Cybersecurity researchers have uncovered new attack techniques used by the Qilin and Warlock ransomware groups, showing how they are bypassing modern security defenses by exploiting vulnerable system drivers. The attackers are leveraging a method known as “bring your own vulnerable driver” (BYOVD) to disable endpoint protection mechanisms before launching ransomware attacks.
In Qilin-related incidents, researchers observed the deployment of a malicious DLL file named “msimg32.dll,” which is executed through DLL side-loading to initiate a multi-stage infection process. This loader prepares the system for the main payload while evading detection by suppressing system logs, neutralizing monitoring hooks, and hiding execution patterns.
Once active, the malware loads vulnerable but legitimately signed drivers to gain kernel-level access. Because the drivers carry valid signatures, they pass signature-based checks, and the attackers abuse them to terminate processes belonging to more than 300 endpoint detection and response (EDR) tools, effectively blinding security systems and allowing the ransomware to operate undetected.
The Qilin group is also known to rely on stolen credentials to gain initial access to targeted systems. After infiltration, attackers focus heavily on post-compromise activities, expanding control within the network before triggering ransomware. Notably, researchers found that ransomware execution is often delayed by nearly six days after the initial breach; that dwell time is spent widening access, which increases the overall impact of the attack.
Meanwhile, the Warlock ransomware group has been observed exploiting unpatched Microsoft SharePoint servers and adopting similar BYOVD techniques to disable security products at the kernel level. The group has also incorporated tools such as PsExec for lateral movement, Rclone for data exfiltration, and Cloudflare Tunnel for maintaining command-and-control communication.
Security experts warn that these tactics represent a significant evolution in ransomware operations, as attackers are now prioritizing the complete shutdown of defensive systems before deploying encryption payloads. This approach reduces the likelihood of early detection and increases the success rate of attacks.
To mitigate such threats, organizations are advised to strictly control driver installations, allow only trusted and signed drivers, and monitor unusual system-level activities. The findings highlight the growing sophistication of ransomware campaigns and the urgent need for stronger endpoint security and proactive threat detection strategies.