Ransomware Attack Bypasses EDR with BYOI Technique

Industry | Written by Anthony M. Freed | Published on May 6, 2025

A newly discovered "Bring Your Own Installer" technique is being used to bypass SentinelOne’s tamper protection and disable its EDR agents, clearing the way for attackers to deploy Babuk ransomware.  

The technique, uncovered by researchers during a ransomware investigation, exploits a flaw in SentinelOne’s agent upgrade process. Instead of relying on third-party tools, threat actors use the legitimate SentinelOne installer to terminate active EDR processes.  

By forcefully stopping the install after it shuts down protections but before the new agent version launches, attackers leave devices unprotected, BleepingComputer reports.

The bypass does not depend on specific versions—Stroz Friedberg found it effective across multiple releases. Logs from the investigated incident showed attackers gained administrative access through a vulnerability, then ran the SentinelOne installer and killed the msiexec.exe process mid-install. This dropped the host offline in the SentinelOne console and allowed ransomware deployment.
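A defender-side correlation check for the sequence described above, added here as an example and not taken from the article, SentinelOne or Stroz Friedberg: it flags a SentinelOne installer run whose msiexec.exe process terminated without the agent process starting afterwards, while letting a normal upgrade pass. The flat Sysmon-style event shape, the sample events and the agent image name SentinelAgent.exe are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the incident): EventID 1 = process create,
# EventID 5 = process terminate. The dict shape and "SentinelAgent.exe" are assumptions.
SAMPLE_EVENTS = [
    # Interrupted install: msiexec dies 7 s in and no agent process ever starts.
    {"ts": "2025-01-10T10:00:00", "id": 1, "pid": 4120, "image": "msiexec.exe",
     "cmd": "msiexec.exe /i SentinelInstaller_windows_64bit.msi /quiet"},
    {"ts": "2025-01-10T10:00:07", "id": 5, "pid": 4120, "image": "msiexec.exe", "cmd": ""},
    # Normal upgrade: the new agent starts before msiexec exits.
    {"ts": "2025-01-10T11:00:00", "id": 1, "pid": 5300, "image": "msiexec.exe",
     "cmd": "msiexec.exe /i SentinelInstaller_windows_64bit.msi /quiet"},
    {"ts": "2025-01-10T11:01:30", "id": 1, "pid": 5402, "image": "SentinelAgent.exe",
     "cmd": "SentinelAgent.exe"},
    {"ts": "2025-01-10T11:02:00", "id": 5, "pid": 5300, "image": "msiexec.exe", "cmd": ""},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def detect_interrupted_agent_install(events, grace_seconds=120):
    """Return one alert per SentinelOne installer run whose msiexec process terminated
    without an agent process start between installer launch and terminate + grace.
    An install still running (no terminate event yet) is not alerted. PID reuse across
    a long log window could mis-pair events; scope the window per host in practice."""
    events = sorted(events, key=_t)
    agent_starts = [_t(e) for e in events
                    if e["id"] == 1 and e["image"].lower() == "sentinelagent.exe"]
    installs = {e["pid"]: e for e in events
                if e["id"] == 1 and e["image"].lower() == "msiexec.exe"
                and "sentinel" in e["cmd"].lower()}
    alerts = []
    for e in events:
        if e["id"] != 5 or e["pid"] not in installs:
            continue
        start, end = _t(installs[e["pid"]]), _t(e)
        deadline = end + timedelta(seconds=grace_seconds)
        if not any(start <= s <= deadline for s in agent_starts):
            alerts.append({"pid": e["pid"], "installer_started": start.isoformat(),
                           "msiexec_terminated": end.isoformat(),
                           "reason": "installer exited before agent process started"})
    return alerts

if __name__ == "__main__":
    for alert in detect_interrupted_agent_install(SAMPLE_EVENTS):
        print(alert)
```

A check like this complements the Online Authorization policy setting discussed below rather than replacing it; the host also dropping offline in the console is the corroborating signal to correlate against.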

SentinelOne privately issued mitigation guidance in January 2025, urging customers to enable the "Online Authorization" policy setting, which blocks unauthorized local upgrades or uninstalls. However, many environments still had it disabled. Ailes emphasized the importance of raising awareness, noting that even with guidance issued, clients remained vulnerable.

To help others, SentinelOne shared details with major EDR vendors. Palo Alto Networks confirmed that its EDR platform is not affected. This case highlights how native software functions—like installer behavior—can be hijacked if not properly secured and underscores the urgency of enforcing security policy settings in EDR deployments.

Takeaway: Let’s just call it what it is—attackers are turning your own tools against you. This “Bring Your Own Installer” trick is a perfect example. They’re not sidestepping security—they’re walking right through the front door, using legitimate installers to kill the EDR agent, then dropping ransomware while your system thinks everything’s normal.

This isn’t some fringe technique. Ransomware crews are putting real time and money into building EDR killers that don’t just evade—they neutralize. They know how endpoint protection works because they reverse-engineer it. They know exactly when to strike—like during an upgrade, when protections are temporarily offline—and they exploit that gap with surgical precision.

And here’s the truth most vendors won’t say out loud: EDR can be blinded, unhooked, or disabled. Full stop. Doesn’t matter how advanced the AI is or how pretty the dashboards are. If ransomware gets to the point where it’s encrypting files or stealing data, your EDR already lost.

The answer isn’t ditching EDR—it’s accepting that prevention alone isn’t enough. You need resilience. You need the ability to detect tampering and recover instantly when your first layer fails—because it will fail eventually.

Attackers aren't guessing. They’re executing playbooks. The question is whether your defenses are ready for the second move—because ransomware always comes with one.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
