What is BYOVD in ransomware?

BYOVD means attackers load their own vulnerable, signed drivers to gain kernel access and disable security tools like EDRs.

How do Qilin and Warlock disable over 300 EDRs?

They use loaders to evade detection, then drivers like rwdrv.sys and hlpdrv.sys to terminate EDR processes and callbacks at kernel level.

Yes — enforce driver whitelisting, monitor installs, patch drivers fast, and layer defenses beyond software EDR.

🦠 Ransomware & Malware

A sneaky DLL drops. Then, two rogue drivers rip through 300+ EDRs like tissue paper. Qilin and Warlock just redefined ransomware evasion.

Threat Digest Apr 07, 2026 3 min read

Qilin and Warlock use BYOVD to silently disable 300+ EDR tools via vulnerable drivers like ThrottleStop.sys. 𝕏
Attacks feature advanced evasion: ETW suppression, callback unregistering, and living-off-the-land tools. 𝕏
Shift to kernel-hardened defenses like enclaves needed; traditional EDRs vulnerable. 𝕏

Published by

Threat intelligence. Zero noise.

#BYOVD #BYOVD attacks #EDR bypass #Qilin ransomware #Warlock ransomware #vulnerable drivers

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News