Ransomware Groups Exploit Vulnerable Drivers to Evade Detection

Recent findings reveal that Qilin and Warlock ransomware are leveraging vulnerable drivers to disable over 300 endpoint detection and response tools.

Recent investigations by Cisco Talos and Trend Micro found that the Qilin and Warlock ransomware operations use the 'bring your own vulnerable driver' (BYOVD) technique. Rather than exploiting a flaw in the victim's own software, the attacker drops a legitimately signed third-party driver that carries a known vulnerability, loads it, and abuses it to run code with kernel privileges. From the kernel the malware can terminate or blind security agents that a user-mode process could not touch, which is how the reported tooling is able to disable more than 300 endpoint detection and response (EDR) tools. Qilin has also been observed deploying a malicious DLL named 'msimg32.dll' (the name of a legitimate Windows system library) to tamper with defenses on compromised hosts. BYOVD is a well-established technique, but its adoption by two active ransomware operations shows how effectively it circumvents controls that depend on user-mode visibility.
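The detection side of this, as an added example (not code from Talos, Trend Micro or The Hacker News, and not a reproduction of either group's tooling): the script below correlates Sysmon driver-load events (Event ID 6) with security-product process terminations (Event ID 5) in the minutes that follow, which is the sequence BYOVD tooling produces when it loads a driver and then uses it to kill EDR agents. The sample events, the `vendorutil.sys` driver name, the `aa…` hash, the user-writable-path heuristic and the process-name list are all constructed for the example; a real deployment would populate the hash set from Microsoft's recommended driver block rules or the LOLDrivers project and feed the functions forwarded events.

```python
"""Added example: flag BYOVD-style activity in Sysmon events by correlating a
suspicious driver load (Event ID 6) with security-product process terminations
(Event ID 5) shortly afterwards. All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed placeholder hash. In practice, load SHA-256 values from Microsoft's
# recommended driver block rules or the LOLDrivers list (loldrivers.io).
KNOWN_VULNERABLE_SHA256 = {"aa" * 32}

# Legitimate drivers live under System32\drivers; a .sys loaded from a
# user-writable location is a strong BYOVD indicator regardless of its hash.
USER_WRITABLE_PATH = re.compile(
    r"^[a-z]:\\(users\\|windows\\temp\\|programdata\\|temp\\)", re.IGNORECASE)

# Security-agent process names to watch for termination (extend per estate).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event's EventData into a dict; the XML namespace
    Sysmon emits is stripped so plain tag names can be used."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    fields["EventID"] = int(root.findtext("./System/EventID"))
    fields["time"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def sha256_from_hashes(hashes: str):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; return the SHA-256."""
    for part in hashes.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def driver_load_indicators(ev: dict) -> list:
    """Reasons a driver load looks like BYOVD; an empty list means benign."""
    reasons = []
    if sha256_from_hashes(ev.get("Hashes", "")) in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on known-vulnerable driver list")
    if USER_WRITABLE_PATH.match(ev.get("ImageLoaded", "")):
        reasons.append("driver loaded from user-writable path")
    return reasons


def find_byovd_sequences(events, window=timedelta(minutes=2), min_kills=2):
    """For each suspicious driver load, collect security processes terminated
    within `window` afterwards; `min_kills` or more raises severity to high."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 6:
            continue
        reasons = driver_load_indicators(ev)
        if not reasons:
            continue
        killed = [
            e["Image"] for e in events[i + 1:]
            if e["EventID"] == 5
            and e["time"] - ev["time"] <= window
            and e["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
        ]
        alerts.append({
            "driver": ev["ImageLoaded"],
            "reasons": reasons,
            "terminated": killed,
            "severity": "high" if len(killed) >= min_kills else "medium",
        })
    return alerts


def _ev(event_id: int, utc: str, data: dict) -> str:
    """Build a constructed, Sysmon-shaped event XML string for the sample."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="UtcTime">{utc}</Data>{body}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed: one benign load, one BYOVD load, then kills
    _ev(6, "2026-04-10 09:00:00.000", {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
        "Hashes": "SHA256=" + "bb" * 32, "Signed": "true", "SignatureStatus": "Valid"}),
    _ev(6, "2026-04-10 09:12:03.100", {"ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\vendorutil.sys",
        "Hashes": "SHA256=" + "aa" * 32, "Signed": "true", "SignatureStatus": "Valid"}),
    _ev(5, "2026-04-10 09:12:09.500", {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe", "ProcessId": "4120"}),
    _ev(5, "2026-04-10 09:12:10.200", {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe", "ProcessId": "5560"}),
    _ev(5, "2026-04-10 09:12:30.000", {"Image": r"C:\Windows\System32\notepad.exe", "ProcessId": "7000"}),
    _ev(5, "2026-04-10 09:20:00.000", {"Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe", "ProcessId": "6100"}),  # outside window
]

if __name__ == "__main__":
    for alert in find_byovd_sequences([parse_sysmon_event(x) for x in SAMPLE_EVENTS]):
        print(alert)
```

On the sample, only the Temp-directory load is reported: it matches both the hash list and the path heuristic, and two security agents die within the window (the later CSFalconService.exe termination falls outside it and is ignored), so the alert is rated high. The signed/valid status is deliberately not used as a signal, because in BYOVD the driver's signature is genuine; the path and hash checks are what distinguish it.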

For defenders, the key point is that BYOVD does not depend on a flaw in the victim's own drivers, so keeping installed drivers patched does little against it: the attacker supplies the vulnerable driver. Mitigation instead means preventing known-bad drivers from loading and catching the attempt when one does. On Windows that is Microsoft's vulnerable driver blocklist, enforced through Windows Defender Application Control or the memory integrity (HVCI) setting, supplemented by monitoring of driver-load events for drivers that arrive in user-writable directories or match published vulnerable-driver hash lists, and by alerting when security-agent processes terminate unexpectedly. This episode also reinforces the value of proactive, kernel-aware monitoring: whether rule-based or anomaly-driven, the goal is to flag the sequence of an unusual driver load followed by loss of EDR telemetry before encryption begins, thereby safeguarding sensitive data and maintaining operational integrity.

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html)*