
Ransomware Groups Qilin and Warlock Use BYOVD Technique to Disable EDR Tools
General, malware, ransomware, Windows
The ransomware groups Qilin and Warlock are using the BYOVD (Bring Your Own Vulnerable Driver) technique to disable more than 300 EDR (Endpoint Detection and Response) and other security products. In a BYOVD attack the intruder drops a legitimately signed but exploitable driver, loads it as an ordinary service, and abuses its flaws to execute code in the Windows kernel, where user-mode protections such as Protected Process Light no longer stand in the way of terminating or blinding security agents. Qilin reaches this stage through a multi-stage chain that uses DLL sideloading to stage an in-memory "EDR killer" component. Warlock pairs the same driver abuse with exploitation of unpatched Microsoft SharePoint Server vulnerabilities to gain its initial foothold. In both cases the goal is to neutralise defenses at the kernel level before the ransomware payload runs; the report names no specific CVEs or exact dates. The practical impact is that EDR solutions are rendered inoperable on the affected hosts, which raises the success rate of the subsequent ransomware deployment.
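The two controls a defender most wants after reading the above are to confirm that Windows is actually enforcing Microsoft's vulnerable driver blocklist and to audit which kernel drivers are currently loaded, who signed them, and whether any hash matches known-bad intel. The following script is an added example written for this page; it is not code from the article or from any vendor report on Qilin or Warlock. It assumes an elevated PowerShell 5.1 or later session, and the hash-list path `C:\ProgramData\Security\vulnerable-driver-sha256.txt` is a hypothetical file you would populate yourself from Microsoft's published blocklist or your own threat intelligence.

```powershell
# Added example (not from the original article): audit a Windows host for the
# BYOVD exposure described above. Run elevated. The hash-list path below is a
# hypothetical location; populate it from Microsoft's blocklist or your own intel.

# 1. Confirm the Microsoft Vulnerable Driver Blocklist is enforced.
#    Registry location and value name are documented by Microsoft; the setting
#    takes effect after a reboot. HVCI-enabled hosts enforce the list regardless.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$cfg = Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if (-not $cfg -or $cfg.VulnerableDriverBlocklistEnable -ne 1) {
    Write-Warning 'Vulnerable Driver Blocklist is not enabled; enabling it (effective after reboot).'
    New-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Load the local known-bad SHA-256 list (one hash per line). Hypothetical path.
$knownBad = @{}
$hashFile = 'C:\ProgramData\Security\vulnerable-driver-sha256.txt'
if (Test-Path $hashFile) {
    Get-Content $hashFile | ForEach-Object {
        $h = $_.Trim().ToUpperInvariant()
        if ($h) { $knownBad[$h] = $true }
    }
}

# 3. Enumerate running kernel drivers, hash each image, inspect its Authenticode
#    signer, and flag anything known-bad, unsigned, or not signed by Microsoft.
#    Third-party signers are not inherently malicious, but they are exactly the
#    population a BYOVD driver belongs to, so they deserve a manual look.
$findings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may appear as \??\C:\... or \SystemRoot\...; normalise it.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToUpperInvariant()
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            SHA256    = $hash
            SigStatus = $sig.Status
            Signer    = $signer
            KnownBad  = $knownBad.ContainsKey($hash)
            NonMS     = ($signer -notmatch 'Microsoft')
        }
    } |
    Where-Object { $_.KnownBad -or $_.NonMS -or $_.SigStatus -ne 'Valid' } |
    Sort-Object KnownBad, NonMS -Descending

$findings | Format-Table Name, SigStatus, KnownBad, NonMS, Signer, Path -AutoSize
```

Two caveats apply. First, an EDR killer typically loads its driver only for as long as it needs to terminate the security processes, so a point-in-time inventory like this can miss it entirely; pair it with driver-load telemetry such as Sysmon Event ID 6 (Driver loaded) and the Microsoft-Windows-CodeIntegrity/Operational log, and alert on new driver services created by a process that is not an installer. Second, the blocklist only stops drivers Microsoft has already catalogued, so a driver that is signed, vulnerable, and not yet on the list will still load; the hash check and the signer review are what cover that gap.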