In 2026, the first move in most ransomware intrusions is not encryption — it is blinding the endpoint defence. “EDR killers” built on Bring-Your-Own-Vulnerable-Driver (BYOVD) are now a standard component of the attack playbook.
How BYOVD actually works
EDR runs as a protected process in kernel-adjacent space, so user-mode malware cannot simply kill it. BYOVD gets around this by loading a legitimately signed but vulnerable driver, then abusing its kernel primitive to terminate or blind the EDR from the kernel itself. Classic abused drivers include RTCore64.sys (MSI Afterburner), gdrv.sys (Gigabyte), and truesight.sys. Tooling like AuKill and RansomHub’s EDRKillShifter productised this for affiliates.
The flow: drop a signed vulnerable driver, register it as a kernel service, send crafted IOCTLs to gain an arbitrary kernel read/write, then walk the process list and strip the EDR’s protection or kill its threads.
Why it is so effective
- The driver is signed — it passes signature checks that block unsigned code.
- The kill happens in the kernel, below most user-mode telemetry.
- Once the EDR is blind, the rest of the intrusion (lateral movement, exfil, encryption) runs unobserved.
Defences that work
- Enable the Microsoft Vulnerable Driver Blocklist. On Windows it blocks known-abused drivers at the HVCI layer:

  # Windows Security > Device Security > Core Isolation, or via policy.
  # Verify it is on (SecurityServicesRunning containing 2 means HVCI is running):
  Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

- Turn on HVCI / Memory Integrity so unsigned and known-vulnerable drivers cannot load.
- Hunt for driver drops: a new kernel-service registration plus a driver written to C:\Windows\System32\drivers\ by a non-system process is a high-signal detection.
- Turn on tamper protection for your EDR, and alert on EDR-agent service stops or telemetry gaps.
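As an added example (not code from the original post), the driver-drop hunt above written as correlation logic in Python: a Sysmon Event ID 11 file write into the drivers directory by an untrusted process is paired with a System Event ID 7045 kernel-mode service registration of the same file. The event records are constructed, and the field names, the trusted-writer allowlist and the ten-minute window are assumptions to tune per estate.

```python
from datetime import datetime, timedelta

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(minutes=10)
# Drivers the post names as classically abused; a name match is a bonus signal, not the rule
KNOWN_ABUSED = {"rtcore64.sys", "gdrv.sys", "truesight.sys"}
# Processes allowed to write drivers as SYSTEM (assumption for this example; tune per estate)
TRUSTED_WRITERS = {"c:\\windows\\system32\\drvinst.exe"}

def normalize_path(p):
    """Fold the ImagePath forms seen in 7045 (\\SystemRoot\\..., system32\\..., \\??\\C:\\...) into one."""
    p = p.lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p

def is_trusted_writer(ev):
    return ev["user"].lower() == "nt authority\\system" and ev["image"].lower() in TRUSTED_WRITERS

def find_driver_drops(events):
    """Pair a Sysmon 11 write into the drivers dir by an untrusted process with a 7045 kernel-service registration of that file inside WINDOW."""
    pending, findings = {}, []          # pending: driver path -> the suspicious write event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 11:
            path = normalize_path(ev["target"])
            if path.startswith(DRIVER_DIR) and not is_trusted_writer(ev):
                pending[path] = ev
        elif ev["event_id"] == 7045 and ev["service_type"].lower() == "kernel mode driver":
            path = normalize_path(ev["image_path"])
            write = pending.pop(path, None)
            if write and ev["ts"] - write["ts"] <= WINDOW:
                findings.append({"service": ev["service_name"], "driver": path,
                                 "dropped_by": write["image"], "user": write["user"],
                                 "known_abused": path.rsplit("\\", 1)[-1] in KNOWN_ABUSED})
    return findings

T0 = datetime(2026, 1, 15, 9, 30)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ts": T0, "event_id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "user": "CORP\\alice", "target": "C:\\Windows\\System32\\drivers\\RTCore64.sys"},
    {"ts": T0 + timedelta(seconds=5), "event_id": 7045, "service_name": "rtcore64",
     "service_type": "kernel mode driver", "image_path": "\\SystemRoot\\System32\\drivers\\RTCore64.sys"},
    {"ts": T0 + timedelta(minutes=2), "event_id": 11, "image": "C:\\Windows\\System32\\drvinst.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": "C:\\Windows\\System32\\drivers\\vendorcam.sys"},
    {"ts": T0 + timedelta(minutes=2, seconds=3), "event_id": 7045, "service_name": "vendorcam",
     "service_type": "kernel mode driver", "image_path": "system32\\drivers\\vendorcam.sys"},
]
```

Running `find_driver_drops(SAMPLE_EVENTS)` flags only the user-Temp-to-drivers-directory drop; the SYSTEM-owned installer pair is ignored because the writer is on the allowlist.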
For Indian teams
RBI- and SEBI-regulated entities are expected to detect and respond to exactly this class of defence-evasion. RingSafe red-team engagements emulate BYOVD so your blue team learns to catch the driver drop, not just the ransom note. See our VAPT & red-team services.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.