Windows Drivers Kill AV and EDR Before Ransomware
Windows Drivers Are Being Used to Kill AV and EDR Before Ransomware Deployment

Attackers are increasingly abusing signed but vulnerable Windows drivers to disable antivirus and endpoint detection and response (EDR) tools before launching ransomware. The technique is known as Bring Your Own Vulnerable Driver, or BYOVD.

The tactic is dangerous because it turns legitimate driver trust into an attacker advantage. Windows loads the driver because its code signature is valid; the attacker then triggers the driver's vulnerability to act with kernel privileges. Kernel-mode drivers run at the same privilege level as the kernel itself, so protections that block user-mode tampering with security processes do not stop them. If attackers can load a signed but vulnerable driver, they may gain the ability to terminate protected security processes, interfere with telemetry, disable endpoint defenses, and blind defenders before the final payload runs.

Recent ransomware operations have shown how serious this has become. GentleKiller, Qilin, Warlock, Akira, and other threat groups have used vulnerable or abused Windows drivers to weaken endpoint security and prepare systems for encryption, data theft, or further compromise.

For enterprises, this ...
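The point that matters for detection is that a BYOVD driver is validly signed, so a signature check alone will not flag it; defenders have to look at which driver loaded, from where, and whether it is on a blocklist. The following script is an added example and is not code from the article or from any of the groups or vendors it names. It triages driver-load records using the field names Sysmon writes for Event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the pipe-separated line format, the sample events, the file names, the signer names and the blocklist digest are all constructed for illustration and are not real indicators.

```python
"""Triage kernel driver loads for BYOVD indicators (added example, not from the article).

Field names follow Sysmon Event ID 6 (DriverLoad). The "key=value|key=value" line
format, sample events, hashes and signer names below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder digest standing in for a known-vulnerable driver.
# In practice this set is fed from Microsoft's vulnerable driver blocklist
# or a vendor intelligence feed.
BLOCKLIST_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Hypothetical set of signers expected on this fleet. Anything else is worth
# a look even when the signature itself is valid.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Kernel drivers normally live here; a driver loaded from a user-writable
# location is a classic BYOVD staging pattern.
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signer: str
    status: str
    findings: list = field(default_factory=list)


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed 'key=value|key=value' DriverLoad record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # split at the first '=' only
        fields[key.strip()] = value.strip()
    # Sysmon writes Hashes as e.g. "SHA256=<hex>,MD5=<hex>"; pick out SHA256.
    sha256 = ""
    for entry in fields.get("Hashes", "").split(","):
        algo, _, digest = entry.partition("=")
        if algo.strip().upper() == "SHA256":
            sha256 = digest.strip().lower()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=sha256,
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def analyze(event: DriverLoad) -> DriverLoad:
    """Attach findings; a validly signed driver can still be flagged by hash or path."""
    if event.sha256 in BLOCKLIST_SHA256:
        event.findings.append("blocklisted driver hash")
    if not event.signed or event.status.lower() != "valid":
        event.findings.append("unsigned or invalid signature")
    elif event.signer not in EXPECTED_SIGNERS:
        event.findings.append(f"unexpected signer: {event.signer}")
    if not TRUSTED_DIR_RE.match(event.image):
        event.findings.append("loaded from outside the drivers directory")
    return event


def triage(lines):
    """Parse and analyze every non-empty record, preserving input order."""
    return [analyze(parse_event(line)) for line in lines if line.strip()]


# Constructed sample events: a normal load, a BYOVD-style load of a validly
# signed but blocklisted driver from a user-writable path, and an unsigned load.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\Temp\drv.sys|Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\System32\drivers\legacy.sys|Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333|Signed=false|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        verdict = "; ".join(result.findings) or "no findings"
        print(f"{result.image}: {verdict}")
```

The second sample is the instructive one: its signature is valid and its signer is legitimate-looking, so only the blocklist match, the unexpected signer and the staging path expose it. In a real pipeline the blocklist should be refreshed from the Microsoft vulnerable driver blocklist and the expected-signer set tuned to the fleet, otherwise the signer check produces noise on machines with third-party hardware.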