Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools


What happened

Threat actors linked to the Qilin and Warlock ransomware operations are abusing legitimately signed but vulnerable drivers (the bring-your-own-vulnerable-driver, or BYOVD, technique) to disable endpoint security tools on compromised systems. In the Qilin cases, researchers observed a malicious DLL named msimg32.dll launched through DLL side-loading, kicking off a multi-stage infection chain built to evade detection and shut down endpoint detection and response (EDR) protections. The loader suppresses Event Tracing for Windows (ETW), removes user-mode hooks, and decrypts the main payload entirely in memory so that nothing unpacked is written to disk. Once active, the malware loads two drivers, rwdrv.sys and hlpdrv.sys, and uses them to access physical memory and terminate processes tied to more than 300 EDR drivers across security vendors. 

Who is affected

The direct exposure is to organizations hit by Qilin or Warlock ransomware, especially those that rely on driver-based endpoint protections to stop post-compromise activity; because the attackers act from kernel context, user-mode controls alone cannot be expected to survive. The Warlock activity also involved attacks against unpatched Microsoft SharePoint servers, followed by the use of vulnerable kernel drivers to terminate security products at a low level. 

Why CISOs should care

This matters because the attacks are built to disable security controls before the ransomware runs, reducing the chance that defenders detect or stop later-stage activity. The use of signed but vulnerable drivers also shows how attackers turn legitimate kernel-level components into a practical path for defense evasion, persistence, and lateral movement inside already compromised environments: the driver passes signature checks, so the weakness lies in what a trusted driver is allowed to do, not in whether it is trusted. 

3 practical actions

  1. Tighten driver governance: Only allow signed drivers from explicitly trusted publishers, and review whether vulnerable but legitimate drivers can still be introduced into sensitive environments. A valid signature is not enough on its own; enforce Microsoft's recommended driver block rules (delivered through Windows Defender Application Control and kept current when memory integrity/HVCI is enabled) and check that the blocklist is actually applied on endpoints, not just present in policy. 
  2. Watch for pre-ransomware defense evasion: Hunt for suspicious DLL side-loading, ETW suppression, callback unregistration, and unexpected driver loads (new driver files, drivers loaded from user-writable paths, or known vulnerable driver hashes) before encryption begins. 
  3. Prioritize early detection after initial access: Move quickly on post-compromise signals, because researchers found that in the Qilin cases ransomware execution occurred on average about six days after the initial breach. 
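The following is an added hunting example, not code from the original article or from the researchers it cites. It runs the driver-load and DLL side-load checks from action 2 over a handful of constructed records shaped like Sysmon ImageLoad (Event ID 7) and DriverLoad (Event ID 6) events. Only the driver file names rwdrv.sys, hlpdrv.sys and the DLL name msimg32.dll come from the article; the other DLL names, the hash blocklist, the sample paths and file names are assumptions standing in for a real vulnerable-driver feed and real telemetry.

```python
"""Added example: hunt for the pre-ransomware BYOVD chain over Sysmon-style events.

Field names follow Sysmon's ImageLoad (Event ID 7) and DriverLoad (Event ID 6)
events; the sample values are constructed for this example.
"""
import ntpath

# Driver file names reported in the Qilin/Warlock activity described above.
ARTICLE_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumption: a short watchlist of system DLL names commonly abused for side-loading.
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll"}
# Assumption: placeholder hashes; in practice load a vulnerable-driver hash feed here.
BLOCKED_SHA256 = {"1" * 64}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_hashes(field):
    """Sysmon packs 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into one field."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def under(path, prefixes):
    """True if a Windows path (case-insensitive) is one of, or below, the prefixes."""
    p = path.lower()
    return any(p == d or p.startswith(d + "\\") for d in prefixes)


def check_image_load(ev):
    """Event 7: a system DLL name loaded from outside the system directories
    is the classic side-loading pattern (a copy planted next to a host EXE)."""
    loaded = ev["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name in SIDELOAD_DLLS and not under(ntpath.dirname(loaded), SYSTEM_DIRS):
        return f"possible DLL side-load: {ev['Image']} loaded {loaded}"
    return None


def check_driver_load(ev):
    """Event 6: known-bad names, blocklisted hashes, non-valid signatures,
    then (weakest signal) a validly signed driver loaded from an odd path."""
    loaded = ev["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    hashes = parse_hashes(ev.get("Hashes", ""))
    if name in ARTICLE_DRIVERS:
        return f"driver named in Qilin/Warlock reporting: {loaded}"
    if hashes.get("SHA256") in BLOCKED_SHA256:
        return f"driver hash on vulnerable-driver blocklist: {loaded}"
    if ev.get("SignatureStatus", "").lower() != "valid":
        return f"driver with non-valid signature: {loaded}"
    if not under(ntpath.dirname(loaded), DRIVER_DIRS):
        return f"signed driver loaded from unusual path: {loaded}"
    return None


def hunt(events):
    """Return one finding string per event that matches a check, in input order."""
    findings = []
    for ev in events:
        reason = None
        if ev.get("EventID") == 7:
            reason = check_image_load(ev)
        elif ev.get("EventID") == 6:
            reason = check_driver_load(ev)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample telemetry (paths, hashes and the file name legacydisk.sys are invented).
SAMPLE_EVENTS = [
    # benign: Paint loading the real msimg32.dll from System32
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "2" * 64},
    # suspicious: a msimg32.dll copy next to an EXE in a user-writable directory
    {"EventID": 7, "Image": r"C:\Users\Public\Tools\viewer.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\msimg32.dll",
     "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "3" * 64},
    # benign: a normal Microsoft driver from the drivers directory
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "4" * 64},
    # article-named driver, validly signed, dropped into ProgramData
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\rwdrv.sys",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "5" * 64},
    # validly signed, normal path, but its hash is on the blocklist
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\legacydisk.sys",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "1" * 64},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The ordering of checks in check_driver_load is deliberate: the name and hash matches are high-confidence and cheap, while "signed driver from an unusual path" is only a lead, since legitimate installers do stage drivers in temporary directories. Against real telemetry, feed the events from an exported Sysmon or EDR log and replace BLOCKED_SHA256 with a maintained vulnerable-driver hash list.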
