Your Antivirus Passed Every Test. The Ransomware Still Got Through.
In early April 2026, Cisco Talos published research showing that the Qilin ransomware group had developed a technique capable of disabling more than 300 endpoint detection and response (EDR) products. Not exploiting them. Not evading them. Flat-out turning them off.
The technique is called BYOVD, short for Bring Your Own Vulnerable Driver, and it represents one of the most significant shifts in ransomware tactics we have seen in years. If your business relies on antivirus or endpoint protection as its primary line of defense, you need to understand what this means and what to do about it.
What Is a BYOVD Attack?
To understand BYOVD, you need a quick primer on how Windows handles security at the kernel level.
Windows uses kernel-mode drivers to interact with hardware and perform low-level system operations. Security products like CrowdStrike, SentinelOne, Microsoft Defender, Sophos, and others install their own kernel drivers so they can monitor system activity, detect malicious behavior, and block threats in real time.
Here is the problem: Windows also allows other legitimate, digitally signed drivers to run at the kernel level. Some of those drivers, particularly older ones from hardware vendors, contain known vulnerabilities. They were signed by Microsoft or a trusted certificate authority, so Windows trusts them. But they have flaws that give anyone who loads them direct access to kernel memory.
In a BYOVD attack, the hacker brings one of these vulnerable drivers along with their malware. They install it on the target system (Windows accepts it because it is legitimately signed), then exploit the vulnerability in that driver to gain kernel-level access. From there, they can reach into memory and shut down every security product running on the machine.
Your EDR does not crash. It does not throw an error. It just stops working. Silently.
How Qilin Pulls It Off: A Four-Stage Kill Chain
The Cisco Talos research details a sophisticated four-stage attack chain that Qilin affiliates are using in the wild right now.
Stage 1: Getting In
Qilin affiliates gain initial access through the usual channels: phishing emails, stolen credentials, or exploiting internet-facing services. Nothing new here. The creativity comes after they get a foothold.
Stage 2: DLL Side-Loading
The attackers drop a copy of FoxitPDFReader.exe (a legitimate PDF application) alongside a malicious file named msimg32.dll. When Foxit launches, Windows automatically loads the rogue DLL due to standard DLL search order behavior. The malicious DLL forwards all legitimate API calls to the real msimg32.dll in System32, so the application works normally. Nothing looks wrong to anyone watching.
This loader then decrypts and executes a multi-stage payload entirely in memory. No new files hit the disk. Each stage adds more anti-analysis protections: it suppresses Event Tracing for Windows (ETW) so security tools cannot record events, bypasses syscall hooks, and implements control flow obfuscation to frustrate debugging.
Stage 3: The EDR Kill
The in-memory payload drops two kernel drivers. The first is a renamed, legitimately signed copy of a driver from TechPowerUp called ThrottleStop.sys. This driver was designed for CPU throttling but contains a flaw that provides direct read/write access to physical memory and kernel structures.
The second driver uses that access to do the actual damage. Before terminating any security processes, the malware first unregisters all EDR monitoring callbacks. This is the critical step. EDR products set up callback functions that get triggered when certain system events happen. By removing those callbacks first, the malware ensures that when it kills the EDR processes, no alerts fire. No logs get written. No notification reaches your security team.
Then it terminates the processes. Over 300 EDR products are on the kill list, covering virtually every vendor in the market.
Stage 4: Ransomware Deployment
With all security products blind and deaf, Qilin deploys its ransomware payload. Files get encrypted. The double-extortion clock starts ticking.
It Is Not Just Qilin
What makes this particularly concerning is that Qilin is not the only group using BYOVD. The Hacker News reported that Warlock (also tracked as Water Manaul by Trend Micro) independently developed similar capabilities. Warlock enters through unpatched Microsoft SharePoint servers, installs its own BYOVD driver called NSecKrnl.sys, and then pushes ransomware across entire domains using Active Directory Group Policy.
Warlock operators have been observed spending up to 15 days inside victim networks before pulling the trigger. They use that time to exfiltrate data, set up multiple backdoors (including TightVNC for remote GUI access and Cloudflare Tunnels for covert communication), and position ransomware payloads in SYSVOL and NETLOGON shares so every domain-joined computer gets encrypted at the next reboot.
The fact that multiple unrelated ransomware groups are independently adopting BYOVD tells us this is not a niche technique anymore. The tooling has been commoditized. What used to be a nation-state capability is now available to financially motivated criminals running ransomware-as-a-service operations.
Why Traditional Endpoint Protection Is Not Enough
This is where things get uncomfortable for a lot of businesses.
Many small and mid-sized companies have invested in EDR or next-gen antivirus and consider their endpoint security problem solved. That was a reasonable position two or three years ago. It is not anymore.
EDR is still essential. You absolutely need it. But a BYOVD attack demonstrates that any single security layer can be defeated. If your entire security strategy is "we have CrowdStrike" or "we run SentinelOne," you have a single point of failure. And ransomware groups have now built industrialized tooling specifically designed to exploit that single point of failure.
Think of it this way: a deadbolt on your front door is important. But if someone figures out how to silently remove deadbolts, you also want a security camera, motion sensors, and an alarm system that calls the police. Layered security is not a marketing buzzword. It is an engineering principle, and BYOVD is the proof.
What Your Business Should Do About It
The good news is that BYOVD attacks are not unstoppable. They exploit a specific weakness in how Windows handles signed drivers, and there are concrete steps you can take to reduce your exposure.
1. Enable Microsoft Vulnerable Driver Blocklist
Windows includes a built-in feature called the Microsoft Vulnerable Driver Blocklist. When enabled alongside Hypervisor-Protected Code Integrity (HVCI), also known as Memory Integrity, Windows will refuse to load drivers that Microsoft has identified as vulnerable.
This does not catch every vulnerable driver out there. Microsoft updates the list periodically, and new vulnerable drivers get discovered regularly. But it raises the bar significantly. To enable it:
- Open Windows Security
- Go to Device Security, then Core Isolation
- Turn on Memory Integrity
- Verify that Microsoft Vulnerable Driver Blocklist is enabled
This requires Windows 11 22H2 or later, and some older hardware or drivers may not be compatible. Test in a pilot group before rolling out company-wide.
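A quick way to confirm both settings before and after the pilot rollout. This is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard class and the Code Integrity registry value that Microsoft documents for the blocklist toggle, and it assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original article): report whether Memory Integrity (HVCI)
# is running and whether the Microsoft Vulnerable Driver Blocklist is switched on.
# Data sources are Microsoft-documented, not taken from the article:
#   - Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running
#   - HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1
# Run in an elevated PowerShell session.

function Get-ByovdMitigationStatus {
    [CmdletBinding()]
    param()

    # Virtualization-based security state as reported by the OS.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    $hvciRunning = $false
    if ($dg -and $dg.SecurityServicesRunning) {
        $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }

    # The blocklist toggle lives under the Code Integrity (CI) configuration key.
    # A missing value means the platform default applies (on by default since Windows 11 22H2).
    $ciConfig       = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    if ($null -eq $blocklistValue) { $blocklistState = 'Not set (platform default applies)' }
    elseif ($blocklistValue -eq 1) { $blocklistState = 'Enabled' }
    else                           { $blocklistState = 'Disabled' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        HvciRunning           = $hvciRunning
        VulnerableDriverBlock = $blocklistState
        # The pairing the article recommends: blocklist explicitly on AND HVCI running.
        BothControlsOn        = ($hvciRunning -and $blocklistValue -eq 1)
    }
}

Get-ByovdMitigationStatus | Format-List
```

Run it across the pilot group (for example via Invoke-Command) and treat any host with BothControlsOn set to False as not yet protected.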
2. Implement Application Control Policies
Windows Defender Application Control (WDAC) or AppLocker can restrict which drivers and executables are allowed to run. A well-configured application control policy can prevent the malicious DLL from loading and block unsigned or unapproved drivers from being installed.
This takes effort to set up properly. You need to inventory your legitimate software and drivers, create baseline policies, and test thoroughly. But it is one of the most effective controls against BYOVD and many other attack techniques.
3. Monitor for Driver Installation Events
Your security operations center (SOC) or monitoring solution should alert on new kernel driver installations. In most business environments, new drivers do not get installed frequently. A driver showing up on a workstation or server outside of a scheduled maintenance window should trigger an investigation.
Look for Windows Event ID 7045 (new service installed) and Event ID 4697 (service installed in the system). Cross-reference any new driver installations against known-good baselines.
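The baseline cross-reference described above, as an added example rather than code from the article: it pulls Event ID 7045 from the System log, keeps only kernel-mode driver installs, and flags image paths absent from a known-good list. The baseline file location is an assumption; populate it from a clean reference host.

```powershell
# Added example (not from the original article): list kernel-mode driver installations
# recorded as Event ID 7045 (Service Control Manager, System log) over the last N days and
# flag any image path missing from a known-good baseline. The baseline path is assumed.
# Event ID 4697 (Security log) carries the same data but only when the
# "Audit Security System Extension" subcategory is enabled, so 7045 is used here.
function Get-UnbaselinedDriverInstalls {
    param(
        [int]    $Days         = 7,
        [string] $BaselinePath = 'C:\SecOps\driver-baseline.txt'   # assumed location
    )

    # One known-good driver image path per line; comparison is case-insensitive.
    $baseline = @{}
    if (Test-Path $BaselinePath) {
        Get-Content $BaselinePath | Where-Object { $_.Trim() } |
            ForEach-Object { $baseline[$_.Trim().ToLowerInvariant()] = $true }
    }

    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 7045 payload order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $p = $e.Properties
        if ($p.Count -lt 3 -or $p[2].Value -notlike '*kernel*') { continue }   # drivers only

        # Normalise the path: strip quotes, the \??\ prefix, and \SystemRoot shorthand.
        $image = ($p[1].Value -replace '^"|"$', '') -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
        $known = $baseline.ContainsKey($image.ToLowerInvariant())

        # Signature status is for triage only: BYOVD drivers are validly signed, so
        # "Valid" is not a pass; an image path outside the baseline is the alert condition.
        $sig = if (Test-Path $image) { (Get-AuthenticodeSignature $image).Status } else { 'FileMissing' }

        [pscustomobject]@{
            Time            = $e.TimeCreated
            ServiceName     = $p[0].Value
            ImagePath       = $image
            SignatureStatus = $sig
            InBaseline      = $known
        }
    }
}

# Anything not in the baseline is the investigation trigger described above.
Get-UnbaselinedDriverInstalls | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```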
4. Reduce Your Attack Surface
BYOVD only works after an attacker is already inside your network. Every control that makes initial access harder is a control that prevents BYOVD from being used:
- Patch internet-facing systems promptly, especially VPNs, remote access tools, and web applications
- Enforce multi-factor authentication (MFA) on all remote access and privileged accounts
- Conduct regular security awareness training focused on phishing and credential theft
- Limit administrative privileges to only those who genuinely need them
- Segment your network so a compromise in one area does not give access to everything
5. Add Network-Level Detection
Since BYOVD can blind your endpoint security, having detection capabilities that operate outside the endpoint becomes critical. Network monitoring can catch lateral movement, data exfiltration, and command-and-control traffic that endpoint tools might miss if they have been tampered with.
Network Detection and Response (NDR) solutions analyze traffic patterns and can identify suspicious behavior even when endpoint agents are compromised. DNS monitoring is another layer that can flag communication with known malicious infrastructure.
6. Test Your Backup and Recovery Plan
If ransomware does get through, your backup and disaster recovery plan is your last line of defense. Make sure:
- Backups are stored offline or in immutable storage that ransomware cannot encrypt
- You test restores regularly, not just backup jobs
- Your recovery time objective (RTO) is realistic and documented
- Critical systems are backed up at least daily
The Bigger Picture: Why This Matters Beyond the Technical Details
BYOVD is not just a technical curiosity. It represents a fundamental change in how ransomware groups operate. They are now investing in kernel-level R&D, building sophisticated multi-stage toolchains, and sharing that tooling across affiliate networks.
The gap between nation-state capability and criminal capability continues to narrow. The Qilin EDR killer uses techniques (indirect syscalls, ETW suppression, callback unregistration) that would have been considered advanced persistent threat (APT) tradecraft just a few years ago. Now it is available to anyone willing to pay for a ransomware-as-a-service subscription.
For businesses, the takeaway is straightforward: single-layer security strategies carry more risk than they used to. The organizations that weather this shift will be the ones that invested in defense-in-depth before they needed it.
FAQ
Can BYOVD attacks affect Mac or Linux systems?
BYOVD is primarily a Windows attack technique because it exploits the way Windows handles signed kernel drivers. macOS and Linux have different driver models. That said, both platforms have their own kernel-level attack surfaces. The principle of layered security applies regardless of your operating system.
Does updating Windows protect against BYOVD?
Keeping Windows updated helps because Microsoft periodically adds newly discovered vulnerable drivers to its blocklist. However, updates alone are not sufficient. BYOVD attacks can use any legitimately signed driver with a vulnerability, and new ones are discovered regularly. You need the Vulnerable Driver Blocklist enabled, HVCI turned on, and ideally application control policies in place.
Our IT provider says our EDR is the best on the market. Are we still at risk?
Yes. The Qilin kill list includes products from virtually every major EDR vendor. The quality of your EDR product matters, but BYOVD attacks operate at the kernel level, below where EDR products can defend themselves. EDR is still a critical layer, but it should not be your only layer.
How do I know if a BYOVD attack has happened on our network?
Because BYOVD disables monitoring before acting, it is difficult to detect from the endpoint alone. Signs to look for include EDR agents that have stopped reporting, unexpected kernel driver installations in event logs, and anomalous network traffic detected by network-level monitoring. A regular vulnerability assessment can also identify systems running with HVCI disabled or missing the driver blocklist.
Is this something small businesses need to worry about, or just enterprises?
Small and mid-sized businesses are actually more likely to be targeted by ransomware groups because they tend to have fewer security layers. Qilin operates as a ransomware-as-a-service platform, meaning affiliates choose targets based on perceived ease of attack and likelihood of payment. A 50-person company with a single EDR product and no SOC is an attractive target.
If you want help evaluating your current security posture or implementing any of the protections described here, reach out to our team. We are happy to walk through what makes sense for your specific environment.