BYOVD: the technique that turns vulnerable drivers into a lever to silence defenses and conquer the kernel

Published · 6 min read · 112 reads

Security researchers have identified a worrying pattern in the latest ransomware campaigns: actors such as those linked to Qilin and Warlock are using the technique known as bring your own vulnerable driver (BYOVD) to silence the defenses of compromised systems. Analyses by Cisco Talos and Trend Micro show that, far from crude attacks, these groups combine careful engineering, control over memory and the use of legitimate but vulnerable drivers to obtain kernel privileges and disable protection solutions.

In the case attributed to Qilin, Talos detected a malicious DLL loaded via DLL side-loading under the name "msimg32.dll". That DLL acts as a first-stage loader that prepares the environment for a second component, an "EDR killer", which is shipped encrypted inside the loader itself. Final execution takes place entirely in memory, avoiding many of the classic on-disk artifacts that facilitate detection. The loader also neutralizes user-space hooks, suppresses Event Tracing for Windows (ETW) events and masks API calls so that the decryption and loading process goes almost unnoticed.


Once the EDR-killing payload is ready, the attackers load two drivers: one known as rwdrv.sys (a version of ThrottleStop.sys) that is used to access physical memory and operate at kernel level, and another called hlpdrv.sys whose purpose is to terminate processes and disable more than 300 EDR drivers from many vendors. This combination allows them to disable most of the host's protection before running the ransomware. Talos has documented how, even before the second driver is loaded, the component intended to kill the EDRs nullifies monitoring callbacks to avoid interference while it terminates processes.

The same philosophy of abusing flawed drivers has been seen in operations associated with Warlock (also known as Water Manaul), which also exploits unpatched Microsoft SharePoint servers and has been updating its toolkit for persistence, lateral movement and evasion. To maintain persistent access and establish command-and-control channels, operators have used legitimate utilities and services: TightVNC for persistent remote control, PsExec for lateral movement, Velociraptor as a C2 tool, Visual Studio Code and Cloudflare Tunnel for tunneling communications, Yuze for intranet penetration and reverse proxying, and Rclone for exfiltrating data. On the driver front, Warlock switched to a vulnerable NSec driver ("NSecKrnl.sys") in its most recent campaigns, replacing drivers it had used previously.

This approach is not new in theory, but its effectiveness stems from a combination of real-world factors: signed drivers that contain exploitable vulnerabilities, the attackers' ability to load and rename legitimate binaries, and insufficient driver governance at the organizational level. BYOVD exploits the thin line between legitimate system functionality and the attackers' ability to operate with kernel privileges, which makes detection and mitigation very difficult without specific controls.

Metrics provided by firms such as CYFIRMA and Cynet show that Qilin has been particularly active, accounting for a significant proportion of the incidents reported in certain territories. Talos also notes that, on average, ransomware encryption occurs approximately six days after the initial compromise, a window that attackers use to move calmly, escalate privileges and prepare the destructive stage. This margin underlines the importance of detecting abnormal activity in the early stages of a compromise and of having controls that prevent the loading of potentially dangerous drivers.

What can an organization do to reduce this risk? First, impose strict driver policies: allow only drivers signed by explicitly trusted publishers and audit every driver installation. In Windows environments it is appropriate to review and implement Microsoft's published recommendations on driver signing and kernel policies, and to monitor events related to the installation and loading of drivers in order to identify suspicious attempts. Another line of defense is tighter patch management: both the operating system and security solutions with kernel-level components must be kept up to date so that a legitimate driver with vulnerabilities does not become an attack tool.
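As an added illustration of the driver-governance check described above (this is not code from Talos, Trend Micro or Microsoft), the following script triages driver-load telemetry against a signer allowlist and a known-vulnerable-driver blocklist. The records mimic the fields of Sysmon Event ID 6 (DriverLoad) as a SIEM might export them; every sample event, hash and signer name is constructed, and the blocklist hashes are placeholders. The ordering of the checks is the point: a driver with a valid signature from a real vendor can still be the vulnerable one, and renaming it on disk (ThrottleStop.sys shipped as rwdrv.sys) does not change its hash, so the hash lookup runs before the signer check.

```python
"""Triage driver-load telemetry against a signer allowlist and a
known-vulnerable-driver blocklist.

Added example, not code from Talos, Trend Micro or Microsoft. The records
mimic the fields of Sysmon Event ID 6 (DriverLoad) as a SIEM might export
them; every event, hash and signer name below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed allowlist of publishers the organisation explicitly trusts.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Constructed blocklist keyed by SHA-256. In production this would be fed
# from Microsoft's vulnerable driver blocklist and vendor advisories; the
# keys here are obvious placeholders, not real file hashes.
KNOWN_VULNERABLE_SHA256 = {
    "<placeholder-sha256-throttlestop>": "ThrottleStop.sys",
    "<placeholder-sha256-nseckrnl>": "NSecKrnl.sys",
}


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str         # publisher name from the signing certificate
    signature_status: str  # "Valid", "Expired", "Unavailable", ...


def parse_sysmon6(line: str) -> DriverLoad:
    """Parse one 'Key=Value|Key=Value' record; Hashes holds 'SHA256=...,MD5=...'."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", ""),
        signed=fields["Signed"].lower() == "true",
        signature=fields["Signature"],
        signature_status=fields["SignatureStatus"],
    )


def classify(ev: DriverLoad) -> str:
    """Return a verdict for one load event.

    The hash check runs first on purpose: a driver with a valid signature
    from a real vendor can still be the vulnerable one, and renaming
    ThrottleStop.sys to rwdrv.sys on disk does not change its hash.
    """
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        return "block:known-vulnerable"
    if not ev.signed or ev.signature_status != "Valid":
        return "block:unsigned-or-invalid"
    if ev.signature not in TRUSTED_SIGNERS:
        return "alert:untrusted-signer"
    return "allow"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Map each exported record to (image path, verdict)."""
    out = []
    for line in lines:
        ev = parse_sysmon6(line)
        out.append((ev.image, classify(ev)))
    return out


# Constructed sample export: five driver loads, none of them real telemetry.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\Temp\rwdrv.sys|Hashes=SHA256=<placeholder-sha256-throttlestop>,MD5=<placeholder-md5>|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\Temp\hlpdrv.sys|Hashes=SHA256=<placeholder-sha256-hlpdrv>,MD5=<placeholder-md5>|Signed=false|Signature=|SignatureStatus=Unavailable",
    r"ImageLoaded=C:\ProgramData\NSecKrnl.sys|Hashes=SHA256=<placeholder-sha256-nseckrnl>,MD5=<placeholder-md5>|Signed=true|Signature=Example Security Vendor|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Hashes=SHA256=<placeholder-sha256-ndis>,MD5=<placeholder-md5>|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Program Files\Acme\acmefilt.sys|Hashes=SHA256=<placeholder-sha256-acme>,MD5=<placeholder-md5>|Signed=true|Signature=Acme Drivers Ltd|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:30} {image}")
```

Run stand-alone, the script prints one verdict per sample load: the renamed ThrottleStop build and NSecKrnl.sys are blocked by hash despite valid signatures, the unsigned hlpdrv.sys is blocked by signature status, the Microsoft-signed driver is allowed, and the validly signed driver from an unlisted vendor raises an alert for review rather than a block. In a real deployment the verdict feeds a policy engine or a SIEM rule; the classification logic is the part worth keeping.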

Beyond software hygiene, it is essential to increase visibility over the kernel and over in-memory activity. Monitoring tools that record changes in kernel integrity, the appearance of unauthorized drivers and abnormal use of tracing or telemetry-related APIs can detect signs of BYOVD before the attacker neutralizes the defenses. The attack surface should also be reduced through strict access controls on privileged accounts and early detection of lateral movement and exfiltration.

Response teams and administrators should bear in mind that many of the tools mentioned are legitimate software put to malicious use. The mere presence of utilities such as PsExec, TightVNC or Rclone is therefore not in itself a bad sign, but their unexpected use within a production environment must trigger alerts and analysis. The combination of continuous monitoring, driver governance and a response procedure that allows hosts to be isolated rapidly is the practical recipe for minimizing impact.
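The "unexpected use" test above is easier to operate as a baseline than as a blanket rule. The following added example (not detection content from any vendor named in this article) models that: each dual-use tool is tied to the hosts and accounts from which it is expected to run, and any execution outside that context alerts with the reason. The executable-name patterns are assumptions about how the tools appear in process telemetry, and the baseline, host names, accounts and events are all constructed.

```python
"""Alert on legitimate admin tools running outside their approved context.

Added example; it is not detection content from any vendor named in the
article. Image-name patterns are assumptions about how the tools appear in
process telemetry, and the baseline, hosts, users and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import re

# Assumed executable names per tool; PSEXESVC.exe is the service side that
# PsExec drops on the remote host, so it is matched alongside the client.
TOOL_PATTERNS = {
    "psexec": re.compile(r"(^|\\)(psexec(64)?|psexesvc)\.exe$", re.I),
    "tightvnc": re.compile(r"(^|\\)(tvnserver|tvnviewer)\.exe$", re.I),
    "rclone": re.compile(r"(^|\\)rclone\.exe$", re.I),
    "velociraptor": re.compile(r"(^|\\)velociraptor\.exe$", re.I),
}

# Constructed baseline: the hosts and accounts from which each tool is
# expected to run. A tool missing from the baseline has no approved context,
# so every execution of it alerts (here: velociraptor, which this
# constructed organisation never deployed).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "psexec": {"hosts": {"JUMP01"}, "users": {"corp\\itadmin"}},
    "tightvnc": {"hosts": {"HELPDESK01"}, "users": {"corp\\helpdesk"}},
    "rclone": {"hosts": {"FILESRV01"}, "users": {"corp\\svc_backup"}},
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    parent: str


@dataclass
class Alert:
    host: str
    user: str
    tool: str
    image: str
    reasons: List[str]


def identify_tool(image: str) -> Optional[str]:
    """Return the baseline key for a process image, or None if it is not a tracked tool."""
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.search(image):
            return name
    return None


def evaluate(events: List[ProcessEvent]) -> List[Alert]:
    """Emit one alert per tool execution whose host or user is not in the baseline."""
    alerts = []
    for ev in events:
        tool = identify_tool(ev.image)
        if tool is None:
            continue  # not one of the dual-use tools we baseline
        approved = BASELINE.get(tool, {"hosts": set(), "users": set()})
        reasons = []
        if ev.host.upper() not in approved["hosts"]:
            reasons.append("unapproved-host")
        if ev.user.lower() not in approved["users"]:
            reasons.append("unapproved-user")
        if reasons:
            alerts.append(Alert(ev.host, ev.user, tool, ev.image, reasons))
    return alerts


# Constructed process-creation events; none of these are real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("JUMP01", "CORP\\itadmin", r"C:\Tools\PsExec64.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FIN-WS-042", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\PsExec64.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FILESRV01", "CORP\\svc_backup", r"C:\Program Files\rclone\rclone.exe", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent("HR-WS-017", "CORP\\svc_backup", r"C:\Windows\Temp\rclone.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("DC01", "CORP\\Administrator", r"C:\Windows\Temp\velociraptor.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-001", "CORP\\user", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.host:12} {a.user:22} {a.tool:12} {','.join(a.reasons):32} {a.image}")
```

Of the six constructed events, the two in-baseline executions (PsExec from the jump host by the IT admin, Rclone from the file server by the backup account) produce nothing, while PsExec from a finance workstation, Rclone launched from a temp directory on an HR workstation under the backup account, and Velociraptor on a domain controller each raise an alert carrying the reason. The baseline is deliberately small and explicit; in practice it would be generated from a period of known-good telemetry and reviewed with the teams that own those tools.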


The research and public recommendations of vendors and specialized agencies are available for those who want to go deeper into the technical aspects and mitigation guides. Cisco Talos and Trend Micro have published analyses of these campaigns; in addition, Microsoft maintains technical documentation on Event Tracing for Windows and driver signing policies that is useful for designing appropriate controls. Additional resources such as the official pages of the projects and tools involved (Velociraptor, Rclone, TightVNC) help to understand how attackers take advantage of legitimate utilities in their attack chains.

The key lesson is clear: attackers do not always need to develop complex exploits from scratch when they can bring with them a vulnerable driver that works as a lever. Protecting the kernel and controlling which low-level software can be deployed in the infrastructure should be priorities in any modern defense strategy against ransomware. The combination of driver governance, in-memory detection and rapid response to abnormal activity is what, in practice, can close the window that groups like Qilin and Warlock are exploiting.

Useful sources for expanding on and implementing these recommendations: Cisco Talos' technical blog (blog.talosintelligence.com), Trend Micro Research (trendmicro.com/research), Microsoft documentation on Event Tracing for Windows (learn.microsoft.com - ETW) and on driver signing policy (learn), the Velociraptor page (velodex.com/velocraptor), the Rclone project (rclone.org) and the official PsExec download at Sysinternals (learn.microsoft.com - PsExec).
