Two active ransomware groups have refined a kernel-level evasion technique (BYOVD - Bring Your Own Vulnerable Driver) that systematically disables over 300 endpoint security products before a single file is encrypted. By the time ransomware executes, the security stack is already dark.
What's BYOVD?
A technique in which attackers load a legitimate but flawed Windows driver, one whose signature Windows still trusts, and use it as a master key to reach the kernel and shut off security tools before the main attack begins.
Background
Bring Your Own Vulnerable Driver (BYOVD) isn't new, but the scale and precision with which Qilin and Warlock have industrialized it is. Research from Cisco Talos and Trend Micro published in early April 2026 confirms that both groups deploy the technique as a standard pre-encryption step, not as an occasional edge case.
The core idea: Windows will load any kernel driver that carries a valid digital signature. Attackers exploit this by loading a legitimate but vulnerable signed driver into the kernel, one that Microsoft has not yet blocklisted. This grants the adversary Ring 0 privileges, allowing them to forcibly terminate any process, including the security tools deployed to protect the endpoint.
The Attack Chain
Qilin / Warlock BYOVD execution sequence
01 | DLL sideloading | A malicious msimg32.dll is dropped and sideloaded by a legitimate host process. No UAC prompt, no suspicious parent. | INITIAL ACCESS
02 | Vulnerable driver load | A legitimately signed but exploitable kernel driver is written to disk and loaded via NtLoadDriver. The OS loads it without complaint. | KERNEL ACCESS
03 | Ring 0 privilege escalation | With kernel-mode code execution, the attacker can read and write arbitrary kernel memory, bypass PPL, and interact directly with EPROCESS structures. | PRIVILEGE ESCALATION
04 | EDR / AV termination | Security processes are enumerated and forcibly terminated, and the kernel callbacks registered by AV/EDR products are unhooked. Over 300 security products are targeted from a hardcoded, actively maintained list. | DEFENSE KILL
05 | Payload execution | The ransomware binary runs in a fully blind environment. Volume Shadow Copies (VSS) are deleted and the ransom note is dropped. | ENCRYPTION
Why This Works
Windows driver signing requirements exist to keep unauthorized code out of the kernel. BYOVD abuses the fact that what gets verified is the signature, not the driver's vulnerability surface. Microsoft maintains a blocklist of known-vulnerable drivers (DriverSiPolicy.p7b), but that list is often months behind active exploitation, so attackers source drivers that are signed but not yet blocklisted.
Kernel callbacks are the primary mechanism through which EDR products observe process creation, image loads, and thread injection. Once an attacker can write to kernel memory, those callbacks can be zeroed out. The EDR is still running but no longer receives events, which blinds it; from a visibility standpoint, the result is indistinguishable from a quiet system.
Qilin's tooling specifically targets PPL-protected processes. EDR vendors use PPL to prevent their processes from being killed by userland attackers. Kernel-level access bypasses this entirely: PPL offers no protection once an attacker already holds Ring 0.
What Makes Qilin and Warlock Different
Earlier BYOVD campaigns (such as those using mhyprot2.sys) were opportunistic: a single vulnerable driver was used until it was blocklisted, then abandoned. Qilin and Warlock avoid this by maintaining and rotating through a curated pool of viable drivers, tracking blocklist updates and pivoting to not-yet-blocklisted alternatives. This operationally maintained driver pool makes the technique resilient against blocklist-only defenses.
Additionally, Warlock has been observed combining BYOVD with credential harvesting before encryption, a two-phase intrusion where data is exfiltrated for double extortion before the destructive payload runs.
MITRE ATT&CK Mapping
Tactics: Initial Access | Execution | Privilege Escalation | Defense Evasion | Discovery | Lateral Movement | Exfiltration | Impact
Indicators of Compromise
FILENAME | msimg32.dll (malicious, sideloaded)
TECHNIQUES | T1068 · T1562.001 · T1014 · T1553.002
DRIVER SOURCE | Legitimately signed, vulnerable, not yet blocklisted at the time of the campaign
TARGETS | 300+ EDR/AV and security monitoring products (hardcoded list)
Next Steps
BYOVD-based campaigns can affect any compute environment running Windows (endpoints, VMs, and so on) and are designed to eliminate three things at once: your ability to detect the attack, your ability to roll back from it, and your confidence that your recovery controls will function at all. Qilin and Warlock have demonstrated that this is operational, not theoretical. To mitigate the risk, businesses should ensure that recovery plans across all workloads (cloud-native, SaaS, on-premises, and edge) account for a scenario in which prevention has already failed.
Stay ransomware ready. To verify your organization's recovery readiness posture from the ground up, take our free Cyber Readiness Assessment.