The Qilin and Warlock ransomware groups have been found using vulnerable drivers to silence security tools on compromised hosts, a technique known as Bring Your Own Vulnerable Driver (BYOVD). The tactic lets them disable more than 300 EDR tools, making it difficult for organizations to detect and respond to attacks. Security researchers warn that this is a critical threat that organizations need to understand in order to defend against it.
The technique, recently documented by researchers, loads a legitimately signed but vulnerable driver and abuses it from the kernel to terminate security tooling. It has the potential to significantly impact organizations that are not prepared for attacks of this kind.
According to recent findings from Cisco Talos and Trend Micro, the Qilin ransomware group has been observed using the BYOVD technique to silence security tools running on compromised hosts. This is a particularly concerning development, as it highlights the evolving nature of cybersecurity threats and the need for organizations to stay up to date with current security best practices.
The Qilin ransomware group has been linked to 22 out of 134 reported ransomware incidents in Japan in 2025 alone, making it one of the most active ransomware groups in recent months. The group's tactics are becoming increasingly sophisticated, as they continue to update their toolset for enhanced persistence, lateral movement, and defense evasion.
One of the most notable aspects of Qilin's attacks is its use of a malicious DLL named "msimg32.dll," which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor in the market.
"The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component," said Takahiro Takeda and Holger Unterbrink, researchers at Talos. "This secondary payload is embedded within the loader in an encrypted form."
The DLL loader implements an array of techniques to evade detection, including neutralizing user-mode hooks, suppressing Event Tracing for Windows (ETW) event logs, and concealing control flow and API invocation patterns. As a result, the main EDR killer payload can be decrypted, loaded, and executed entirely in memory without triggering detection.
Once launched, the malware makes use of two drivers: rwdrv.sys, a renamed version of "ThrottleStop.sys" that's used to gain access to the system's physical memory and act as a kernel-mode hardware access layer; and hlpdrv.sys, which terminates processes associated with over 300 different EDR drivers belonging to various security solutions.
It's worth noting that both drivers have been used as part of BYOVD attacks carried out in conjunction with Akira and Makop ransomware intrusions. This highlights the sophistication and adaptability of these groups, who are continually updating their tactics to stay one step ahead of security professionals.
"Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without interference," Talos said. "It demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised systems."
The discovery of Qilin's BYOVD technique has significant implications for organizations that are not properly prepared to defend against these types of attacks. According to statistics compiled by CYFIRMA and Cynet, Qilin has emerged as the most active ransomware group in recent months, claiming hundreds of victims.
To protect themselves against these attacks, organizations need to understand the risk that Qilin's BYOVD technique represents. Defences include allowing only signed drivers from explicitly trusted publishers, monitoring driver installation events, and maintaining a rigorous patch management schedule for security software, specifically products with driver-based components that could be exploited.
"The Warlock (aka Water Manaul) ransomware group continues to exploit unpatched Microsoft SharePoint servers, while updating its toolset for enhanced persistence, lateral movement, and defense evasion," Trend Micro noted. "This includes the use of TightVNC for persistent control and a legitimate-but-vulnerable NSec driver ('NSecKrnl.sys') in a BYOVD attack to terminate security products at the kernel level, replacing the 'googleApiUtil64.sys' driver used in prior campaigns."
The discovery of Warlock's tactics highlights the need for organizations to stay up-to-date with the latest security best practices and to prioritize kernel integrity. This includes upgrading from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities.
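One way to operate the driver governance recommended above (the publisher allowlisting and driver installation monitoring in the Qilin mitigations, and the kernel-integrity checks in the Warlock guidance), as an added PowerShell example that is not code from the article, Cisco Talos or Trend Micro: it lists every running kernel driver with its signer and SHA-256, flags drivers that are unsigned, signed by a publisher outside the allowlist, on a hash blocklist, or renamed from their original file name (the article's rwdrv.sys is a renamed ThrottleStop.sys, so matching on file name alone is not enough), pulls recent kernel-driver installs from System log event 7045, and reports whether Microsoft's vulnerable driver blocklist value is set. The publisher list, the hash blocklist entry and the function names are placeholders and assumptions; the script is read-only.

```powershell
#Requires -RunAsAdministrator
# Added example: audits kernel drivers on a Windows host against the controls the article
# recommends. Not code from the article, Cisco Talos or Trend Micro. Read-only.

# Signer subjects you explicitly trust. PLACEHOLDER: replace with the certificate subjects
# of the driver vendors you have approved.
$TrustedPublishers = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

# SHA-256 hashes of driver files that must never load. PLACEHOLDER entry: populate from your
# own intelligence (e.g. hashes of the abused drivers named in vendor reporting).
$BlockedHashes = @('0000000000000000000000000000000000000000000000000000000000000000') |
    ForEach-Object { $_.ToUpperInvariant() }

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName and 7045 ImagePath use NT-style prefixes; normalise to Win32.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^[Ss]ystem32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-LoadedDriverReport {
    # Enumerates running kernel drivers and scores each against allowlist, blocklist and name.
    $running = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $running) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $orig   = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $findings = @()
        if ($sig.Status -ne 'Valid')                     { $findings += "signature status $($sig.Status)" }
        elseif ($TrustedPublishers -notcontains $signer) { $findings += 'signer not on allowlist' }
        if ($BlockedHashes -contains $hash)              { $findings += 'hash on blocklist' }
        # A renamed driver usually keeps its original name in the version resource;
        # a mismatch is a heuristic worth reviewing, not proof of abuse.
        if ($orig -and ($orig -ne (Split-Path -Leaf $path))) { $findings += "original name '$orig'" }

        [pscustomobject]@{
            Service  = $d.Name
            Path     = $path
            Signer   = $signer
            Sha256   = $hash
            Findings = ($findings -join '; ')
        }
    }
}

function Get-RecentDriverInstalls {
    # System log event 7045 ("A service was installed in the system") is also raised for kernel
    # drivers; its EventData order is ServiceName, ImagePath, ServiceType, StartType, AccountName.
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -like '*kernel*driver*' } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $_.Properties[0].Value
                ImagePath = Resolve-DriverPath $_.Properties[1].Value
                Account   = $_.Properties[4].Value
            }
        }
}

function Test-VulnerableDriverBlocklist {
    # Microsoft's vulnerable driver blocklist can be switched on with this CI\Config value
    # (documented under "Microsoft recommended driver block rules"). Returns $true only when the
    # value is explicitly 1; when it is absent, the Windows build's default applies, so verify.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return [bool]($v -and $v.VulnerableDriverBlocklistEnable -eq 1)
}

# Report: drivers with findings, then recent kernel-driver installs, then the blocklist state.
Get-LoadedDriverReport | Where-Object Findings | Sort-Object Service | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 7 | Format-Table -AutoSize
"Microsoft vulnerable driver blocklist value set: $(Test-VulnerableDriverBlocklist)"
```

Run it from an elevated session on a known-good host first to populate the allowlist with the signers you actually see; drivers from EDR vendors will otherwise show as "signer not on allowlist". The 7045 query gives a cheap baseline for driver installation monitoring, but for retrospective hunting it should be complemented by a forwarded driver-load telemetry source that records the image hash, since an attacker who has already loaded a driver may also clear the local log.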
"The reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity," Trend Micro said. "Thus, organizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities."
In conclusion, the discovery of Qilin's BYOVD technique highlights the evolving nature of cybersecurity threats and the need for organizations to stay up-to-date with the latest security best practices. By allowing only signed drivers from explicitly trusted publishers, monitoring driver installation events, and maintaining a rigorous patch management schedule, organizations can significantly reduce their risk of falling victim to these types of attacks.