Both the Qilin and Warlock ransomware operations have been moving to deactivate endpoint detection and response (EDR) solutions on targeted systems through the bring-your-own-vulnerable-driver (BYOVD) technique, The Hacker News reports.

Attacks by Qilin involved the delivery of an illicit DLL that triggers a multi-stage infection chain that terminates more than 300 EDR drivers, according to Cisco Talos researchers. The DLL loader employs sophisticated EDR evasion tactics, including Event Tracing for Windows (ETW) event log suppression and user-mode hook suppression, to allow the decryption of the primary EDR killer payload, which then exploits the rwdrv.sys and hlpdrv.sys drivers to access systems' physical memory and terminate EDR driver processes, respectively.

Another report, from Trend Micro analysts, showed that Warlock ransomware, also known as Water Manaul, tapped the TightVNC tool and the NSec driver in a BYOVD intrusion against vulnerable Microsoft SharePoint servers. Warlock was also noted to have leveraged the PsExec, RDP Patcher, Velociraptor, Visual Studio Code, Cloudflare Tunnel, and Rclone tools in the attack. "[O]rganizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities," said Trend Micro researchers.
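The driver-governance and kernel-monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the article or from the vendors it cites: it scans Sysmon DriverLoad (Event ID 6) records rendered as key=value text and flags loads of the driver names the article mentions, drivers that are unsigned or whose signature is not valid, and drivers loaded from user-writable paths. The pipe-delimited field layout and every log line are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Driver file names the report says the EDR-killer chain abused.
WATCHLIST = {"rwdrv.sys", "hlpdrv.sys"}
# Legitimate drivers live in the system driver store, not under these prefixes.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Minimal parser for 'Key=value|Key=value' text (an assumed export format).
FIELD_RE = re.compile(r"(\w+)=([^|]*)")

def parse_record(line: str) -> dict:
    """Turn one pipe-delimited Sysmon record into a dict of fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def assess_driver_load(record: dict) -> list[str]:
    """Return the reasons a DriverLoad record looks like BYOVD (empty if none)."""
    image = record.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"known-abused driver name: {name}")
    if (record.get("Signed", "").lower() != "true"
            or record.get("SignatureStatus", "").lower() != "valid"):
        reasons.append("driver is unsigned or its signature is not valid")
    if any(marker in image.lower() for marker in USER_WRITABLE):
        reasons.append(f"loaded from a user-writable path: {image}")
    return reasons

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only Event ID 6 (DriverLoad) records that produced a finding."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") == "6":
            reasons = assess_driver_load(rec)
            if reasons:
                findings.append((rec.get("ImageLoaded", "?"), reasons))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signed=true|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\ProgramData\\svc\\rwdrv.sys|Signed=true|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\hlpdrv.sys|Signed=false|SignatureStatus=Unavailable",
    "EventID=7|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image, "->", "; ".join(reasons))
```

A validly signed driver that still appears on the watchlist is the point of BYOVD: signature checks alone do not catch it, which is why the name and path checks are combined with them.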