Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
Summary
Threat actors behind Qilin and Warlock ransomware are employing the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software on compromised systems. The method loads a known vulnerable driver to gain kernel-level access and then uses that access to shut down Endpoint Detection and Response (EDR) tools, leaving the system defenseless against the rest of the attack. The technique has been observed to disable over 300 EDR solutions.
IFF Assessment
The use of BYOVD to disable EDR tools is a significant threat to defenders, as it directly undermines their ability to detect and respond to ongoing attacks.
Defender Context
Defenders should be aware of the BYOVD technique and its increasing use by ransomware groups. Monitoring driver loads, especially of unsigned or known-vulnerable drivers, is crucial. Keeping EDR solutions up to date and hardening systems against unauthorized driver loading are key defensive measures.
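As an added illustration of the driver-load monitoring described above (example code written for this summary, not from the original report or from any vendor), the following triages Sysmon Event ID 6 (DriverLoad) records for BYOVD warning signs. The flattened record format, the blocklist hashes and the sample events are all constructed placeholders; a real deployment would populate the blocklist from a maintained vulnerable-driver list.

```python
# Added example: triage Sysmon Event ID 6 (DriverLoad) records for BYOVD signs.
# Note: drivers abused in BYOVD are usually validly signed, so the hash
# blocklist is the primary signal; signature and path checks are secondary.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder SHA256 values standing in for a real vulnerable-driver blocklist
# (constructed for this example; not real hashes).
KNOWN_VULNERABLE_SHA256 = {
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_A",
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_B",
}

# Directory names where a legitimately installed driver is not expected to live.
SUSPICIOUS_DIR_PARTS = {"temp", "tmp", "downloads", "public", "programdata"}

@dataclass
class DriverLoad:
    image: str        # ImageLoaded field
    sha256: str       # SHA256 entry from the Hashes field
    signed: bool      # Signed=true/false
    sig_status: str   # SignatureStatus, e.g. "Valid"

def parse_sysmon_line(line: str) -> DriverLoad:
    """Parse a constructed 'key=value|key=value' flattening of a Sysmon ID 6 event."""
    kv = dict(part.split("=", 1) for part in line.strip().split("|"))
    hashes = dict(h.split("=", 1) for h in kv["Hashes"].split(","))
    return DriverLoad(
        image=kv["ImageLoaded"],
        sha256=hashes.get("SHA256", "").upper(),
        signed=kv["Signed"].lower() == "true",
        sig_status=kv["SignatureStatus"],
    )

def triage(evt: DriverLoad) -> list:
    """Return the BYOVD indicators this driver load trips (empty list = nothing seen)."""
    reasons = []
    if evt.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not evt.signed or evt.sig_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    if {p.lower() for p in PureWindowsPath(evt.image).parts} & SUSPICIOUS_DIR_PARTS:
        reasons.append("loaded from user-writable/unusual directory")
    return reasons

# Constructed sample events: one benign system driver, one that trips two indicators.
SAMPLE_LOG = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=PLACEHOLDER_BENIGN|Signed=true|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\Temp\\drv.sys|Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_A|Signed=true|SignatureStatus=Valid",
]

def find_suspicious(lines) -> dict:
    """Map each flagged driver path to the indicators it tripped."""
    events = [parse_sysmon_line(l) for l in lines]
    return {e.image: triage(e) for e in events if triage(e)}
```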