# Major Ransomware Groups Using Driver Exploitation to Neutralize 300+ EDR Solutions


Qilin and Warlock threat actors leverage vulnerable drivers to bypass endpoint detection and response tools, undermining a critical layer of enterprise cybersecurity


Threat actors associated with Qilin and Warlock ransomware operations are systematically disabling endpoint detection and response (EDR) solutions by exploiting vulnerable drivers through a technique known as "bring your own vulnerable driver" (BYOVD), according to new research from Cisco Talos and Trend Micro. The discovery represents a significant escalation in ransomware evasion tactics, with evidence suggesting these campaigns can effectively silence more than 300 distinct EDR tools.


## The Threat: BYOVD at Scale


The attackers are deploying a malicious DLL file named msimg32.dll to abuse legitimate but vulnerable drivers already installed on target systems. This approach allows threat actors to achieve kernel-level privilege escalation and disable security monitoring without requiring the deployment of additional malware or exploiting zero-day vulnerabilities. Instead, they leverage known vulnerabilities in legitimate drivers—a technique that has become increasingly weaponized across the ransomware ecosystem.


The scale of this operation is concerning: the identified campaigns demonstrate the capability to neutralize security tools across multiple vendors, suggesting either:


  • A shared toolkit or technique spreading across ransomware-as-a-service (RaaS) operations
  • Coordinated intelligence sharing among threat actor groups
  • A commercial or freely available exploitation framework designed specifically for EDR evasion

    • ## Background and Context: Understanding BYOVD


    ### What Is BYOVD?


    "Bring your own vulnerable driver" represents a fundamental shift in attack methodology. Rather than exploiting software vulnerabilities or using custom malware, attackers abuse legitimate, signed drivers that contain security flaws. Because these drivers are legitimate and often digitally signed by their vendors, security tools may trust and load them—making them effective for executing privileged operations while evading detection.


    This technique exploits a critical trust assumption: that signed drivers have been properly hardened and vetted. In practice, many drivers contain vulnerability that allow arbitrary code execution or manipulation of system security.


    ### The Players


    Qilin Ransomware: Emerged as a major ransomware-as-a-service operation offering affiliates access to sophisticated attack infrastructure. Qilin has targeted critical infrastructure, healthcare organizations, and large enterprises across multiple sectors.


    Warlock Ransomware: Another RaaS outfit known for targeting mid-to-large organizations. Warlock's operations have been linked to aggressive extortion tactics and high-ransom demands.


    Both groups operate under the RaaS model, meaning they license their ransomware and attack infrastructure to affiliate partners, allowing rapid scaling of attacks across multiple victim organizations.


    ## Technical Details: How the Attack Works


    ### The msimg32.dll Payload


    The malicious msimg32.dll file operates as a driver loader and privilege escalation mechanism. Here's the attack sequence:


    | Stage | Action | Purpose |

    |-----------|-----------|-----------|

    | 1. Initial Access | Compromised credentials or lateral movement from previous breach | Establish foothold with sufficient privileges to deploy DLL |

    | 2. DLL Placement | msimg32.dll placed in system directories or exploited via DLL search order | Enable automatic or forced loading by vulnerable application |

    | 3. Driver Exploitation | DLL abuses known CVE in legitimate Windows or third-party driver | Gain kernel-level code execution |

    | 4. EDR Bypass | Kernel code disables EDR hooks, memory scanning, and logging | Prevent detection of ransomware execution |

    | 5. Ransomware Deployment | Attacker proceeds with encryption and exfiltration | Complete ransomware attack undetected |


    ### Why This Works


  • Legitimacy: Signed drivers are trusted by Windows security mechanisms
  • Persistence: Vulnerable drivers often remain installed across multiple systems and updates
  • Scalability: A single BYOVD technique can disable multiple EDR vendors through common underlying vulnerabilities
  • Detection Evasion: Kernel-level operations can modify system logging and telemetry before EDR software sees them

    • ### EDR Tools Affected


    The research indicates that the identified techniques can disable EDR solutions from over 300 vendors, though specific products affected were not fully detailed in initial disclosures. This broad impact suggests the exploitation methods target common EDR hooking mechanisms rather than product-specific weaknesses.


    ## Implications for Organizations


    ### Immediate Risk


    Organizations running vulnerable driver versions face a critical exposure: their EDR tools may be providing false assurance of protection. If a system contains both a vulnerable driver and an unpatched vulnerability allowing initial code execution, ransomware actors can establish unmonitored persistence.


    ### Ransomware Evolution


    This development signals maturation in ransomware TTPs (tactics, techniques, and procedures):


  • Adversaries are moving up the stack: No longer content exploiting application-layer vulnerabilities, threat actors are now routinely engaging kernel-level attack surfaces
  • EDR is being treated as a barrier to overcome rather than an insurmountable obstacle
  • RaaS operations are investing in tooling: The availability of BYOVD techniques across multiple ransomware families suggests either commercialization or threat actor collaboration

    • ### Breach Confidence


    Organizations that believe they are protected by EDR monitoring should re-evaluate their threat model. EDR is one defense layer; if it can be disabled through kernel exploitation, a defense-in-depth approach becomes mandatory.


    ## Recommendations


    ### For Security Teams


    Immediate Actions:

  • Audit all installed drivers and remove or update any known to be vulnerable (check CISA's list of exploited BYOVD drivers)
  • Review EDR telemetry for evidence of kernel-level operations that shouldn't be occurring
  • Enable driver signature enforcement at the BIOS/UEFI level to prevent loading unsigned or suspicious drivers
  • Implement kernel patch protection and ensure driver updates are deployed promptly

    • Ongoing Measures:

  • Credential hygiene: Ensure that initial access (often gained through phishing or credential compromise) is prevented through MFA and password management
  • Network segmentation: Limit lateral movement capabilities so initial compromise doesn't automatically lead to widespread ransomware deployment
  • Backup strategy: Maintain offline, immutable backups that cannot be encrypted or deleted by ransomware, regardless of EDR effectiveness
  • Threat hunting: Conduct proactive searches for BYOVD techniques in historical logs and network traffic

    • ### For Endpoint Manufacturers


  • Conduct thorough security reviews of driver code, particularly around privilege escalation APIs
  • Implement secure coding practices to prevent kernel-level vulnerabilities
  • Provide rapid patching mechanisms for driver flaws

    • ### For EDR Vendors


  • Develop detection mechanisms specifically for BYOVD attacks and driver exploitation
  • Implement protected, kernel-level monitoring that cannot be easily disabled even if vulnerable drivers are exploited
  • Communicate clearly with customers about driver vulnerabilities that could impact EDR effectiveness

    • ## Conclusion


    The adoption of BYOVD techniques by major ransomware operations represents a significant threshold in the cyber threat landscape. Attackers have moved beyond evading endpoint security through obfuscation and polymorphism—they are now systematically dismantling the detection infrastructure itself.


    Organizations cannot afford to treat EDR as a complete solution. Rather, EDR should be one component of a comprehensive defense strategy that includes vulnerability management, network segmentation, threat intelligence, and incident response capabilities. The emergence of these techniques should prompt an immediate review of driver inventory, EDR confidence levels, and backup strategies across all affected enterprises.