low

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

April 6, 2026·The Hacker News·Threat Intel
ransomwareedr-bypassbyovdqilinwarlockincident-response

Qilin and Warlock Ransomware Exploit Vulnerable Drivers to Kill 300+ EDR Tools

TL;DR


Qilin and Warlock ransomware groups are using Bring Your Own Vulnerable Driver (BYOVD) attacks to disable hundreds of endpoint detection and response (EDR) tools before deploying their payloads. Security teams need to immediately audit their systems for unauthorized kernel drivers and implement driver allowlisting policies.

What Happened

Cisco Talos and Trend Micro researchers have identified a sophisticated evasion technique being deployed by two major ransomware operations. According to their joint analysis published this week, Qilin and Warlock threat actors are leveraging vulnerable legitimate drivers to terminate over 300 different security products running on compromised Windows systems.

The attacks involve deploying a malicious DLL file named "msimg32.dll" that exploits kernel-level access to systematically disable endpoint protection before ransomware deployment begins. This represents a significant evolution in ransomware tactics, moving beyond simple process termination to kernel-level security bypasses.

Technical Analysis

BYOVD attacks exploit a fundamental trust mechanism in Windows: digitally signed drivers from legitimate vendors are automatically trusted by the operating system. Attackers abuse this by bringing their own copy of a vulnerable but legitimately signed driver, then exploiting known vulnerabilities to gain kernel-level privileges.

Once in kernel space, the malicious code can:


The "msimg32.dll" payload specifically targets security products by name, suggesting the ransomware operators maintain an extensive database of security tools and their process signatures. This level of preparation indicates these are not opportunistic attacks but carefully planned operations.

Impact & Who's Affected

This technique affects organizations running Windows endpoints with:


The impact is severe: once security tools are disabled, organizations lose critical visibility during the most crucial phase of a ransomware attack. Traditional indicators of compromise become invisible, and incident response capabilities are significantly degraded.

What You Should Do

Immediate Actions (Next 24 Hours):
1. Enable Windows Driver Signature Enforcement on all endpoints if not already active
2. Audit running drivers using tools like driverquery or PowerShell's Get-WindowsDriver
3. Review recent driver installations in Windows Event Logs (Event ID 219)
4. Implement driver allowlisting using Windows Defender Application Control (WDAC) or similar solutions

Ongoing Defense Measures:


The Bigger Picture

This development represents ransomware groups' continued arms race with security vendors. As EDR solutions become more sophisticated, attackers are moving deeper into the Windows kernel to maintain their advantage.

The targeting of 300+ security products demonstrates the industrialized nature of modern ransomware operations. These groups are investing significant resources in research and development, treating security evasion as a core business function.

Organizations should expect this technique to proliferate across other ransomware families quickly. The fundamental Windows driver architecture makes this class of attack particularly challenging to defend against, requiring a shift from reactive detection to proactive prevention through driver controls.

Source: The Hacker News, Cisco Talos, and Trend Micro research

← All Threat IntelSource: The Hacker News