Summary
Key Points:
- Qilin and Warlock ransomware groups are employing the bring your own vulnerable driver (BYOVD) technique to disable over 300 endpoint detection and response (EDR) tools on compromised systems.
- The impact includes significant disruption of security measures, allowing attackers to operate undetected while executing ransomware attacks, with Qilin being linked to 22% of ransomware incidents in Japan in 2025.
- Recommended actions include enforcing strict driver governance, allowing only signed drivers from trusted publishers, monitoring driver installation events, and maintaining a rigorous patch management schedule.
Technical Details: Qilin utilizes a malicious DLL ("msimg32.dll") to disable EDR solutions through DLL side-loading and employs various evasion techniques. Warlock exploits unpatched Microsoft SharePoint servers and uses a vulnerable NSec driver for kernel-level attacks.
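An added example (not from the article, nor from any vendor tool it mentions) of the driver-governance checks recommended above: it lists running kernel drivers whose Authenticode signature is missing, invalid, or from a publisher outside an allowlist, and pulls recent kernel-driver installations from the System log (Event ID 7045). The publisher allowlist is a constructed placeholder to be replaced with the publishers actually present in your fleet.

```powershell
# Added example: audit running kernel drivers and recent driver installs on a Windows host.
# $TrustedPublishers is a constructed placeholder allowlist (assumption), not a vendor list.
$TrustedPublishers = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes (\??\C:\..., \SystemRoot\..., system32\drivers\x.sys)
    param([string]$RawPath)
    $p = $RawPath -replace '^\\\?\?\\', ''                       # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot            # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative path
    return $p
}

function Get-UntrustedDrivers {
    # Report every running kernel driver that is unsigned, has a broken signature, or is
    # validly signed by a publisher not on the allowlist. A legitimately signed but
    # unfamiliar driver is precisely the BYOVD case, so it is reported rather than ignored.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path $path)) { return }
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $known   = [bool]($TrustedPublishers | Where-Object { $subject -like "$_*" })
        if (-not (($sig.Status -eq 'Valid') -and $known)) {
            [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status; Signer = $subject }
        }
    }
}

function Get-RecentDriverInstalls {
    # System log Event ID 7045 fires whenever a new service is registered; ServiceType
    # 'kernel mode driver' singles out new drivers, the installation event worth monitoring.
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d['ServiceType'] -match 'kernel mode driver') {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $d['ServiceName']
                               Image = $d['ImagePath']; Account = $d['AccountName'] }
        }
    }
}

Get-UntrustedDrivers        | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 7 | Format-Table -AutoSize
```

Run from an elevated PowerShell session; both functions are read-only and can be scheduled to feed a SIEM alongside the existing driver-load telemetry.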
MITRE ATT&CK Techniques:
- T1203 - Exploit Public-Facing Application (Initial Access)
- T1078 - Valid Accounts (Initial Access)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
- T1211 - Exploit Driver (Privilege Escalation)
IOCs Mentioned: None mentioned