Qilin Ransomware and the Hidden Dangers of BYOVD
Essential information
- Published
- 31/07/2025 13:13
- Modified
- 31/07/2025 15:22
- Tags
- 2025-07-31 byovd qilin raas ransomware
- Related entities
- 7 observables, 1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 2 others
Description
This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring-your-own-vulnerable-driver (BYOVD). The report details the entire attack chain, from initial compromise using stolen credentials to the final attempt at deploying ransomware. It emphasizes how rapid isolation of impacted systems and a layered security approach thwarted the attackers. The analysis also provides background on Qilin ransomware, its operation as a ransomware-as-a-service (RaaS), and its targeting patterns. The technical breakdown includes an examination of the EDR bypass technique and the customized version of the EDRSandblast tool used in the attack.