Your EDR logs show nothing suspicious. The vendor console says all agents are active. Then the SOC gets paged at 2 a.m.: ransomware encrypting file shares across three regions. The EDR was running, technically. It just wasn't doing anything useful after the attacker killed it six hours earlier.
This is the 2026 ransomware playbook. EDR killers and initial access brokers (IABs) have industrialised the path from initial foothold to full encryption—and most endpoint defences weren't built to survive it.
How initial access brokers became a supply chain problem
Initial access brokers don't deploy ransomware. They sell credentials, VPN sessions, and authenticated shells to ransomware groups—think of them as wholesale distributors for network access.
The IAB market has matured considerably. Accesses are listed, priced by revenue size of the target, and sold through tiered affiliate relationships. A ransomware operator no longer needs their own phishing infrastructure. They buy access that was compromised weeks or months earlier—often via unpatched VPN appliances, stolen RDP credentials, or cookie-hijacking campaigns targeting employees who reuse passwords across personal and work accounts.
This matters for your incident response posture. By the time ransomware operators are inside your network, they have been planning the encryption event. They have mapped your domain, identified your backup infrastructure, and in most cases, already tampered with your endpoint defences.
Detection at the IAB-to-operator handoff is nearly impossible without knowing the access was for sale. Your realistic detection window is between IAB access and active lateral movement—and that window is typically measured in days, not weeks [source: https://securelist.com/state-of-ransomware-in-2026/119761/].
The EDR killer toolkit: what operators actually deploy
EDR killers come in two broad categories: bring-your-own-vulnerable-driver (BYOVD) attacks and direct process termination via abused signed binaries.
BYOVD is the more dangerous class. The attacker loads a legitimate but vulnerable kernel driver—one with a known vulnerability that allows an arbitrary write primitive—and uses it to kill or blind EDR agent processes from kernel space. Defenders cannot stop this at the agent level once the driver is loaded; the agent is already dead.
Direct process termination is noisier but still effective against environments that don't monitor EDR process liveness. Attackers with sufficient local privilege can use Windows native tooling or custom utilities to stop EDR services. In environments where tamper protection is misconfigured or disabled by an admin troubleshooting a deployment, this works without any kernel exploits.
What changed into 2026 is the packaging. BYOVD tooling is now integrated into ransomware affiliate kits as a scripted pre-deployment step—executed automatically before the ransomware payload runs [source: https://www.adaptivesecurity.com/blog/ransomware-the-ultimate-2026-guide-for-cybersecurity-teams].
Key indicators to alert on:
- A new kernel driver loaded by a non-system process
- An EDR agent process stopping without a corresponding admin session
- Suspicious sc.exe or net stop commands targeting security services
Mapping the 2026 kill chain to your detection gaps
The modern ransomware kill chain follows a consistent sequence: IAB access → operator reconnaissance → EDR kill → lateral movement → data exfiltration → encryption. Each phase has detection opportunities, but defenders frequently have the wrong controls mapped to the wrong phase.
IAB access phase — This is usually a legitimate credential used from an unusual IP range or at an unusual time. Detection here is behavioural: impossible travel, first-seen ASN, new device fingerprint. MFA is necessary but insufficient if the attacker has both the credential and the session cookie. Reconnaissance phase — Domain controller queries, LDAP enumeration, and WMI queries for installed software. These generate noise in large environments, which is why they go undetected. Baselining legitimate admin tooling is difficult, but worth doing for your most critical asset groups. EDR kill phase — This is where most organisations discover the intrusion in retrospect. Alert on EDR agent heartbeat failures across multiple hosts within a short window. A single agent failure is probably hardware; multiple agents failing together is an attacker. Lateral movement and exfiltration — By the time ransomware operators are moving laterally, they have often already exfiltrated data for double extortion. Monitoring for large outbound transfers to cloud storage endpoints outside your approved list provides a second detection opportunity before encryption starts [source: https://www.blumira.com/blog/ransomware-protection-defense-playbook].Endpoint hardening that survives a dedicated attacker
The single most impactful configuration change is enabling tamper protection on every EDR deployment. This stops the direct-termination class of EDR killers without additional tooling. Most enterprise EDR platforms support it; many deployments have it disabled because someone was troubleshooting years ago and never re-enabled it.
Beyond tamper protection:
Block vulnerable drivers at the kernel — Windows HVCI (Hypervisor-Protected Code Integrity) prevents unsigned or blocklisted drivers from loading. The Microsoft Vulnerable Driver Blocklist covers the most commonly abused BYOVD drivers. Enable HVCI on all Tier 0 and Tier 1 servers. If critical servers cannot run HVCI due to hardware age, those are your highest-priority hardware refresh candidates. Instrument EDR liveness independently — Your SIEM should receive a heartbeat from every EDR agent, separate from the EDR vendor console. If an agent stops reporting, you want a SIEM alert, not a dashboard anomaly discovered days later. Limit Tier 0 exposure — Most IAB access starts at an internet-exposed service. Network segmentation that prevents a valid credential from directly reaching a domain controller or backup server from the internet adds friction without blocking legitimate admin work. Jump hosts with session recording add an audit trail. Test your restore path, not just your backup path — Ransomware operators routinely destroy shadow copies and backup agents before triggering encryption. Verify that your recovery procedure works after a backup agent has been killed. Offline or immutable backup is not optional for critical systems.When controls fail: building a recoverable incident baseline
Even with these controls, a determined attacker will sometimes succeed. The difference between a recoverable incident and an existential one is dwell time and the speed of isolation.
Build your runbook around two assumptions: the attacker has likely been present for more than a week, and at least one credential set is compromised. Start network isolation and credential rotation before you have a complete forensic picture.
Your containment checklist should include: network isolation of affected segments, immediate suspension of any account that authenticated from an unfamiliar source recently, a process snapshot before remediation begins, and a call to your cyber insurance carrier before you start remediation. Carriers often have IR retainer relationships that are faster and cheaper than ad-hoc engagements—and they want to be involved before you make changes that complicate the claim.
Ransomware kill chains now systematically strip endpoint defences before a single file is encrypted. CloudAnzen maps your EDR configuration, tamper protection state, and backup agent health to your incident response controls continuously—so gaps surface before an attacker exploits them. Talk to us.