Researchers at Cisco Talos and Trend Micro report that the groups behind the Qilin and Warlock ransomware families are disabling security defenses on compromised systems with a technique known as Bring Your Own Vulnerable Driver (BYOVD): loading a legitimately signed but exploitable driver to obtain kernel-level code execution and then neutralizing endpoint detection and response (EDR) tools from that position.

In Qilin’s case, the intrusion begins with a malicious file posing as a legitimate system component and proceeds in several stages. A loader prepares the environment and decrypts the next-stage payload directly in memory, so the payload is never written to disk where a file scanner would see it. Once running, the malware loads a vulnerable driver to obtain kernel access and terminates the processes of more than 300 EDR and antivirus products from different vendors. By disabling logging and bypassing the monitoring hooks those products depend on, the attackers blind security tooling before the ransomware itself is executed.

The technique depends on drivers that carry a valid code signature but contain exploitable flaws, such as modified versions of known system utilities. Because the signature is valid, the Windows kernel loads the driver, and the attacker inherits its kernel-mode privileges. From there the malware can interfere with core system processes and remove protections without raising alarms: it unregisters the kernel callbacks (process-creation, thread-creation and image-load notifications, among others) that EDR agents rely on to observe activity, and suppresses the event logging that would otherwise record the tampering, so its actions remain undetected while it disables defenses and prepares for further exploitation.

Warlock ransomware operators use similar tactics, adding tools for persistence and lateral movement. They have been observed exploiting unpatched Microsoft SharePoint servers for initial access, then deploying a mix of legitimate and malicious tooling, including remote administration utilities and tunneling tools, to move across the network, establish command-and-control channels, maintain long-term access and exfiltrate sensitive data.

What makes these campaigns particularly dangerous is their structured approach. Instead of deploying ransomware immediately, attackers often wait several days after the initial breach, using that time to expand their control, disable defenses, and maximize impact. Organizations may not realize they have been compromised until encryption begins, so early detection is critical; the same delay is also the defender’s window, since an unexpected kernel driver load or an EDR agent going silent days before any encryption is the signal to act on.

Security experts emphasize that defending against BYOVD attacks requires a layered approach. Organizations should strictly control which drivers are allowed to load (for example, by enforcing the Microsoft vulnerable driver blocklist or a Windows Defender Application Control policy), monitor system-level changes such as new kernel-mode services and driver loads, and keep software patched so the initial access vectors these groups use, such as unpatched SharePoint servers, are closed. As attackers continue to abuse trusted, signed components to bypass defenses, maintaining visibility at the kernel level and enforcing strong driver-control policies has become essential.
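The following PowerShell is an added example for the controls described above; it is not code from the Talos or Trend Micro reports or from this article. It checks whether the Microsoft vulnerable driver blocklist is enforced, inventories the kernel drivers currently loaded with their hash and signer, and lists kernel-mode services installed in the last week, which is how a BYOVD loader typically registers its driver. The hash list is a constructed placeholder: populate it from a blocklist you trust before acting on its matches.

```powershell
# Added example (not from the reports this article cites): a quick BYOVD exposure check
# for a Windows host. Run in an elevated PowerShell session.

# Constructed placeholder list; replace with SHA-256 hashes from a trusted driver blocklist.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

# 1. Is the Microsoft vulnerable driver blocklist enforced? (REG_DWORD, 1 = enabled)
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklistOn = ($null -ne $ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)
Write-Host "Microsoft vulnerable driver blocklist enforced: $blocklistOn"

# 2. Inventory running kernel drivers: hash each image, read its Authenticode signer,
#    and flag anything on the blocklist or signed by someone other than Microsoft.
$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may use \??\ or \SystemRoot\ prefixes; normalise to a file system path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service   = $_.Name
            Path      = $path
            Sha256    = $hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Blocked   = $KnownBadSha256 -contains $hash
        }
    }

Write-Host "`nDrivers on the blocklist or not signed by Microsoft:"
$report |
    Where-Object { $_.Blocked -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Blocked -Descending |
    Format-Table Service, SigStatus, Signer, Blocked, Path -AutoSize

# 3. Kernel-mode services installed in the last 7 days (System log event 7045,
#    "A service was installed in the system"). A signed-but-vulnerable driver dropped
#    by a loader shows up here just before the EDR process kills begin.
Write-Host "`nKernel-mode driver services installed in the last 7 days:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Service Type:\s+kernel mode driver' } |
    Select-Object TimeCreated, @{ Name = 'Details'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-List
```

A third-party signer is not proof of malice, since many legitimate hardware and security drivers are vendor-signed, but every driver in that list should be explainable, and any 7045 kernel-mode install that coincides with an EDR agent going offline is worth treating as a BYOVD attempt until shown otherwise. If Sysmon is deployed, its DriverLoad event (ID 6) in the Microsoft-Windows-Sysmon/Operational log carries the hash and signature status at load time and is a better continuous source than the periodic inventory above.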

These campaigns highlight a growing trend in ransomware evolution: disabling security tools is no longer a secondary step but a primary objective. As threat actors become more sophisticated, organizations must adapt their defenses to detect and stop attacks before they escalate into full-scale breaches.
