Opinion / Commentary

BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows

Qilin's Warlock toolkit, capable of disabling over 300 security tools using Bring Your Own Vulnerable Driver techniques, is not a nation-state capability — it is an affiliate-accessible ransomware tool. EDR is a necessary control. It is not a sufficient one, and the industry's marketing has outpaced what the technology can actually guarantee.

CipherWatch Editorial · Security Intelligence Platform
5 min read

Qilin’s Warlock pre-ransomware toolkit was documented this week as capable of disabling more than 300 endpoint security products, including enterprise EDR platforms from multiple major vendors. The technique it uses — Bring Your Own Vulnerable Driver, or BYOVD — exploits the fact that Windows kernel driver signing requirements can be satisfied by loading a legitimate, signed driver that contains a known vulnerability, then exploiting that vulnerability to gain kernel-level access sufficient to terminate security processes.

BYOVD is not a new technique. It has been documented in nation-state malware since at least 2016 and has appeared in ransomware tooling since 2022. The LOLDrivers project, a public database of vulnerable drivers that have been abused in the wild, currently lists over 300 entries. The technique is well understood, the tooling is increasingly available, and its presence in an affiliate-distributed ransomware toolkit confirms what security researchers have been saying for two years: BYOVD has moved from sophisticated threat actor capability to commodity criminal tool.

The question this raises is not “why did Qilin develop this?” — the answer is obvious, it works — but rather “what does this mean for organisations that have built their endpoint security posture primarily around EDR?”

What EDR Actually Guarantees

Endpoint Detection and Response platforms have been one of the genuine success stories of enterprise security over the past decade. The shift from signature-based antivirus to behavioural detection has substantially raised the cost of commodity malware attacks. EDR telemetry has transformed incident response from forensic reconstruction to real-time visibility. The platforms are genuinely valuable and their widespread adoption has meaningfully improved enterprise security.

What EDR cannot guarantee is protection against an attack that successfully terminates it before it can act.

This is not a subtle limitation buried in a vendor data sheet. It is a structural property of software-based security controls running on a general-purpose operating system. A process with sufficient privilege can terminate another process. The kernel controls everything. If an attacker achieves kernel-level access — which BYOVD provides — the attacker can make decisions about which software continues to run. Security software is not exempt from this.

EDR vendors have implemented tamper protections — Windows ELAM (Early Launch Anti-Malware), Protected Process Light (PPL), and kernel callbacks that alert on suspicious driver loads. These are genuine defensive measures that raise the bar for tampering. Qilin’s Warlock has been documented as capable of bypassing them in multiple configurations. The arms race between offensive and defensive kernel-level capabilities is ongoing, and the offensive side currently has the advantage of exploiting a large, stable, public database of vulnerable legitimate drivers.

The Marketing Gap

The security industry has a marketing problem with EDR that has direct consequences for how organisations understand their exposure.

EDR platforms are sold, in many cases, with language that implies comprehensive protection: “stop breaches,” “prevent ransomware,” “protect every endpoint.” This language is not technically dishonest — EDR does prevent a large proportion of commodity attacks. But it creates a mental model in which EDR is a terminal defence, a control that, if deployed correctly, prevents a successful compromise.

That mental model is wrong, and the industry knows it. Every EDR vendor’s threat research team publishes documentation of techniques that bypass their product. Every red team engagement report at a mature organisation includes EDR evasion as a standard phase. Security architects who work with EDR vendors directly understand that the product is a detection and response capability, not a prevention guarantee.

The problem is that this understanding does not consistently reach the people making security investment and governance decisions. CISOs who have spent significant budget on an enterprise EDR deployment may have communicated to their board that endpoint security has been addressed. When Warlock disables that EDR before deploying ransomware, the technical reality arrives before the conceptual revision.

What the Response Should Be

BYOVD’s effectiveness against EDR does not mean EDR should be deprioritised. It means that EDR should be understood as one layer in a control stack, not the stack itself.

Microsoft’s Vulnerable Driver Blocklist — available through Windows Defender Application Control and updated regularly — blocks known vulnerable drivers from loading. Enabling and maintaining this blocklist directly addresses BYOVD attacks that rely on drivers in the known-bad list. It does not address drivers that have not yet been catalogued, but it substantially reduces the available toolkit for commodity BYOVD attacks.

Kernel control flow integrity and driver signing enforcement have been progressively strengthened in modern Windows versions. Organisations running Windows 11 on compatible hardware have access to hardware-enforced stack protection and Memory Integrity (HVCI) that makes kernel exploitation substantially harder. Organisations that have not assessed their HVCI deployment posture should do so.
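The two mitigations above can be checked from an elevated PowerShell session. This is an added example, not code from the article or from any vendor; it reads the documented Win32_DeviceGuard CIM class and the registry toggle behind the Windows Security "Microsoft Vulnerable Driver Blocklist" switch, and changes nothing.

```powershell
# Added example: read-only posture check for HVCI and the vulnerable driver blocklist.
# Assumes Windows 10/11 and an elevated session; CIM property meanings per Microsoft's
# Win32_DeviceGuard documentation.

function Get-HvciPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # CodeIntegrityPolicyEnforcementStatus (WDAC kernel policy): 0 = off, 1 = audit, 2 = enforced
    [pscustomobject]@{
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured     = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
        WdacKernelPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-VulnerableDriverBlocklistPosture {
    # The Windows Security toggle is stored as a DWORD under the Code Integrity config key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $val  = if ($prop) { $prop.VulnerableDriverBlocklistEnable } else { $null }
    # $null means the value was never written: the platform default applies, which on
    # recent Windows 11 builds with HVCI running is "enabled". Report it as "unset", not "off",
    # and confirm in the Windows Security UI or via a WDAC policy if you need certainty.
    [pscustomobject]@{
        RegistryValue    = $val
        State            = switch ($val) { 1 { 'enabled' } 0 { 'disabled' } default { 'unset (platform default)' } }
    }
}

# Usage: a single object suitable for fleet-wide collection and comparison against policy.
$hvci = Get-HvciPosture
$bl   = Get-VulnerableDriverBlocklistPosture
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    HvciRunning      = $hvci.HvciRunning
    WdacKernelPolicy = $hvci.WdacKernelPolicy
    DriverBlocklist  = $bl.State
} | Format-List
```

A WDAC policy that carries the full recommended driver block rules is reported through the CIM class rather than the registry toggle, so an enforced kernel policy with the toggle "unset" is an expected, healthy combination.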

Network-level controls remain effective when EDR is disabled. An EDR that has been terminated cannot detect process behaviour or file system changes. Network telemetry can still reach a SIEM if network monitoring is implemented as a separate, independent layer. Segmentation that prevents lateral movement from a compromised endpoint to domain controllers, backup infrastructure, and administrative systems remains effective regardless of EDR status.

Immutable backup infrastructure is the control that most directly changes the economics of ransomware, including ransomware that successfully disables EDR. If recovery without paying is genuinely possible — because backups are stored offline, tested regularly, and recoverable within a timeframe the organisation can tolerate — the ransomware operator’s leverage is substantially reduced.

The Honest Conversation

The honest conversation about EDR is that it is a necessary, valuable, imperfect control that is more effective against commodity attacks than against sophisticated ones, and that its effectiveness against even commodity attacks is being steadily reduced as techniques like BYOVD enter the criminal mainstream.

That conversation should be happening in board reporting, in security architecture reviews, and in investment decisions. Organisations that have treated EDR deployment as a destination rather than a component of a broader control strategy are discovering, through incidents like Qilin’s campaigns, that the destination was not where they thought it was.
