
Ransomware Groups Now Routinely Disabling Security Software Before Attacking — EDR No Longer a Reliable Last Line of Defence

Qilin and Warlock ransomware operations have incorporated a technique that systematically disables endpoint security software across an entire organisation before deploying the ransomware payload. The technique exploits a trusted but vulnerable kernel driver to terminate over 300 security products at the operating system level — including the market's leading EDR solutions. Organisations whose ransomware defence relies primarily on endpoint security tools face significantly elevated risk.

Tags: #NIS2 #ISO-27001 #DORA

What Happened

Cybersecurity researchers at Cisco Talos and Trend Micro have documented that Qilin — one of the world’s most active ransomware groups, responsible for 131 confirmed attacks in March 2026 alone — is now routinely deploying a technique that disables endpoint security software across an entire enterprise before encrypting data.

The technique, known as “Bring Your Own Vulnerable Driver” (BYOVD), works by installing a legitimate but outdated security tool driver (one signed by a trusted manufacturer, so the operating system loads it without objection) and then using that driver’s known vulnerabilities to operate at the kernel level — below the protection layer of endpoint security software. From that position, the attacker can systematically shut down every security process on every machine in the organisation.

The practical consequence: in a confirmed January 2026 Qilin intrusion, the group used this capability to simultaneously disable endpoint detection software across an entire organisation’s domain before deploying ransomware — giving defenders no opportunity for endpoint-based detection or response.
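The mechanism described above leaves a recognisable trace in telemetry: a kernel driver load whose hash is on a vulnerable-driver blocklist, followed within minutes by security-agent processes dying on many hosts. Because the agents are the thing being killed, the detection has to run on events that have already been forwarded off the endpoint (for example Sysmon event ID 6, driver loaded, and event ID 5, process terminated, shipped to a SIEM). The following Python is an added example, not code from this briefing or from the Talos or Trend Micro researchers; the log format, host names, driver and process names, and hashes are all constructed, and the blocklist is a placeholder for Microsoft's vulnerable driver blocklist or the LOLDrivers dataset.

```python
"""Correlate a blocklisted kernel-driver load with a burst of security-agent
process terminations across the estate. Runs over telemetry that has already
left the endpoints, so it still fires after the agents themselves are gone.

Added example; every value below is CONSTRUCTED, not from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder hashes; a real deployment would load Microsoft's
# vulnerable driver blocklist or the LOLDrivers dataset here.
VULN_HASH = "0" * 64
BENIGN_HASH = "f" * 64
VULNERABLE_DRIVER_SHA256 = {VULN_HASH: "placeholder-vulnerable-driver"}

# Process names the organisation treats as its own security agents (constructed).
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "sensor_svc.exe"}

WINDOW = timedelta(minutes=10)  # how soon after the load the kills must follow
MIN_HOSTS = 3  # one host losing an agent is routine maintenance noise

# Constructed sample telemetry: ts|host|event|key=value;key=value
SAMPLE_LOG = f"""
2026-01-15T02:14:03|dc01|driver_load|name=legacyav.sys;sha256={VULN_HASH}
2026-01-15T02:14:21|dc01|process_terminated|name=edr_agent.exe
2026-01-15T02:14:22|ws-017|process_terminated|name=edr_agent.exe
2026-01-15T02:14:22|ws-017|process_terminated|name=av_service.exe
2026-01-15T02:14:25|fs02|process_terminated|name=sensor_svc.exe
2026-01-15T02:15:01|ws-044|process_terminated|name=edr_agent.exe
2026-01-15T09:30:00|ws-101|driver_load|name=vendor_nic.sys;sha256={BENIGN_HASH}
2026-01-15T09:31:00|ws-101|process_terminated|name=edr_agent.exe
"""


def parse_event(line):
    """Split one telemetry line into a dict; detail fields become keys."""
    ts, host, kind, detail = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def detect_byovd_kills(lines, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per blocklisted driver load that is followed, within
    `window`, by security-process terminations on at least `min_hosts` hosts.
    Kills are counted across the whole estate, because the technique is used
    to silence agents on every machine, not only where the driver was loaded."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "driver_load" or ev.get("sha256") not in VULNERABLE_DRIVER_SHA256:
            continue
        kills = defaultdict(set)
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-sorted, nothing further can match
            if later["kind"] == "process_terminated" and later.get("name", "").lower() in SECURITY_PROCESSES:
                kills[later["host"]].add(later["name"])
        if len(kills) >= min_hosts:
            alerts.append({
                "driver_host": ev["host"],
                "driver": ev.get("name"),
                "blocklist_entry": VULNERABLE_DRIVER_SHA256[ev["sha256"]],
                "loaded_at": ev["ts"].isoformat(),
                "hosts_with_kills": sorted(kills),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd_kills(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second driver load in the sample is not on the blocklist, and the lone agent termination that follows it on one host stays below `MIN_HOSTS`, so only the first sequence produces an alert; tune the window and host threshold to the size of your estate and to how often administrators legitimately stop agents.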

Business Impact

Endpoint security is no longer a reliable last line of defence against ransomware. The fundamental assumption underlying most enterprise ransomware defence strategies — that EDR software running on endpoints will detect and block ransomware deployment — is undermined when attackers can disable that software before the attack runs.

The technique is now mainstream. BYOVD was previously associated with sophisticated nation-state hacking groups. Qilin and Warlock are financially-motivated criminal enterprises operating at scale. The commoditisation of this technique means any organisation targeted by these groups faces the same capability.

Board-level exposure assessment needs updating. Any risk assessment or cyber insurance questionnaire that lists “EDR deployed on endpoints” as a primary ransomware control should be revisited. The mitigation value of that control has been materially reduced by this development.

Qilin’s scale amplifies the risk. With 131 victims in a single month and a cumulative count approaching 1,800, Qilin is not a targeted, high-skill attacker. It is a volume operation that has incorporated sophisticated techniques into its standard toolkit.

Regulatory Implications

NIS2: Article 21 requires “appropriate and proportionate technical measures” to manage cybersecurity risks. A security architecture where a single technique can simultaneously disable all endpoint protection is arguably not proportionate to the current threat environment. Operators should review defence-in-depth architecture against this development.

DORA: Resilience requirements for financial entities include ICT business continuity and the ability to detect and respond to incidents. An attack that disables detection capabilities before it executes calls for a review of whether the current detection architecture satisfies DORA’s resilience requirements.

ISO 27001: The standard requires organisations to select controls appropriate to identified risks. The risk that attackers can disable EDR tools before ransomware deployment is now a documented, operationalised threat — the control selection process should reflect this.

Board-Ready Summary

  • Ransomware attackers are now capable of disabling the security software that organisations rely on to detect and stop attacks, before they begin encrypting files.
  • This technique is being used at volume by Qilin, the most prolific ransomware group currently operating, meaning it is not a targeted, rare risk — it is a standard capability used against organisations of all sizes.
  • Boards should ask security leadership to confirm that the organisation’s ransomware defences extend beyond endpoint security tools to include network-level detection, immutable backups, and privileged access controls that limit attackers’ ability to reach the infrastructure needed to deploy this technique.

  1. Assess your ransomware defence architecture beyond EDR. Determine whether your incident detection capability extends to network-layer monitoring that does not rely on endpoint agents. If your entire detection capability is endpoint-dependent, you have a single point of failure.

  2. Implement or verify Windows Defender Application Control (WDAC) driver signing policies. WDAC can block the loading of known-vulnerable drivers at the kernel level, preventing the initial driver installation that enables this technique.

  3. Verify immutable backup architecture. Backups that can be reached and deleted by an attacker with domain administrator credentials provide no protection. Confirm that backup copies exist in an isolated environment (object storage with object lock, offline tape, or physically separate infrastructure).

  4. Restrict driver installation to administrative accounts with privileged access management. BYOVD requires administrative rights to install a kernel driver. Enforcing that administrative operations require PAM/jump-host access with full audit logging limits the attacker’s ability to stage the technique after initial credential theft.

  5. Brief your insurer and review policy terms. The widespread deployment of EDR-bypass techniques may affect how cyber insurers assess the adequacy of endpoint-centric security controls. Proactively engaging with your insurer about your defence-in-depth architecture is preferable to discovering policy interpretation issues after a claim.
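Item 2 above asks you to implement or verify WDAC driver policies. The two checks a practitioner wants are that the policy is actually enforced, not left in audit mode where a blocklisted driver is merely logged, and that its deny rules are referenced from the kernel-mode signing scenario, since a rule no scenario refers to blocks nothing. The following Python is an added example, not code from this briefing or from Microsoft: it audits a WDAC policy XML for those two properties. The sample policy is a constructed, abbreviated SiPolicy document (namespace, element names and the signing-scenario value 131 for kernel-mode code follow the schema; the hash is a placeholder), not Microsoft's recommended driver block rules, and signer-based deny rules are deliberately not counted as a simplification.

```python
"""Audit a WDAC policy XML for the properties that matter against BYOVD:
no "Enabled:Audit Mode" option, and Deny file rules that are referenced
from the kernel-mode signing scenario (Value 131).

Added example, not code from the page or from Microsoft. The sample policy is
constructed and abbreviated with a placeholder hash; signer-based denies
(DeniedSigners) are not counted, a simplification.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
KERNEL_MODE_SCENARIO = "131"  # SigningScenario Value for kernel-mode code; 12 is user mode
AUDIT_OPTION = "Enabled:Audit Mode"


def audit_wdac_policy(xml_text):
    """Return enforcement state, count of kernel-scenario Deny rules, and findings."""
    root = ET.fromstring(xml_text)
    options = {o.text.strip() for o in root.findall("si:Rules/si:Rule/si:Option", NS) if o.text}
    deny_ids = {d.get("ID") for d in root.findall("si:FileRules/si:Deny", NS)}

    # A Deny rule only applies inside a signing scenario that references it.
    driver_refs = set()
    for scenario in root.findall("si:SigningScenarios/si:SigningScenario", NS):
        if scenario.get("Value") == KERNEL_MODE_SCENARIO:
            driver_refs.update(r.get("RuleID") for r in scenario.findall(".//si:FileRuleRef", NS))
    driver_denies = deny_ids & driver_refs

    findings = []
    if AUDIT_OPTION in options:
        findings.append("audit mode: blocklisted drivers are logged, not blocked")
    if not deny_ids:
        findings.append("no Deny file rules present")
    elif not driver_denies:
        findings.append("Deny rules exist but none is referenced from the kernel-mode scenario")
    return {
        "enforced": AUDIT_OPTION not in options,
        "driver_deny_rules": len(driver_denies),
        "findings": findings,
    }


def sample_policy(audit_mode):
    """Constructed, abbreviated policy for demonstration; not a real block list."""
    audit_rule = f"<Rule><Option>{AUDIT_OPTION}</Option></Rule>" if audit_mode else ""
    placeholder_hash = "0" * 40  # PLACEHOLDER, not a real driver hash
    return f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    {audit_rule}
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_PLACEHOLDER_1" FriendlyName="placeholder vulnerable driver" Hash="{placeholder_hash}" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel-mode drivers">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_DENY_PLACEHOLDER_1" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""


if __name__ == "__main__":
    # Usage: python wdac_audit.py policy.xml   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else sample_policy(audit_mode=True)
    print(audit_wdac_policy(text))
```

Run it against the XML source of the policy you deploy, not only the compiled binary, and treat any finding as a gap: a policy that passes both checks still needs its hash and signer entries kept current as new vulnerable drivers are published.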