216.73.217.176

Qilin Ransomware and the Hidden Dangers of BYOVD

· Published 31/07/2025 13:13 · Modified 31/07/2025 15:22

Export JSON

Essential information

Published
31/07/2025 13:13
Modified
31/07/2025 15:22
Tags
2025-07-31 byovd qilin raas ransomware
Related entities
7 observables, 1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 2 others

Description

This analysis examines a recent incident involving , highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring-your-own-vulnerable-driver (). The report details the entire attack chain, from initial compromise using stolen credentials to the final attempt at deploying . It emphasizes how rapid isolation of impacted systems and a layered security approach thwarted the attackers. The analysis also provides background on , its operation as a -as-a-service (), and its targeting patterns. The technical breakdown includes an examination of the EDR bypass technique and the customized version of the EDRSandblast tool used in the attack.

External references