Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

The Hacker News, Apr 6, 2026

Why It Matters

Disabling EDR at the kernel level erodes a core layer of modern cyber defense, exposing enterprises to faster ransomware deployment and data loss. The technique forces security teams to rethink endpoint protection strategies and prioritize driver integrity.

Key Takeaways

  • Qilin uses BYOVD to kill 300+ EDR drivers.
  • Malicious DLL msimg32.dll side‑loads and evades detection.
  • Drivers rwdrv.sys and hlpdrv.sys enable kernel‑level attacks.
  • Warlock adds NSecKrnl.sys driver for security tool termination.
  • Enforce signed driver policies and monitor installations.

Pulse Analysis

The BYOVD (bring your own vulnerable driver) approach represents a sophisticated evolution in ransomware tactics: threat actors bypass user‑mode defenses by loading legitimately signed but vulnerable kernel drivers that the operating system trusts. Qilin’s deployment of a malicious DLL, msimg32.dll, demonstrates how attackers can embed encrypted payloads, neutralize user‑mode hooks, and suppress ETW logs, effectively rendering traditional EDR solutions blind. By loading rwdrv.sys to access physical memory and hlpdrv.sys to terminate EDR drivers, the group can cripple over three hundred security products in a single campaign, accelerating the path to ransomware encryption.

Warlock’s recent campaigns illustrate the rapid adoption of similar driver‑based evasion techniques, this time leveraging the vulnerable NSecKrnl.sys driver to achieve kernel‑level control. Coupled with legitimate tools such as PsExec, TightVNC, and Cloudflare Tunnel, the group builds a multi‑vector persistence framework that supports lateral movement, data exfiltration via Rclone, and command‑and‑control through Visual Studio Code. The integration of these tools underscores a broader trend: ransomware operators are blending custom kernel exploits with off‑the‑shelf utilities to create resilient, hard‑to‑detect infection chains.

For organizations, the rise of BYOVD attacks mandates a shift from conventional endpoint protection to comprehensive driver governance. Enforcing strict driver signing policies, continuously monitoring driver installation events, and maintaining an aggressive patch‑management cadence are essential controls. Additionally, investing in kernel‑integrity monitoring platforms can provide early warning of unauthorized driver activity. As ransomware groups continue to refine kernel‑level evasion, a layered defense that includes both endpoint and kernel visibility will be critical to mitigating the heightened risk.
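The driver‑monitoring control recommended above, worked through as an added example (this is not code from the article or from The Hacker News): a small triage routine that reads driver‑load events and flags loads that match the driver names the article reports (rwdrv.sys, hlpdrv.sys, NSecKrnl.sys), carry an invalid or missing signature, or come from a directory where drivers are not normally installed. The line format is a constructed `Key=Value|Key=Value` layout modelled on the fields of a Sysmon Event ID 6 (DriverLoad) record; the sample events, vendor strings and hashes are placeholders, not real indicators. The point the example makes is that a BYOVD driver usually has a valid vendor signature, so signature status alone does not clear it; the name/hash watch list and the load path are what catch it.

```python
"""Triage kernel driver-load events for BYOVD indicators.

Added example, not code from the article or from The Hacker News. The input
format is constructed: one event per line, '|'-separated Key=Value pairs
modelled on the fields of a Sysmon Event ID 6 (DriverLoad) record. The driver
file names on the watch list are the ones the article names; every hash, path
and vendor string in the sample data is a placeholder.
"""
from dataclasses import dataclass

# Driver file names the article reports as abused (Qilin: rwdrv.sys, hlpdrv.sys;
# Warlock: NSecKrnl.sys). Matched case-insensitively on the file name only.
KNOWN_ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys"}

# Locations from which a legitimately installed driver is expected to load.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


@dataclass
class DriverLoad:
    image: str             # full path of the loaded driver (ImageLoaded)
    signed: bool           # Signed=true/false
    signature: str         # signer name (Signature)
    signature_status: str  # Valid / Unavailable / Expired ... (SignatureStatus)
    hashes: str            # e.g. "SHA256=<hex>" (Hashes)


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed 'Key=Value|Key=Value' driver-load line."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
        hashes=fields.get("Hashes", ""),
    )


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load deserves attention (empty = no finding).

    A BYOVD driver usually carries a valid vendor signature, so a good
    signature is not a clean bill: the name watch list and the load path
    are the checks that catch it.
    """
    reasons = []
    path = ev.image.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver name: {name}")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append(
            f"signature not valid (Signed={ev.signed}, Status={ev.signature_status or 'n/a'})"
        )
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected location: {ev.image}")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver path to its findings; clean loads are omitted."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample events: vendor names and hashes are placeholders.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\rwdrv.sys|Signed=true|Signature=Placeholder Vendor A|SignatureStatus=Valid|Hashes=SHA256=PLACEHOLDER_HASH_1",
    r"ImageLoaded=C:\Users\Public\hlpdrv.sys|Signed=true|Signature=Placeholder Vendor B|SignatureStatus=Valid|Hashes=SHA256=PLACEHOLDER_HASH_2",
    r"ImageLoaded=C:\ProgramData\NSecKrnl.sys|Signed=true|Signature=Placeholder Vendor C|SignatureStatus=Valid|Hashes=SHA256=PLACEHOLDER_HASH_3",
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid|Hashes=SHA256=PLACEHOLDER_HASH_4",
    r"ImageLoaded=C:\Temp\helper.sys|Signed=false|Signature=|SignatureStatus=Unavailable|Hashes=SHA256=PLACEHOLDER_HASH_5",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Run against the sample set, the routine flags the three article‑named drivers and the unsigned load from `C:\Temp`, and leaves the Microsoft‑signed `tcpip.sys` load from the drivers directory alone. In production the name watch list would be replaced by hash matching against a maintained vulnerable‑driver blocklist (Microsoft publishes one that can be enforced through WDAC/HVCI), and the event source would be the real Sysmon or System log feed rather than the constructed lines.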
