Ransomware Groups Are Now Turning Security Tools Against You, CyberShelter Analyst Observes
Qilin and Warlock campaigns reveal how attackers disable 300+ EDR solutions before launching ransomware
Recent ransomware activity linked to Qilin and Warlock highlights a dangerous shift in attacker strategy—disabling security before launching the attack.
According to analysis from Cisco Talos and Trend Micro, these groups are actively using the Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint protection mechanisms.
However, the real concern is not just the technique itself—it’s what it enables.
What’s Actually Happening Behind the Scenes
In Qilin attacks, threat actors deploy a malicious DLL (msimg32.dll) using DLL side-loading.
This initiates a multi-stage infection chain that:
- Loads encrypted payloads into memory
- Evades detection mechanisms
- Disables logging and monitoring systems
As a result, attackers can execute their payload without triggering traditional security alerts.
The EDR Killer Capability
The most alarming capability comes next.
The malware:
- Loads vulnerable drivers
- Gains kernel-level access
- Terminates 300+ EDR and security tools across vendors
Once the malware has run, the system is effectively left blind and defenseless.
Why BYOVD Changes the Game
CyberShelter analysis highlights that BYOVD is becoming a preferred technique because:
- It uses legitimate but vulnerable drivers
- It bypasses security at the kernel level
- It avoids detection by appearing trusted
Unlike traditional malware, this approach does not break security—it turns trusted components into weapons.
Warlock’s Multi-Layered Attack Strategy
Meanwhile, Warlock ransomware expands this model further.
The group combines:
- Vulnerable drivers for defense evasion
- Tools like PsExec for lateral movement
- Cloudflare tunnels for stealth communication
- Rclone for data exfiltration
Additionally, attackers maintain persistence using tools like TightVNC, ensuring long-term control before encryption begins.
The Silent Window Before Ransomware
One critical insight stands out:
Ransomware execution often occurs days after initial compromise.
This means attackers:
- Gain access
- Expand control
- Disable defenses
- Then execute ransomware
As a result, organizations that fail to detect early-stage activity face significantly higher impact.
Analyst Perspective
A CyberShelter analyst notes that modern ransomware operations no longer rely on speed alone.
Instead, attackers focus on:
- Stealth
- Persistence
- Defense evasion
This shift allows them to prepare the environment before triggering the final attack phase.
What Organizations Must Rethink
To defend against such attacks, organizations must move beyond traditional endpoint protection.
They should:
- Enforce strict driver control policies
- Monitor kernel-level activity
- Detect abnormal driver loading behavior
- Strengthen early-stage threat detection
- Reduce reliance on single-layer EDR solutions
Additionally, continuous monitoring of lateral movement and privilege escalation is critical.
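One way to act on the driver-control and driver-load monitoring points above, as an added example rather than tooling from CyberShelter, Cisco Talos or Trend Micro: a small Python scanner over constructed Sysmon-style DriverLoad (Event ID 6) records that flags known-vulnerable hashes, unsigned loads, and loads from outside the system driver directory. The record format, the placeholder hash list and the sample events are all constructed for this illustration.

```python
"""Flag abnormal kernel driver loads in Sysmon-style DriverLoad (Event ID 6) records.
Added example, not tooling from CyberShelter, Cisco Talos or Trend Micro. The record format
is a constructed key=value rendering of Sysmon's fields; the hash set is a placeholder."""
import re

# Placeholder: SHA256 values of drivers known to be vulnerable (constructed value here;
# populate from a maintained blocklist in practice).
KNOWN_VULNERABLE_SHA256 = {"deadbeef" * 8}
# Legitimate drivers load from System32\drivers; loads from user-writable paths are suspect.
TRUSTED_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)

def parse_driverload(line: str) -> dict:
    """Parse one 'Key=Value, Key=Value' record into a field dict with a lowercased SHA256."""
    fields = {k: v.strip() for k, v in re.findall(r"(\w+)=([^,]+)", line)}
    fields["SHA256"] = fields["Hashes"].split("SHA256=", 1)[1].lower()
    return fields

def assess(event: dict) -> list:
    """Return the reasons a driver load looks abnormal (empty list = nothing flagged)."""
    reasons = []
    if event["SHA256"] in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable driver")  # BYOVD: signed yet exploitable
    if event["Signed"].lower() != "true" or event["SignatureStatus"].lower() != "valid":
        reasons.append("unsigned or invalid signature")
    if not TRUSTED_DIR.match(event["ImageLoaded"]):
        reasons.append("loaded from outside System32\\drivers")
    return reasons

def scan(lines: list) -> dict:
    """Map each flagged driver path to its list of reasons."""
    findings = {}
    for line in lines:
        event = parse_driverload(line)
        if reasons := assess(event):
            findings[event["ImageLoaded"]] = reasons
    return findings

# Constructed sample records: a normal load, a signed-but-vulnerable driver loaded from the
# trusted path (the BYOVD case a signature check alone misses), and an unsigned driver in Temp.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys, Hashes=SHA256="
    + "11" * 32 + ", Signed=true, SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\legacydrv.sys, Hashes=SHA256="
    + "deadbeef" * 8 + ", Signed=true, SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\x.sys, Hashes=SHA256=" + "22" * 32
    + ", Signed=false, SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {'; '.join(reasons)}")
```

The hash check is what catches the BYOVD case: a legitimately signed driver with a valid signature passes the other two checks, so a signature-only policy is not enough.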
Strategic Takeaway
This evolution in ransomware tactics reveals a critical truth:
Attackers no longer fight security tools—they disable them first.
By abusing trusted drivers and operating at the kernel level, they create an environment where detection becomes extremely difficult.
In today’s threat landscape, the most dangerous attacks are the ones that silence your defenses before you even know they exist.