
Ransomware Groups Exploit Driver Flaws to Disable Security Software

Cybersecurity researchers have identified a sophisticated attack method being used by ransomware operators to neutralize endpoint detection and response (EDR) tools on targeted systems. According to reports from Cisco Talos and Trend Micro, threat actors linked to the Qilin and Warlock ransomware families are employing a technique known as “bring your own vulnerable driver” (BYOVD) to disable more than 300 different security products.

The attacks aim to disarm the very software designed to protect computers, allowing the ransomware to deploy its payload without interference. This development represents a significant escalation in the tactics used by cybercriminal groups to ensure their malicious operations succeed.

Mechanics of the BYOVD Technique

The BYOVD method involves attackers installing a legitimate but outdated and vulnerable driver onto a compromised Windows system. Because these drivers are digitally signed by reputable hardware manufacturers, they are trusted by the operating system. The attackers then exploit known vulnerabilities within these drivers to gain high-level system privileges.

With this elevated access, the malicious code can directly interact with the Windows kernel, the core of the operating system. This enables the ransomware affiliates to terminate processes, delete files, and, most critically, disable security software. The technique is particularly effective because it operates at a privilege level that most security tools are not designed to monitor or block.

Specifics of the Qilin and Warlock Campaigns

In the case of Qilin ransomware attacks analyzed by Cisco Talos, the threat actors deploy a malicious dynamic-link library (DLL) file named “msimg32.dll.” This file is used to load a vulnerable driver, which then facilitates the disabling of security services. The driver exploited in these attacks is associated with a known hardware component, though specific identifiers are often stripped to hinder analysis.

Similarly, Warlock ransomware operators have been observed using the same core BYOVD methodology. By leveraging these flawed drivers, both groups can execute a pre-compiled list of commands designed to stop hundreds of EDR, antivirus, and other defensive processes. The comprehensive nature of this kill list suggests a high degree of planning and research into enterprise security environments.

Industry and Expert Response

The cybersecurity community has long been aware of the BYOVD threat. Microsoft has implemented measures such as vulnerable driver blocklists in Windows Defender and core isolation features like Memory Integrity in Windows Security. These defenses are designed to prevent unauthorized kernel-level access.

However, the continued success of these attacks indicates that not all systems have these protections fully enabled or updated. Security firms emphasize that the drivers being abused are old and have known Common Vulnerabilities and Exposures (CVE) entries. Their continued effectiveness highlights a gap between the availability of patches and their universal deployment across all endpoints in a network.
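The paragraph above says the attacks keep working because the protections are not enabled everywhere. The following PowerShell function is an added example (not code from the article, Cisco Talos or Trend Micro) that reports, for one host, whether the two protections the article names are actually on: Memory Integrity (HVCI, read from the Win32_DeviceGuard WMI class) and the Microsoft Vulnerable Driver Blocklist (read from the Code Integrity registry value Microsoft documents for that toggle). The function name and the output field names are this example's own choices; it must run in an elevated session.

```powershell
# Added example: audit whether kernel-driver protections are active on this host.
# Run from an elevated PowerShell 5.1+ session on Windows 10/11.

function Get-KernelDriverProtectionState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes VBS/HVCI state. In SecurityServicesRunning and
    # SecurityServicesConfigured, value 2 means HVCI (Memory Integrity).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $vbsRunning     = $dg.VirtualizationBasedSecurityStatus -eq 2
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # Microsoft Vulnerable Driver Blocklist toggle (DWORD 1 = enabled). A missing
    # value is reported as "not explicitly enabled" so it shows up as a gap to check.
    $ciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blValue = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
                                 -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistEnabled = ($blValue -eq 1)

    # Collect human-readable gaps so the object can feed a fleet-wide report.
    $gaps = @(
        if (-not $vbsRunning)       { 'Virtualization-based security is not running' }
        if (-not $hvciRunning)      { 'Memory Integrity (HVCI) is not running' }
        if (-not $blocklistEnabled) { 'Vulnerable Driver Blocklist is not enabled' }
    )

    [PSCustomObject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = $vbsRunning
        MemoryIntegrityConfigured = $hvciConfigured
        MemoryIntegrityRunning    = $hvciRunning
        VulnerableDriverBlocklist = $blocklistEnabled
        Gaps                      = $gaps
    }
}

# Usage: print the state for this host; an empty Gaps list means both protections are on.
Get-KernelDriverProtectionState | Format-List
```

Because the function returns an object rather than text, the same call can be run through Invoke-Command across a list of endpoints and the results filtered on a non-empty Gaps field, which is exactly the deployment gap the paragraph describes.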

Broader Implications for Enterprise Security

This activity underscores a persistent challenge in cybersecurity: no single defensive layer can be relied upon. When a single technique can undermine the primary endpoint security layer, organizations must rely on other controls. These include robust network segmentation, rigorous application allow-listing, and stringent privilege management to contain such breaches.

The fact that ransomware groups are systematically targeting and disabling EDR tools marks a shift towards more direct confrontation with security infrastructure. It moves beyond mere evasion, representing an active and aggressive counter-offensive against defensive software.

Looking ahead, security researchers and software vendors are expected to enhance behavioral detection for kernel-level activities and further harden driver validation processes. Organizations are advised to ensure that all kernel-mode driver protections are active and to maintain strict inventories of authorized drivers. The ongoing cat-and-mouse game between threat actors exploiting legacy vulnerabilities and defenders closing these avenues is likely to intensify, with driver security becoming an even greater focal point in enterprise security policies.
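The closing recommendation is to keep an inventory of authorized drivers and to watch for new kernel-mode drivers arriving on endpoints. The script below is an added example (not the article's or the vendors' code) of both halves of that advice in PowerShell: the first function lists running kernel drivers with their Authenticode signer and flags any not signed by the Microsoft publishers used as the default allow list, and the second pulls recent Service Control Manager event 7045 entries, which Windows writes when a new service is installed, and keeps those whose Service Type is a kernel-mode driver. The function names, the default signer list and the assumption of an English-language event message are this example's own.

```powershell
# Added example: driver inventory plus detection of newly installed kernel drivers.
# Run from an elevated PowerShell session; output is data for review, not a verdict.

function Get-KernelDriverInventory {
    [CmdletBinding()]
    param(
        # Assumed allow list: inbox and WHQL signers. Extend with your own vendors.
        [string[]]$TrustedSigners = @('Microsoft Windows',
                                      'Microsoft Windows Hardware Compatibility Publisher')
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' } |
      ForEach-Object {
        # PathName may carry NT-style prefixes; normalise to a Win32 path for signing checks.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        # Catalog-signed inbox drivers are verified through the system catalogs as well.
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        $cn     = if ($signer -match 'CN=([^,]+)') { $Matches[1] } else { $null }

        [PSCustomObject]@{
            Name       = $_.Name
            Path       = $path
            StartMode  = $_.StartMode
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer     = $cn
            # A validly signed third-party driver is not malicious by itself, but it is the
            # population BYOVD draws from, so anything outside the allow list gets reviewed.
            ReviewFlag = (-not ($cn -in $TrustedSigners)) -or (-not $sig) -or ($sig.Status -ne 'Valid')
        }
      }
}

function Get-RecentKernelDriverInstalls {
    [CmdletBinding()]
    param([int]$Days = 7)

    # SCM event 7045: "A service was installed in the system". EventData order is
    # ServiceName, ImagePath, ServiceType, StartType, AccountName. The text match
    # assumes an English message; match on Properties[2] for other locales.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'kernel mode driver' } |
      ForEach-Object {
          [PSCustomObject]@{
              Time        = $_.TimeCreated
              ServiceName = $_.Properties[0].Value
              ImagePath   = $_.Properties[1].Value
              ServiceType = $_.Properties[2].Value
          }
      }
}

# Usage: drivers needing review, then kernel drivers installed in the last week.
Get-KernelDriverInventory | Where-Object ReviewFlag | Format-Table Name, Signer, SigStatus, Path
Get-RecentKernelDriverInstalls -Days 7 | Format-Table Time, ServiceName, ImagePath
```

The inventory is the baseline; the 7045 query is the change detector. Comparing a fresh inventory against a stored one, or forwarding 7045 events to a SIEM, turns the article's advice into something an analyst can act on the day a new driver appears rather than after the EDR has already been stopped.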

Source: Cisco Talos, Trend Micro