
EDR Killers Exploit 35 Signed Drivers Using BYOVD Technique

21 March 2026 by TechStora

Recent research has identified 54 tools that target endpoint detection and response (EDR) products by using a method called bring‑your‑own‑vulnerable‑driver (BYOVD). These tools rely on a total of 35 drivers that were signed by legitimate vendors but contain known flaws.

By loading a vulnerable driver, an attacker can obtain kernel‑mode (Ring 0) privileges, which give unrestricted access to system memory and hardware. Because Windows only accepts drivers that are signed, the malicious code brings a signed driver that can be abused, then uses it to turn off or bypass security components before the ransomware payload runs.

The technique is popular among ransomware‑as‑a‑service groups. New encryptor builds are released frequently, and each build must avoid detection. Using a BYOVD component lets the encryptor stay simple while the driver handles the privilege escalation.

In some cases the EDR‑killer and the encryptor are merged into a single binary, but most of the observed samples keep the functions separate. This modular approach makes it easier for attackers to update one part without changing the other.

Defenders can improve protection by monitoring driver loading events, checking loaded drivers against known-good and known-vulnerable lists (a valid signature alone is not enough, because the abused drivers are legitimately signed), and restricting the ability of non‑administrative accounts to install drivers. Keeping the operating system and driver packages up‑to‑date reduces the pool of vulnerable drivers that can be abused.
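The driver-load monitoring described above, as an added example (not code from the article): it classifies constructed records shaped like Sysmon Event ID 6 (DriverLoad) fields against placeholder allow and block lists and flags loads from outside the system driver directory; the hash values and list contents are assumptions, not real driver hashes.

```python
from typing import Dict, List

# Constructed sample records shaped like Sysmon Event ID 6 (DriverLoad) fields.
# Hash values are placeholders, not real driver hashes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk_ok.sys",
     "Hashes": "SHA256=AAAA0001", "SignatureStatus": "Valid", "Signature": "Trusted Vendor"},
    {"ImageLoaded": r"C:\Users\Public\svc\helper.sys",
     "Hashes": "SHA256=BBBB0002", "SignatureStatus": "Valid", "Signature": "Hardware Co"},
    {"ImageLoaded": r"C:\Windows\Temp\x.sys",
     "Hashes": "SHA256=CCCC0003", "SignatureStatus": "Unsigned", "Signature": ""},
]

# Placeholder baselines (constructed). In practice the block list would come from
# a vulnerable-driver blocklist and the allow list from your own fleet baseline.
KNOWN_GOOD_SHA256 = {"AAAA0001"}
KNOWN_VULNERABLE_SHA256 = {"BBBB0002"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'MD5=..,SHA256=..' field into a dict keyed by algorithm."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a driver-load event deserves attention (empty = benign)."""
    reasons: List[str] = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature missing or invalid")
    # A valid signature is not enough: BYOVD drivers are signed, so hash lists matter.
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches vulnerable-driver block list")
    elif sha256 not in KNOWN_GOOD_SHA256:
        reasons.append("hash not on known-good baseline")
    if not event.get("ImageLoaded", "").lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image path to the list of reasons it was flagged."""
    return {e["ImageLoaded"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(f"ALERT {path}: {'; '.join(why)}")
```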