// #byovd

2 articles

Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.

Apr 6, 2026 #ransomware +7

🛡️ SecOps

Qilin Claims ASB Saarland Attack — 72 GB Stolen From German Humanitarian Organisation

Qilin ransomware claimed responsibility for a cyberattack against ASB Saarland, a German humanitarian and social services organisation, alleging theft of 72 GB of data including employee records, applicant data, health-related information, and client data. The attack continues Qilin's record-breaking March 2026 activity, during which the group claimed 131 victims — their highest monthly total — driven by wide deployment of BYOVD techniques to defeat endpoint detection.

Mar 27, 2026 #qilin +8

Commentary tagged #byovd

Opinion

BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows

Qilin's Warlock toolkit, capable of disabling over 300 security tools using Bring Your Own Vulnerable Driver techniques, is not a nation-state capability — it is an affiliate-accessible ransomware tool. EDR is a necessary control. It is not a sufficient one, and the industry's marketing has outpaced what the technology can actually guarantee.

CipherWatch Editorial

Security Intelligence Platform

Apr 7, 2026

Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption

Qilin Claims ASB Saarland Attack — 72 GB Stolen From German Humanitarian Organisation

Commentary tagged #byovd

BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows