Qilin Ransomware and the Hidden Dangers of BYOVD
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics cybercriminals use to evade Endpoint Detection and Response (EDR) systems. The attackers used a previously unknown driver, TPwSav.sys, to disable EDR protections through a technique known as bring-your-own-vulnerable-driver (BYOVD). The report details the entire attack chain, from initial compromise using stolen credentials to the final attempt to deploy ransomware, and emphasizes how rapid isolation of affected systems and a layered security approach stopped the attackers. It also provides background on Qilin ransomware, its operation as ransomware-as-a-service (RaaS), and its targeting patterns. The technical breakdown covers the EDR bypass technique and the customized version of the EDRSandblast tool used in the attack.
OPENCTI LABELS:
ransomware,raas,byovd,qilin