Exploitation of BYOVD to Undermine Security Tools
Both the Qilin and Warlock ransomware operations have been documented using the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools on compromised systems. The technique loads a legitimately signed but vulnerable driver, so the code passes Driver Signature Enforcement while still handing the attacker a kernel-level primitive. Using drivers such as rwdrv.sys and hlpdrv.sys, the attackers obtain arbitrary read and write access to kernel and physical memory and use it to terminate over 300 Endpoint Detection and Response (EDR) drivers, effectively neutralizing most security vendors' defenses. One caveat worth keeping in mind: loading any driver already requires administrative rights, so BYOVD is a defense-evasion step taken after privileges have been obtained, not a means of obtaining them.
This use of BYOVD reflects a deliberate effort to get past hardened defenses. The attackers first load a renamed copy of the vulnerable driver to serve as a hardware access layer, giving them the ability to read and write the system's physical memory; renaming the file defeats detections that key only on the driver's original filename rather than its hash or signer. This step clears an unobstructed path for the EDR-disabling payloads that follow.
DLL Sideloading and Multi-Stage Infection Chains
An integral component of Qilin's strategy is a malicious DLL named msimg32.dll. Through DLL sideloading, a signed and trusted executable resolves msimg32.dll by name from its own directory, so the malicious copy placed beside it is loaded and runs under the trusted process. The DLL initiates a multi-stage infection chain designed to evade detection and disable active defenses: the first stage is a Portable Executable (PE) loader that prepares the environment for the second stage, a specialized EDR killer module.
The second-stage payload is stored encrypted inside the loader, then decrypted and executed entirely in memory, so no decrypted copy of the EDR killer ever touches disk (the loader DLL itself does, which is why the sideloading location is the best remaining on-disk artifact). The loader also removes the user-mode API hooks that EDR products place in ntdll and other system DLLs, suppresses Event Tracing for Windows (ETW) telemetry, and obfuscates its control flow, allowing the malware to operate undetected.
Countering EDR Monitoring Mechanisms
Qilin's EDR killer component is particularly effective against modern detection systems. Using the kernel access obtained through the vulnerable driver, the malware unregisters the kernel notification callbacks that EDR solutions rely on (process and thread creation, image load, object handle and registry callbacks), blinding them to activity on the host. With that visibility gone, the termination of EDR-associated processes proceeds without interruption, leaving the system without defenses against what follows.
The attackers' focus on disabling security tools highlights the growing sophistication of ransomware operations. By removing multiple layers of defense before deployment, Qilin and Warlock ensure that their payloads execute without encountering resistance. This deliberate targeting of EDR capabilities is a significant challenge for enterprise security teams.
Encrypted Payloads and Advanced Evasion Techniques
The malware's design incorporates a range of evasion strategies to bypass detection mechanisms. The DLL loader not only decrypts the embedded payload but also conceals its API calls (resolving them dynamically rather than through the import table) and obscures its control flow, which makes both static and dynamic analysis by security tools considerably harder and gives the attackers a substantial operational advantage.
Suppressing ETW events further reduces the visibility of malicious activity, since much user-mode telemetry that EDR and monitoring products consume is delivered through ETW. Even advanced monitoring solutions may therefore fail to record the execution of the ransomware's payloads. The result is a stealthy attack chain that stays below the threshold of traditional detection frameworks.
Rising Threat from Qilin and Warlock Ransomware Groups
Statistical analyses from CYFIRMA and Cynet indicate that Qilin is currently among the most active ransomware groups globally. The group has claimed responsibility for a significant proportion of recent attacks, particularly in regions such as Japan, where it accounted for 16.4% of all ransomware incidents in 2025. The group primarily relies on stolen credentials for initial access, underscoring the importance of robust identity and access management.
By deploying techniques such as BYOVD and DLL sideloading, these groups demonstrate a solid understanding of modern defensive architectures. Enterprises must adopt proactive measures to counter them: endpoint hardening (for BYOVD specifically, enabling Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity so that known-vulnerable drivers cannot load), continuous monitoring of driver and DLL loads, and stringent access controls that limit what stolen credentials can reach.