
In 2026 ransomware attackers first disable your security software — then they strike. BYOVD techniques and encryption-less extortion have become the new standard. What are EDR killers, how does BYOVD work, and which four measures break the attack chain?
Ransomware attackers are following a new playbook in 2026. Where attackers once demanded a ransom directly after encrypting files, security researchers now consistently observe an intermediate step that makes attacks far more dangerous: completely disabling security software before a single file is encrypted or stolen. The tools used for this are called EDR killers, and in the first half of 2026 they have grown into a standard component of professional ransomware attacks.
What makes this so alarming? The very security layer that should protect organisations becomes the first casualty. IT teams that rely on their endpoint detection and response solution face an attacker who has already disabled that solution before any alarm sounds. The result: attacks that proceed invisibly until the damage is done.
EDR killers are tools specifically designed to terminate security software on a device. They target processes belonging to well-known security products — CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, ESET, and Kaspersky — and forcibly shut them down at the kernel level. Once the EDR agent is no longer active, the attacker has free rein: encryption or data exfiltration can begin without detection.
In older attack scenarios, disabling security software was unreliable and noisy, because modern products actively protect themselves against being terminated from user mode. EDR killers circumvent that self-protection by operating not in user mode but directly in the kernel, the lowest and most privileged level of the operating system.
The most common technique behind EDR killers is BYOVD, Bring Your Own Vulnerable Driver. Attackers install on the target system a legitimate but vulnerable driver — often an outdated driver from a well-known hardware or software vendor — that has higher kernel privileges than ordinary applications. Through that driver they can force processes at the kernel level to close, including the EDR agent. The driver itself is signed by a trusted publisher and is therefore not immediately flagged as malicious.
Security researchers published an in-depth analysis in June 2026 of the GentleKiller framework used by the Gentlemen ransomware group. This group, active since August 2025, grew in less than a year from 35 victims in the final quarter of 2025 to 478 victims in more than 70 countries by mid-2026. The framework reuses BYOVD techniques from other criminal groups and bundles them into a modular toolkit. The groups Qilin and Warlock were also linked in April 2026 to BYOVD attacks that disabled more than three hundred different EDR products. The attack pattern is therefore no longer the work of a small avant-garde: it is broadly deployed and actively maintained.
Alongside the use of EDR killers, security researchers in 2026 are documenting a second shift: extortion without encryption. Traditionally, ransomware operators encrypted their victim's data and demanded a ransom for the decryption key. In a growing number of recent attacks, attackers skip the encryption step entirely. Instead, they steal data and threaten to publish it or sell it to third parties.
The impact on the victim is equally severe, but the approach is simpler, faster, and less risky for the attacker. Less complex tooling, a shorter dwell time in the network, and — critically — victims still pay. Many organisations cannot determine after such an attack exactly what was stolen, whether it has already been published, or to whom it has been sold. That uncertainty is enough to prompt payment.
A related trend is the use of legitimate cloud services for the data exfiltration itself. Security researchers documented in several recent incidents that attackers used Azure Copy to transfer stolen data to external storage locations. Azure traffic is less likely to stand out in log files because it is normally a routine part of business processes. Attackers choose this deliberately: hiding in normal traffic patterns.
No specific sector is immune, but attackers have become more selective. Fewer attacks, higher yield per victim — that is the pattern in the first half of 2026. Organisations holding critical data — customer records, intellectual property, financial information — but lacking mature security processes are the most attractive targets. That is not limited to large corporations: law firms, logistics companies, healthcare organisations, and manufacturing businesses with limited IT staff rank high on target lists.
Attackers typically follow a fixed path. An initial entry point via phishing, a vulnerable VPN, or exposed Remote Desktop Protocol. Then lateral movement to escalate administrator privileges. After that, installation of the EDR killer. And only then exfiltration or encryption. It is a structured, multi-phase process — not the random opportunistic attack of five years ago.
There are concrete technical measures that specifically address the BYOVD and EDR-killer tactic. They require active configuration, but are available on every modern Windows management platform.
The first measure is enabling Memory Integrity, also known as HVCI or Hypervisor-Protected Code Integrity, on Windows 11 devices. HVCI blocks the loading of unsigned or vulnerable drivers at the kernel level. It is a recommended setting in the Windows 11 security baseline available in Microsoft Intune. On older devices this can cause compatibility issues — test on a pilot group before broad deployment.
The second measure is activating the Microsoft vulnerable driver blocklist via Windows Defender Application Control or via the Intune security baseline. This list contains known vulnerable drivers that attackers exploit for BYOVD attacks and is periodically updated by Microsoft. Blocking these drivers removes an essential attack tool.
The third measure is enabling Tamper Protection on all managed devices. Products like Microsoft Defender for Endpoint include a built-in protection layer that prevents the EDR agent from being terminated by software. This is not always the default setting and warrants explicit verification in your Intune or Defender configuration.
The fourth measure is active monitoring for BYOVD indicators in your SIEM or MDR environment. Specific signals to watch for: the loading of unknown or outdated drivers, forced termination of security processes, and unusually high upload activity to cloud storage outside business hours. Actively monitoring these patterns enables an attack to be intercepted during preparation — before the actual payload executes.
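The first of those signals, an unknown or newly loaded driver, can be baselined locally as a complement to SIEM alerting. The script below is an added example, not tooling from the article or from Zarioh: it inventories the kernel drivers running on a device, diffs them against a stored snapshot, and lists drivers that are new since the snapshot or lack a valid Authenticode signature. `$BaselinePath` is an assumed location.

```powershell
# Added example (not the article's or Zarioh's tooling): inventory the kernel drivers
# running now, diff against a stored snapshot, and surface drivers that are new since
# the snapshot or lack a valid signature. $BaselinePath is an assumed location.
param([string]$BaselinePath = "$env:ProgramData\driver-baseline.json")

function Get-RunningDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # WMI may return kernel path forms such as \??\C:\... or \SystemRoot\...
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Version   = (Get-Item -Path $path -ErrorAction SilentlyContinue).VersionInfo.FileVersion
                SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Compare-DriverBaseline {
    param([object[]]$Current, [string]$Path)
    if (-not (Test-Path -Path $Path)) {
        # First run: persist the snapshot so later runs have something to diff against
        ConvertTo-Json -InputObject $Current | Set-Content -Path $Path
        Write-Host "Baseline written to $Path ($($Current.Count) drivers); re-run later to diff."
        return
    }
    $known = @{}
    foreach ($d in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) { $known[$d.Path.ToLower()] = $true }
    foreach ($drv in $Current) {
        $findings = @()
        if (-not $known.ContainsKey($drv.Path.ToLower())) { $findings += 'NEW-SINCE-BASELINE' }
        if ($drv.SigStatus -ne 'Valid')                    { $findings += 'SIGNATURE-NOT-VALID' }
        # A valid (even WHQL) signature says nothing about whether the driver is
        # vulnerable: a driver new since the baseline is the finding worth cross-checking
        # against the Microsoft vulnerable driver blocklist.
        if ($findings.Count -gt 0) {
            $drv | Add-Member -NotePropertyName Finding -NotePropertyValue ($findings -join ',') -PassThru
        }
    }
}

Compare-DriverBaseline -Current (Get-RunningDriverInventory) -Path $BaselinePath |
    Format-Table Finding, Name, Version, SigStatus, Signer -AutoSize
```

The first run only writes the snapshot; every later run reports drivers that appeared since, which is the event a SIEM rule should be raising as well.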
Three focused checks for the next two weeks. Verify whether HVCI is active on your Windows 11 devices via Intune Device Compliance or via the Device Security section of the Windows Security Center. Verify whether Tamper Protection is enabled via the Microsoft Defender for Endpoint portal under device settings. And verify whether your SIEM or MDR provider has alerts for the loading of vulnerable drivers — if that alerting is absent, it is a priority.
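For a single device the first two checks, plus the blocklist setting from the second measure, can be read locally. The script below is an added example and not code from the article or from Zarioh; it assumes an elevated PowerShell session on a Windows 11 device with Microsoft Defender installed, and reads the blocklist state from the registry value Microsoft documents for that setting.

```powershell
# Added example (not from the article or Zarioh): check HVCI, Tamper Protection and
# the vulnerable driver blocklist setting on the local device. Run elevated on Windows 11.
function Test-HvciRunning {
    # Win32_DeviceGuard lists running VBS services; value 2 = Hypervisor-enforced
    # Code Integrity (Memory Integrity), value 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

function Test-TamperProtection {
    # Defender reports its tamper protection state via Get-MpComputerStatus.
    $mp = Get-MpComputerStatus
    return [bool]$mp.IsTamperProtected
}

function Get-VulnerableDriverBlocklistState {
    # Microsoft documents this registry value as the switch for the vulnerable driver
    # blocklist (1 = enabled). When it is absent the platform default applies, so
    # 'NotSet' is reported instead of guessing.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$report = [ordered]@{
    'HVCI / Memory Integrity running'     = Test-HvciRunning
    'Defender Tamper Protection enabled'  = Test-TamperProtection
    'Vulnerable driver blocklist setting' = Get-VulnerableDriverBlocklistState
}
foreach ($entry in $report.GetEnumerator()) {
    '{0,-38} {1}' -f $entry.Key, $entry.Value
}
```

Any line showing False or Disabled is a device where the corresponding measure above has not taken effect, whatever the Intune policy says; the third check, SIEM alerting on vulnerable driver loads, is verified with your SIEM or MDR provider rather than on the endpoint.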
Attacks via EDR killers are no longer a theoretical risk. They are actively used by professionally organised groups and affect organisations that have already invested in endpoint security. The countermeasures exist, but require active configuration and monitoring. Want to know how your current endpoint configuration compares to these threats, or need help setting up HVCI, Tamper Protection, and BYOVD detection? Contact Zarioh for a technical conversation.