Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
#Vulnerabilities

Security Reporter

Ransomware groups Qilin and Warlock are exploiting vulnerable drivers to bypass 300+ endpoint detection and response solutions, highlighting critical gaps in enterprise security defenses.

Ransomware groups Qilin and Warlock have adopted sophisticated bring your own vulnerable driver (BYOVD) techniques to disable more than 300 endpoint detection and response (EDR) tools, according to recent research from Cisco Talos and Trend Micro. This emerging attack pattern represents a significant escalation in ransomware tactics, allowing threat actors to effectively neutralize security controls before encrypting victim systems.

Qilin's Multi-Stage EDR Killer

Cisco Talos researchers Takahiro Takeda and Holger Unterbrink discovered that Qilin attacks deploy a malicious DLL named "msimg32.dll" that initiates a complex infection chain. The DLL is launched through DLL side-loading and contains an encrypted EDR killer component.

"The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component," the researchers explained. "This secondary payload is embedded within the loader in an encrypted form."

The malware employs multiple evasion techniques:

  • Neutralizes user-mode hooks
  • Suppresses Event Tracing for Windows (ETW) event logs
  • Conceals control flow and API invocation patterns

Once these defenses are bypassed, the main EDR killer payload decrypts, loads, and executes entirely in memory while remaining undetected.

Dual-Driver Approach

The Qilin malware leverages two drivers to achieve complete EDR suppression:

  • rwdrv.sys - A renamed version of "ThrottleStop.sys" that provides kernel-mode hardware access to the system's physical memory
  • hlpdrv.sys - Terminates processes associated with over 300 different EDR drivers from various security vendors

This dual-driver approach has been previously observed in attacks involving Akira and Makop ransomware groups. Before loading the second driver, the malware unregisters monitoring callbacks established by EDR solutions, ensuring process termination proceeds without interference.

Qilin's Growing Threat

According to statistics from CYFIRMA and Cynet, Qilin has become the most active ransomware group in recent months, claiming hundreds of victims. The group was responsible for 22 out of 134 ransomware incidents reported in Japan in 2025, representing 16.4% of all attacks.

"Qilin primarily relies on stolen credentials to gain initial access," Talos noted. "After successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing it to methodically expand its control and maximize impact."

The average time from initial compromise to ransomware execution is approximately six days, emphasizing the critical need for early detection and prevention.

Warlock's Evolving Arsenal

Meanwhile, the Warlock ransomware group (also known as Water Manual) continues to exploit unpatched Microsoft SharePoint servers while updating its toolset for enhanced persistence and defense evasion.

Warlock has replaced its previous "googleApiUtil64.sys" driver with a legitimate-but-vulnerable NSec driver ("NSecKrnl.sys") in its BYOVD attacks. This driver allows the group to terminate security products at the kernel level.

During a January 2026 attack, Warlock deployed additional tools including:

  • PsExec - For lateral movement
  • RDP Patcher - Facilitating concurrent RDP sessions
  • Velociraptor - For command-and-control communications
  • Visual Studio Code and Cloudflare Tunnel - For tunneling C2 communications
  • Yuze - For intranet penetration and reverse proxy connections across HTTP, HTTPS, and DNS
  • Rclone - For data exfiltration

Critical Defense Recommendations

To counter BYOVD threats, security experts recommend:

  1. Driver Governance: Only allow signed drivers from explicitly trusted publishers
  2. Monitoring: Implement real-time monitoring of driver installation events
  3. Patch Management: Maintain rigorous patch schedules for security software, particularly those with driver-based components
  4. Multi-Layered Defense: Go beyond basic endpoint protection by enforcing strict driver governance and monitoring kernel-level activity in real time
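As an added, defender-side example (not code from the article or from the Talos or Trend Micro research), the following PowerShell audit applies recommendations 1 and 2 to a single host: it checks loaded kernel drivers against the driver file names the article mentions, flags renamed drivers via the PE's embedded OriginalFilename (the rwdrv.sys/ThrottleStop.sys case), flags drivers without a valid Authenticode signature, and lists recent kernel-driver service installs from System event 7045. The watch list is assumed to hold only the names from this article and should be extended in production.

```powershell
# Added example: not code from the article or from the Talos / Trend Micro research.
# Audits loaded kernel drivers for the BYOVD indicators the article names and lists
# recent kernel-driver service installs (System log event 7045). Run elevated.
# The watch list holds only the file names from the article; in production extend
# it from Microsoft's recommended driver block rules (WDAC).

$WatchList = @('rwdrv.sys', 'hlpdrv.sys', 'throttlestop.sys',
               'nseckrnl.sys', 'googleapiutil64.sys')

$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $name     = [IO.Path]::GetFileName($path).ToLower()
    $sig      = Get-AuthenticodeSignature -LiteralPath $path
    $origName = [Diagnostics.FileVersionInfo]::GetVersionInfo($path).OriginalFilename
    $reasons  = @()

    if ($WatchList -contains $name) { $reasons += 'file name on BYOVD watch list' }
    # rwdrv.sys is a renamed ThrottleStop.sys: the PE's OriginalFilename survives
    # a rename. Treat a mismatch as a triage hint, not proof; some legitimate
    # drivers also carry a different internal name.
    if ($origName -and $origName.ToLower() -ne $name) { $reasons += "renamed from $origName" }
    # Driver governance: anything without a valid Authenticode signature (or signed
    # by an unexpected publisher, see the Signer column) needs review.
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service = $drv.Name
            State   = $drv.State
            Path    = $path
            Signer  = $sig.SignerCertificate.Subject
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Monitoring: event 7045 is written when a service (including a kernel-mode driver)
# is installed. Properties: [0] service name, [1] image path, [2] service type,
# [3] start type, [4] installing account.
$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } },
        @{ n = 'Account';   e = { $_.Properties[4].Value } }
```

Feed the two result sets to a SIEM or scheduled task so that a new kernel-driver install, or a driver that suddenly fails the signature check, raises an alert rather than waiting for a manual audit.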

"Warlock's reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity," Trend Micro emphasized.

Broader Implications

The widespread use of vulnerable drivers to bypass security controls represents a fundamental challenge to traditional EDR architectures. With over 300 security products potentially vulnerable to these techniques, organizations must reassess their defensive strategies and implement more robust kernel-level protections.

These attacks demonstrate that ransomware groups are investing heavily in sophisticated techniques to evade detection, making early threat detection and rapid response more critical than ever. The six-day average timeline from compromise to encryption provides a narrow window for defenders to identify and neutralize threats before significant damage occurs.

The convergence of credential theft, sophisticated evasion techniques, and kernel-level attacks creates a perfect storm for enterprise security, requiring organizations to adopt defense-in-depth strategies that go beyond traditional endpoint protection.
