Ransomware, Threat Intelligence

BYOVD technique employed by Qilin, Warlock ransomware gangs

Both the Qilin and Warlock ransomware operations have been moving to deactivate endpoint detection and response solutions in targeted systems through the bring your own vulnerable driver technique, The Hacker News reports.

Attacks by Qilin involved the delivery of an illicit DLL that triggers a multi-stage infection chain that terminates more than 300 EDR drivers, according to Cisco Talos researchers. Sophisticated EDR evasion tactics have been employed by the DLL loader, including Event Tracing for Windows event log and user-mode hook suppression, to allow the decryption of the primary EDR killer payload, which then exploits the rwdrv.sys and hlpdrv.sys drivers to infiltrate systems' physical memory and terminate EDR driver processes, respectively.

Another report from Trend Micro analysts showed that Warlock ransomware, also known as Water Manaul, tapped the TightVNC tool and NSec driver in a BYOVD intrusion against vulnerable Microsoft SharePoint servers. Warlock was also noted to have leveraged the PsExec, RDP Patcher, Velociraptor, Visual Studio Code, Cloudflare Tunnel, and Rclone tools in the attack.

"[O]rganizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities," said Trend Micro researchers.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds