Recent reports highlight the growing threat posed by the Qilin and Warlock ransomware groups, which have adopted the bring your own vulnerable driver (BYOVD) technique to undermine security defenses. According to investigations by Cisco Talos and Trend Micro, these groups use the technique to disable security tools on compromised systems.
Ransomware Techniques and Strategies
Qilin's strategy involves deploying a malicious DLL, 'msimg32.dll', to initiate a multi-stage infection process aimed at disabling endpoint detection and response (EDR) solutions. This DLL, loaded through DLL side-loading, can terminate over 300 EDR drivers from various security vendors, severely impacting system defenses.
The first phase of this attack uses a PE loader to set up the environment for the EDR-disabling component. Researchers Takahiro Takeda and Holger Unterbrink from Talos explain that the secondary payload is stored encrypted within this loader. The DLL loader employs multiple evasion techniques, such as bypassing user-mode hooks and suppressing Event Tracing for Windows (ETW) logs, allowing the EDR-disabling payload to execute stealthily in memory.
Exploiting Driver Vulnerabilities
Once activated, the malware uses two key drivers: 'rwdrv.sys', a modified 'ThrottleStop.sys', for physical memory access, and 'hlpdrv.sys', which terminates processes linked to numerous EDR drivers. Both drivers have been used in earlier BYOVD attacks, notably by the Akira and Makop ransomware groups.
The EDR-disabling component unregisters monitoring callbacks before loading the second driver, allowing the malware to terminate processes without hindrance. Talos highlights the sophisticated methods this malware employs to bypass modern EDR protections.
Prevention and Future Outlook
Statistics from CYFIRMA and Cynet reveal that Qilin has been notably active, linked to 22 of 134 ransomware incidents in Japan in 2025, accounting for 16.4% of attacks. Qilin primarily uses stolen credentials for initial access, focusing on post-compromise activity to expand its foothold and maximize impact. On average, ransomware deployment occurs six days after initial compromise, underscoring the need for early detection and prevention strategies.
Simultaneously, the Warlock ransomware group continues to exploit unpatched Microsoft SharePoint servers while updating its toolset for improved persistence and lateral movement. This includes using TightVNC for remote control and the NSec driver in BYOVD attacks to disable kernel-level security products.
Organizations are advised to permit only signed drivers from trusted publishers and to rigorously monitor driver installation events. Keeping patches current is crucial, particularly for software that ships exploitable driver components. Trend Micro emphasizes a multilayered defense approach focused on kernel integrity to counter these threats effectively.
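The driver-monitoring advice above can be turned into a simple triage rule. The following added example (not code from Talos, Trend Micro or the page) takes constructed records shaped like Sysmon Event ID 6 (Driver loaded) and flags loads that are unsigned, signed by a publisher outside an assumed allowlist, loaded from outside the system drivers directory, or named after the drivers discussed in this article; the signer names, paths and 'vendorfilter.sys' are constructed.

```python
import ntpath

# Driver file names tied to the BYOVD activity described above (rwdrv.sys is a
# modified ThrottleStop.sys). A name match is a lead for review, not proof.
WATCHLIST = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys"}
DRIVER_DIR = r"c:\windows\system32\drivers"

def assess(event: dict, allowed_signers: set[str]) -> list[str]:
    """Return the reasons a Sysmon Event ID 6 record deserves analyst review."""
    image = event.get("ImageLoaded", "")
    reasons = []
    if ntpath.basename(image).lower() in WATCHLIST:
        reasons.append("driver name on BYOVD watchlist")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        # A successful load here means the signed-driver policy is not enforced.
        reasons.append("unsigned or invalid signature: signed-driver policy gap")
    elif event.get("Signature") not in allowed_signers:
        reasons.append("signer not on trusted-publisher allowlist")
    if not ntpath.dirname(image).lower().startswith(DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons

def triage(events: list[dict], allowed_signers: set[str]) -> list[tuple[str, list[str]]]:
    """Pair each flagged driver's file name with its reasons; clean loads are dropped."""
    flagged = []
    for event in events:
        reasons = assess(event, allowed_signers)
        if reasons:
            flagged.append((ntpath.basename(event.get("ImageLoaded", "")), reasons))
    return flagged

# Constructed sample records mirroring Sysmon Event ID 6 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\rwdrv.sys", "Signed": "true",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\hlpdrv.sys", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\vendorfilter.sys", "Signed": "true",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
]
# Assumed allowlist: publishers whose kernel drivers this organization permits.
ALLOWED_SIGNERS = {"Microsoft Windows"}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS, ALLOWED_SIGNERS):
        print(f"{name}: {'; '.join(reasons)}")
```

Feeding real Sysmon Event ID 6 records in the same field layout lets the same rule run over a host's actual driver-load history.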
