EDR killers are becoming an increasingly favored tool among ransomware-as-a-service (RaaS) affiliates, with EDRKillShifter emerging as a notable threat. According to a recent report by ESET malware researchers Jakub Souček and Jan Holman, the tool is not alone—there has been a noticeable rise in the variety of EDR killers being used by attackers.

“However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates,” Souček and Holman wrote in the report.

These tools are designed to bypass endpoint detection and response (EDR) solutions that can typically recognize and block encryption payloads used in ransomware attacks. To remain undetected, affiliates rely on EDR killers, which presents a major hurdle for both cybersecurity vendors and internal IT security teams.

ESET’s defense approach includes flagging vulnerable drivers exploited by these tools as potentially unsafe, preventing their activation. The researchers urged organizations to implement similar protective measures.

They referenced the Living Off The Land Drivers (LOLD) project, which tracks over 1,700 vulnerable drivers. However, only a small subset of these are exploited for EDR killer activity, and that number has remained largely consistent.

Identifying and neutralizing these drivers remains a technical challenge. ESET’s analysis highlights how many EDR killers use obfuscated code to dodge early-stage detection. In particular, RansomHub’s EDRKillShifter conceals its shellcode using a 64-character password.

“Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver,” they wrote in the report.

Due to its effectiveness, EDRKillShifter has been adopted by a growing number of affiliates associated with rival ransomware groups since it was released as a service on the dark web.

ESET researchers said they saw a “steep increase” in activity following the release.