Cybersecurity Threat Advisory: Ransomware turning off EDR with vulnerable drivers

Qilin and Warlock (also known as “Water Manaul”) ransomware groups are using bring your own vulnerable driver (BYOVD) techniques to disable endpoint security tools on Windows systems. These actors can shut down more than 300 EDR drivers across multiple security vendors. Read this Cybersecurity Threat Advisory to reduce your and your clients’ risk.

What is the threat?

Qilin and Warlock use BYOVD techniques to gain kernel‑level control of Windows systems and disable security tools before launching ransomware attacks. Qilin deploys a malicious msimg32.dll file through a trusted process to execute an in‑memory “EDR killer,” reducing logging and hiding activity. This payload abuses vulnerable drivers such as rwdrv.sys (a renamed ThrottleStop.sys) and hlpdrv.sys to access system memory and disable more than 300 EDR products by stopping their processes, unloading drivers, and removing monitoring hooks and Event Tracing for Windows (ETW) visibility.

Qilin typically gains access using stolen credentials and spends roughly six days moving laterally and staging its attack before deploying ransomware. Warlock, by contrast, has been observed exploiting unpatched Microsoft SharePoint servers for initial access and using the vulnerable NSecKrnl.sys driver—replacing its older googleApiUtil64.sys—to disable security tools at the kernel level. Warlock also relies heavily on common administrative and open‑source tools, including TightVNC, PsExec, RDP Patcher, Velociraptor, Visual Studio Code with Cloudflare Tunnel and Yuze, and Rclone, to maintain access, move laterally, and exfiltrate data prior to encryption.

Why is it noteworthy?

These campaigns demonstrate that modern ransomware operators are no longer focused solely on encryption—they are deliberately targeting the kernel layer to blind defenders first. The ability to disable hundreds of EDR drivers across vendors undermines the assumption that endpoint protections will remain active during an attack. Qilin is among the more active ransomware groups today, while Warlock’s evolving toolset suggests BYOVD‑based EDR bypass is becoming a standard technique. As a result, driver and kernel integrity are now frontline security concerns, not optional hardening measures.

What is the exposure or risk?

Any organization running Windows systems with driver‑based security controls is at risk, as these attacks are designed to neutralize those protections. Because the abused drivers are valid and signed—just vulnerable—basic allow‑listing or “signed driver only” controls may not block them. Once EDR is disabled, attackers can move quietly through the environment, locate critical systems, and steal data with little or no detection.

Organizations with unpatched, internet‑facing systems—particularly Microsoft SharePoint—face elevated risk due to Warlock’s known exploitation patterns. The attackers’ use of legitimate administrative tools further allows activity to blend in with normal IT operations. Kernel‑level access also enables tampering with logs and system behavior, complicating detection, investigation, and recovery. For regulated or mission‑critical environments, this can result in prolonged outages, compliance exposure, and significant reputational damage.

What are the recommendations?

Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:

  • Tighten driver and kernel controls: Use driver allow‑listing (such as WDAC or Code Integrity), enable and maintain Microsoft’s vulnerable driver blocklist, and remove obsolete or unnecessary drivers—especially tuning and legacy security drivers.
  • Monitor for BYOVD and EDR tampering: Alert on new driver installations or loads, suspicious .sys files (for example rwdrv.sys, ThrottleStop.sys, hlpdrv.sys, NSecKrnl.sys), and sudden EDR agent failures or loss of telemetry.
  • Reduce initial access paths: Prioritize patching of internet‑facing services such as Microsoft SharePoint, enforce MFA and strong credential hygiene, and minimize standing administrative accounts.
  • Limit dual‑use tools: Restrict or tightly control PsExec, TightVNC, RDP Patcher, Rclone, and similar utilities using least privilege, application control, and just‑in‑time access.
  • Strengthen detection and response: Centralize endpoint, driver, and network logs in SIEM/XDR platforms, build detections for tunneling and unusual remote access patterns, and develop playbooks for suspected BYOVD or EDR‑disabling activity.
  • Coordinate and test: Engage EDR and OS vendors on BYOVD protections and include EDR‑tampering scenarios in red‑team, purple‑team, or tabletop exercises to validate defenses and response readiness.
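The detection logic below is an added example written for this advisory; it is not Barracuda's code nor any vendor's product rule. It turns the chain described under "What is the threat?" (a vulnerable driver registered and loaded, then EDR telemetry disappearing) and the "Monitor for BYOVD and EDR tampering" recommendation into runnable checks over constructed Windows event records. The field names are simplified forms of Sysmon Event ID 6 (DriverLoad) and the System log's 7045 (service installed) and 7036 (service state change) events, and the unusual-directory heuristic and EDR service-name list are assumptions to adapt to your own SIEM mapping and vendor.

```python
"""Added example (not Barracuda's or any vendor's code): detection logic for the
BYOVD / EDR-tampering chain described in this advisory, run over constructed
Windows event records. Field names are simplified forms of Sysmon Event ID 6
(DriverLoad) and System log Event IDs 7045 (service installed) and 7036
(service state change); adapt them to your SIEM's field mapping."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Driver file names this advisory reports as abused by Qilin and Warlock.
SUSPICIOUS_DRIVER_NAMES = {
    "rwdrv.sys", "throttlestop.sys", "hlpdrv.sys", "nseckrnl.sys", "googleapiutil64.sys",
}
# Directories a legitimate kernel driver is rarely loaded from (heuristic; an assumption).
UNUSUAL_DRIVER_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# Service names of the EDR/AV agents to watch (placeholder list; substitute your vendor's).
EDR_SERVICE_NAMES = {"windefend", "sense", "edragent"}


@dataclass
class Event:
    time: datetime
    event_id: int   # 6 = Sysmon DriverLoad, 7045 = service installed, 7036 = service state change
    data: dict


@dataclass
class Finding:
    time: datetime
    severity: str   # "low", "medium" or "high"
    reason: str
    artifact: str   # driver path the finding relates to


def driver_name(path: str) -> str:
    # Lower-cased file name; ntpath.basename also copes with the "\??\" prefix in 7045 ImagePath values.
    return ntpath.basename(path).lower()


def check_driver_load(ev: Event) -> list:
    """Sysmon Event ID 6: flag known-abused driver names and loads from unusual directories."""
    path = ev.data.get("ImageLoaded", "")
    hits = []
    if driver_name(path) in SUSPICIOUS_DRIVER_NAMES:
        hits.append(Finding(ev.time, "medium", f"known vulnerable driver loaded: {driver_name(path)}", path))
    if path.lower().startswith(UNUSUAL_DRIVER_DIRS):
        hits.append(Finding(ev.time, "medium", "driver loaded from unusual directory", path))
    return hits


def check_service_install(ev: Event) -> list:
    """System Event ID 7045: BYOVD drivers are registered as new kernel-mode driver services."""
    if "kernel" not in ev.data.get("ServiceType", "").lower():
        return []
    path = ev.data.get("ImagePath", "")
    severity = "medium" if driver_name(path) in SUSPICIOUS_DRIVER_NAMES else "low"
    return [Finding(ev.time, severity, f"new kernel-mode driver service: {ev.data.get('ServiceName')}", path)]


def edr_service_stopped(ev: Event) -> bool:
    """System Event ID 7036: an EDR/AV service entering the stopped state."""
    return (ev.event_id == 7036
            and ev.data.get("ServiceName", "").lower() in EDR_SERVICE_NAMES
            and ev.data.get("State", "").lower() == "stopped")


def analyse(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Walk events in time order; escalate an EDR stop that follows suspicious driver activity within `window`."""
    findings, driver_hits = [], []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 6:
            hits = check_driver_load(ev)
        elif ev.event_id == 7045:
            hits = check_service_install(ev)
        elif edr_service_stopped(ev):
            recent = [h for h in driver_hits if timedelta(0) <= ev.time - h.time <= window]
            name = ev.data["ServiceName"]
            if recent:
                hits = [Finding(ev.time, "high", f"EDR service {name} stopped after suspicious driver activity",
                                recent[-1].artifact)]
            else:
                hits = [Finding(ev.time, "medium", f"EDR service {name} stopped", "")]
        else:
            hits = []
        if ev.event_id in (6, 7045):
            driver_hits += [h for h in hits if h.severity == "medium"]
        findings += hits
    return findings


# Constructed sample: a benign driver load, then the advisory's rwdrv.sys registered and loaded
# from a temp directory, followed two minutes later by the AV service stopping.
T0 = datetime(2025, 11, 3, 9, 14, 0)
SAMPLE_EVENTS = [
    Event(T0, 6, {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"}),
    Event(T0 + timedelta(minutes=1), 7045,
          {"ServiceName": "rwdrv", "ImagePath": r"\??\C:\Windows\Temp\rwdrv.sys", "ServiceType": "kernel mode driver"}),
    Event(T0 + timedelta(minutes=1, seconds=2), 6, {"ImageLoaded": r"C:\Windows\Temp\rwdrv.sys"}),
    Event(T0 + timedelta(minutes=3), 7036, {"ServiceName": "WinDefend", "State": "stopped"}),
    Event(T0 + timedelta(hours=2), 7036, {"ServiceName": "Spooler", "State": "stopped"}),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.time:%H:%M:%S} [{f.severity}] {f.reason} ({f.artifact})")
```

On the constructed sample the benign tcpip.sys load produces nothing, the rwdrv service registration and the load from a temp directory each produce medium findings, and the WinDefend stop two minutes later is escalated to high because it falls inside the correlation window. The name list only catches drivers this advisory names; the directory heuristic and the "EDR service stopped shortly after a new kernel driver" correlation are what catch a renamed or not-yet-listed driver, which is why the sudden loss of agent telemetry is itself a signal worth alerting on.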

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.