is particularly dangerous is that the 34 vulnerable drivers come from reputable manufacturers, companies such as MSI, ASUS, Gigabyte and others. These are drivers for graphics cards, motherboards and cooling systems. An average user would never suspect that a driver from a hardware manufacturer could be a tool for attack. These drivers sit in public download repositories, and their vulnerabilities are documented in the CVE (Common Vulnerabilities and Exposures) database. Attackers don't need to be geniuses; they need Internet access, basic knowledge of Windows, and administrator rights on the target.
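As an added example (not code from the original article or from the research it reports), the following PowerShell triages driver-load records shaped like Sysmon Event ID 6 (DriverLoad) against a list of known-vulnerable driver hashes and suspicious load paths. The sample events, the hash values and the vendor name in them are constructed placeholders, not real driver hashes; the block list would be populated from Microsoft's recommended driver block rules or the LOLDrivers export in real use. On a live host the same records come from `Get-WinEvent` against the Sysmon operational log, as the comment shows.

```powershell
# Added example: triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.
# Sample events and hashes below are CONSTRUCTED placeholders, not real driver hashes.
# On a live host, collect real records with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }

# Placeholder block list (hypothetical entries). In practice populate it from
# Microsoft's recommended driver block rules or the LOLDrivers export (loldrivers.io).
$KnownVulnerableSha256 = @{
    'AAAA000000000000000000000000000000000000000000000000000000000001' = 'placeholder-vendor-tool.sys'
    'AAAA000000000000000000000000000000000000000000000000000000000002' = 'placeholder-oc-utility.sys'
}

# Locations from which a legitimate kernel driver is almost never loaded.
$SuspiciousPathPatterns = @(
    '^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\'
    '^[A-Z]:\\Windows\\Temp\\'
    '^[A-Z]:\\ProgramData\\'
    '^[A-Z]:\\Users\\Public\\'
)

function Get-Sha256FromSysmonHashes {
    # Sysmon stores hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
    param([string]$Hashes)
    foreach ($part in ($Hashes -split ',')) {
        $kv = $part -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0].Trim() -eq 'SHA256') {
            return $kv[1].Trim().ToUpperInvariant()
        }
    }
    return $null
}

function Test-DriverLoadEvent {
    param([pscustomobject]$Record)
    $reasons = New-Object System.Collections.Generic.List[string]

    $sha256 = Get-Sha256FromSysmonHashes $Record.Hashes
    if ($sha256 -and $KnownVulnerableSha256.ContainsKey($sha256)) {
        $reasons.Add("hash matches known-vulnerable driver $($KnownVulnerableSha256[$sha256])")
    }
    foreach ($pattern in $SuspiciousPathPatterns) {
        if ($Record.ImageLoaded -match $pattern) {
            $reasons.Add('loaded from a user-writable directory')
            break
        }
    }
    # A valid signature does NOT clear a driver: BYOVD drivers are validly signed by design.
    # A missing or invalid signature is only an extra signal, never the main one.
    if ($Record.SignatureStatus -ne 'Valid') {
        $reasons.Add("signature status is $($Record.SignatureStatus)")
    }

    [pscustomobject]@{
        UtcTime     = $Record.UtcTime
        ImageLoaded = $Record.ImageLoaded
        Signature   = $Record.Signature
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample records carrying the same fields as Sysmon Event ID 6.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2024-01-01 10:00:00'; ImageLoaded = 'C:\Windows\System32\drivers\ndis.sys'
        Hashes  = 'SHA256=BBBB000000000000000000000000000000000000000000000000000000000001'
        Signed  = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid'
    }
    [pscustomobject]@{
        UtcTime = '2024-01-01 10:05:12'; ImageLoaded = 'C:\Users\jkowalski\AppData\Local\Temp\svc.sys'
        Hashes  = 'SHA256=AAAA000000000000000000000000000000000000000000000000000000000001'
        Signed  = 'true'; Signature = 'Placeholder Hardware Vendor'; SignatureStatus = 'Valid'
    }
)

$SampleEvents | ForEach-Object { Test-DriverLoadEvent $_ } | Format-Table -AutoSize
```

The second sample record is the BYOVD shape worth alerting on: the signature is perfectly valid, yet the file was loaded from a user's Temp directory and its hash is on the block list. Tuning the signature check to raise alerts only on invalid signatures, as many default rules do, would miss it entirely.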

54 EDR Killer tools — from small scripts to advanced packages

The number of 54 different EDR elimination tools may seem surprising, but when you look at it more closely, it becomes completely understandable. In the cybercriminal ecosystem, there is no single standard. Different ransomware groups, different operations, different levels of sophistication — each creates or adapts tools tailored to their needs. Some of these 54 tools are advanced packages with a graphical interface, others are simple PowerShell scripts that can be run in seconds.

Among them are tools such as Terminator, which loads a vulnerable Zemana anti-malware driver to terminate security processes; KDMapper, which abuses Intel's iqvw64e.sys network diagnostics driver to manually map unsigned code into the kernel; and mimidrv, the signed kernel driver that ships with Mimikatz. Each is well known in security circles, yet all remain in active use. Their popularity comes down to simple economics: developing a new tool is costly, and a new tool is more likely to be flagged by security vendors. Why build something new when an existing tool can be adapted to a newly disclosed vulnerability? That mentality drives this ecosystem.

Polish organizations must understand that each of these 54 tools poses a potential threat. Not all of them will be used against Polish companies, but any one of them could be. Ransomware groups such as LockBit or BlackCat (ALPHV) do not operate in a vacuum. They exchange tools, copy techniques and adapt strategies. If an EDR Killer tool works in Germany, it will be tested in Poland. If it works in Poland, it will be used in the Czech Republic.

Signed drivers as the Trojan Horse of our time

One of the great ironies of modern security is that the digital signature, a mechanism created to protect against malicious software, has become a tool for attackers. When Microsoft and other manufacturers introduced code signing for drivers, the goal was to ensure that only software from a trusted source could enter the kernel. The mechanism answers "who built this?", not "is this safe?", and it was not designed for the case where a trusted source (a hardware manufacturer) ships code with vulnerabilities. Signatures are rarely revoked, because revoking one would break every machine that legitimately depends on that hardware, and Windows still loads drivers signed under the old cross-signing program with certificates issued before its July 2015 cut-off, so an old driver stays loadable indefinitely.

Vulnerabilities in drivers are usually not the result of malice; they are ordinary bugs that the manufacturer did not catch in testing: missing input validation in IOCTL handlers, buffer overflows, and access control problems such as exposing physical memory or model-specific registers to any local process. Many exist for years before being discovered. The manufacturer then releases a fixed version, but the old signed binary keeps loading unless Microsoft adds its hash or signing certificate to the vulnerable driver blocklist, so the attacker simply ships the old version with the tool. An old driver, a known vulnerability, a public exploit: an ideal situation for attackers.

The Polish IT industry must accept that it cannot rely on code signing alone. Keeping drivers up to date is still sound hygiene, but it does not by itself stop BYOVD: the attacker brings the vulnerable driver along, so what matters is whether the system will refuse to load a known-bad driver that carries a valid signature. Every machine where that refusal is not enforced is a potential gateway to the kernel.

Why EDR is no longer a sufficient line of defense

Over the last decade, EDR has become the holy grail of security. Organizations have invested millions of zlotys in advanced EDR systems, believing they protect them from the latest threats. EDR is indeed a powerful tool: it can detect anomalies in process behavior, analyze attack chains, and even automatically isolate infected machines. But EDR has a fundamental dependency: its user-mode agent relies on a kernel driver (a file-system minifilter plus process, thread and image-load notification callbacks) for its visibility, and that driver is protected only by the integrity of the kernel itself. An attacker who gains arbitrary kernel read and write through a vulnerable driver operates at the same privilege level as the EDR's own driver, with nothing above it to enforce the separation.

When an attacker gains that kind of kernel access through a vulnerable driver, EDR becomes practically useless. It's like having a great alarm system in your home, but the burglar has the key to the alarm's control box. From the kernel, the attacker can remove the EDR's registered callbacks so it no longer sees process, thread and image-load events, unhook its file-system minifilter, patch its driver in memory, or terminate its processes even though they run as Protected Process Light, and then block its communication with the management server. The agent may keep running and reporting green while it sees nothing.

This means that organizations that placed all their hopes on EDR must now rebuild their defensive strategy. EDR is still important, but it must be one layer in a multi-layered approach. Without that, organizations remain exposed to the same type of attack that has caused significant losses for Polish companies over the past few years.

Paradigm shift: from perimeter protection to access protection

If traditional EDR is not enough, what should organizations do? The answer lies in a fundamental change in approach to security. Instead of relying on protection after an attacker penetrates the network — which is increasingly difficult — organizations must focus on access control and minimizing attack surface. This is a shift from the "defend the perimeter and then trust everything inside" model to the "never trust, always verify" model.

Zero Trust Network Access (ZTNA) approach is becoming an essential element of a modern security strategy. Instead of traditional VPNs, which give users access to the entire corporate network (and thus the entire attack surface), ZTNA allows users to connect directly to the applications they need. Every connection is verified, every user is authenticated, every access is logged.

For Polish organizations, especially those implementing hybrid work, ZTNA offers significantly better protection than traditional VPNs. An employee working from home does not have access to the entire network; they have access only to the applications they need. If their computer is compromised, the attacker's lateral movement is limited to what that identity is allowed to reach, rather than to whatever the network would route. ZTNA does not prevent an EDR killer from running on the compromised endpoint itself; its value is in containing what the attacker can do from there. This is a fundamental change in the security model.

Polish infrastructure and BYOVD threat — risk analysis

The Polish IT and security industry faces a specific challenge. Many Polish organizations, especially medium-sized enterprises and public institutions, run on older equipment. Computers that were state-of-the-art five years ago are still in production. Many of them run older Windows builds on hardware without the virtualization features that HVCI needs, so the kernel protections that would refuse a known-vulnerable driver are never switched on. That, more than the age of the drivers already installed, is what makes such a fleet an ideal environment for BYOVD attacks.

Additionally, the Polish industry has a tradition of low IT security budgets. Organizations often choose the cheapest EDR solutions instead of more advanced platforms. This means that when an attacker disables EDR through BYOVD, the organization remains practically without defense. Lack of multi-layered security approach, lack of ZTNA, lack of network microsegmentation — these are typical characteristics of the Polish security landscape.

Ransomware groups know this. Poland is perceived as a target with medium risk and high profit potential. Companies have money, but don't invest enough in security. This is a combination that attracts attackers. Over the past two years, Polish companies have suffered losses reaching tens of millions of zlotys due to ransomware attacks that could have been prevented by blocking known-vulnerable drivers and building a multi-layered defense.

Practical steps: how to defend against BYOVD

Although the threat is real, organizations have tools to defend themselves. The first step is driver inventory and monitoring. Every organization should know which kernel drivers are installed and loaded on every computer, and should record each new driver load as it happens, because an EDR killer introduces a driver that was not there before. This is a demanding task, but for medium and large organizations it is essential. Microsoft Intune or another device management platform (Jamf on the Apple side) can collect installed-driver data, and Sysmon's driver-load event supplies the per-load telemetry.

The second step is to block known-vulnerable drivers from loading, not merely to update them. Because the attacker supplies the driver, patching the copies already installed is hygiene rather than a control. Microsoft maintains the Vulnerable Driver Blocklist (published as its recommended driver block rules), which refuses to load drivers by hash, file name or signing certificate; it is enforced through HVCI or a Windows Defender Application Control (WDAC) policy and is enabled by default on current Windows 11 builds. Organizations should confirm it is actually enforced, keep the policy current, and compare their inventory against it and against community lists such as the LOLDrivers project.

The third step is kernel-mode protection. Rather than relying on the EDR's own driver to defend itself, organizations should turn on Hypervisor-Protected Code Integrity (HVCI), which uses virtualization-based security to ensure that only signed, policy-approved code can execute in the kernel. HVCI does not by itself reject a signed driver that is merely vulnerable; its contribution is that it enforces the blocklist above and stops the second stage many EDR killers rely on, executing unsigned code that was mapped into the kernel through the vulnerable driver. It is not perfect, but it significantly raises the cost of the attack.

The fourth step is implementing ZTNA and microsegmentation. Even if an attacker gains full control of one computer, kernel included, they should not have access to the entire network. The first three steps harden the endpoint; this one limits what a compromised endpoint can reach. ZTNA and microsegmentation restrict lateral movement and force the attacker to take additional, detectable steps to reach their goal.
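As an added example for the inventory, block-list and kernel-protection steps above (not code from the original article), the following PowerShell, run in an elevated session on the host being audited, lists every kernel driver Windows has registered together with its on-disk SHA-256 and Authenticode signer, checks each hash against a block list, and reports whether HVCI and the Microsoft Vulnerable Driver Blocklist are actually enforced. The hash list is a placeholder to be fed from Microsoft's recommended driver block rules or the LOLDrivers export; the `Win32_DeviceGuard` fields and the `VulnerableDriverBlocklistEnable` registry value are the documented ones.

```powershell
# Added example: host posture audit for BYOVD. Run in an elevated PowerShell.
# The block list below is a PLACEHOLDER (hypothetical entry); in real use load hashes
# from Microsoft's recommended driver block rules or the LOLDrivers export (loldrivers.io).
$KnownVulnerableSha256 = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder-vuln-driver.sys'
}

function Get-KernelProtectionStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($null -ne $dg -and @($dg.SecurityServicesRunning) -contains 2)

    # Microsoft Vulnerable Driver Blocklist toggle (on by default since Windows 11 22H2).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklistOn = ($null -ne $ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistOn
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may use NT-style prefixes; normalize to a Win32 path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverInventory {
    # Every kernel driver registered as a service, with on-disk hash and Authenticode signer.
    # Microsoft's own drivers are usually catalog-signed: Get-AuthenticodeSignature reports
    # SignatureType 'Catalog' for those, still with Status 'Valid'.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sha256 = $null; $signer = $null; $sigStatus = 'FileMissing'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig       = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name            = $_.Name
            State           = $_.State
            StartMode       = $_.StartMode
            Path            = $path
            Sha256          = $sha256
            Signer          = $signer
            SigStatus       = $sigStatus
            KnownVulnerable = [bool]($sha256 -and $KnownVulnerableSha256.ContainsKey($sha256))
        }
    }
}

$status = Get-KernelProtectionStatus
$status | Format-List
if (-not $status.HvciRunning -or -not $status.VulnerableDriverBlocklist) {
    Write-Warning 'HVCI or the vulnerable driver blocklist is not enforced: a signed but vulnerable driver will load for any local administrator.'
}

$inventory = Get-DriverInventory
# Report block-list hits first, then anything whose signature does not verify.
$inventory |
    Where-Object { $_.KnownVulnerable -or $_.SigStatus -ne 'Valid' } |
    Sort-Object -Property KnownVulnerable -Descending |
    Format-Table Name, State, StartMode, Path, SigStatus, KnownVulnerable -AutoSize
```

A block-list hit on a driver with State Running is the finding to act on immediately; a hit on a Stopped driver that nobody can account for usually means the driver was dropped by a tool rather than installed with hardware. The inventory only covers drivers registered as services, so pair it with the per-load telemetry from Sysmon for drivers that were loaded and then unregistered.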

The future of security: you cannot win with defense alone

The ultimate lesson from the analysis of 54 EDR Killer tools and 34 vulnerable drivers is this: the traditional security model — building ever higher walls — doesn't work. Attackers will always find a way to breach the wall. Instead, organizations must move to a model where they assume attackers are already inside the network and focus on limiting what they can do.

For the Polish IT and security market, this means a fundamental change in the way of thinking. Investments in ZTNA, microsegmentation, identity and access management, as well as continuous monitoring and audits must become the norm, not the exception. Organizations that quickly adapt to this new paradigm will be protected. Those that stick to the old perimeter defense model will become increasingly exposed.

Cybercriminals will not wait. The number of EDR Killer tools will grow. The number of vulnerable drivers will grow. Attacks will become more sophisticated. The Polish industry must act now to prepare for what lies ahead.
