#BYOVDAttack
BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats

Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems.

The technique, known as Bring Your Own Vulnerable Driver (BYOVD), involves attackers loading a digitally signed but flawed driver onto a machine they have already compromised. Once loaded, the vulnerable driver is exploited to obtain kernel-mode (ring 0) privileges, the highest level of access in Windows.

Researchers from Picus Security said the method allows threat actors to "load a legitimate, digitally signed, but vulnerable driver onto a target system" and then exploit weaknesses in that driver to gain arbitrary kernel-mode execution.

With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference.

How the attack works

BYOVD does not provide the initial entry point. Attackers use it after gaining administrative access by other means, such as phishing, stolen credentials, exploitation of exposed services or access purchased from an initial access broker. Loading a kernel driver requires SeLoadDriverPrivilege, which administrators hold by default, so the technique is a post-exploitation step rather than an escalation from an ordinary user account.

Once administrative privileges are obtained, the attacker writes the vulnerable driver file, typically a .sys, to disk. It is often dropped in a location any process can write to, such as C:\Windows\Temp or C:\Users\Public.

Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools and gaming applications. Because they are officially signed, they pass Windows' signature checks. The attacker then loads the driver into the kernel, commonly through the Service Control Manager (for example sc.exe create <name> type= kernel binPath= <path> followed by sc.exe start <name>) or by calling the NtLoadDriver API directly. Since the driver carries a valid signature, Windows loads it into kernel space without any immediate alert.

Exploiting driver weaknesses

After the driver is loaded, attackers abuse the unsafe I/O control (IOCTL) handlers it exposes. These handlers typically let a user-mode caller read and write arbitrary memory, map physical memory or terminate arbitrary processes without checking who is calling. By sending crafted DeviceIoControl requests, the attacker reaches protected kernel memory and gains full control of the operating system's most privileged layer.

With kernel read and write, attackers can disable security protections in several ways: remove the kernel callbacks (process, thread and image-load notification routines, minifilter registrations) that EDR products depend on, patch tamper-protection routines in memory, terminate antivirus processes, or manipulate kernel process objects to conceal malicious activity.

Even though the security software still appears installed and running, the endpoint is effectively unprotected.

Example of driver abuse

One attack analyzed by Picus involved ransomware actors abusing mhyprot2.sys, the anti-cheat driver shipped with the video game Genshin Impact. The attackers installed the legitimate driver and then used a separate executable to send it a command instructing it to terminate antivirus processes. Because the driver runs in kernel mode, the kill succeeded against processes that user-mode tooling could not touch. Once defenses were down, the ransomware encrypted files without resistance.

Structural weaknesses in driver trust

The effectiveness of BYOVD stems partly from how Windows decides which drivers to trust. Since Windows 10 version 1607, new kernel drivers on a fresh installation with Secure Boot enabled must be signed by Microsoft through the Hardware Dev Center (attestation or WHQL signing). Compatibility rules, however, still allow older cross-signed drivers to load under specific conditions: systems with Secure Boot disabled, systems upgraded in place from an earlier Windows release rather than freshly installed, and drivers whose signing certificate was issued before 29 July 2015 and chains to a supported cross-signing CA.

These allowances create gaps that attackers exploit by loading vulnerable legacy drivers the system still trusts.

Microsoft also maintains a vulnerable driver blocklist, but a driver is only added after its vulnerability has been discovered and reported, and the copy shipped with Windows is updated roughly in step with major releases (a newer version can be deployed earlier as a WDAC policy). As a result, newly identified vulnerable drivers may remain usable for extended periods.

So BYOVD attacks do not technically bypass Windows' security mechanisms; they use drivers the operating system still considers trustworthy.

Defending against BYOVD

Security experts say defending against the technique requires layered protections rather than a single configuration change.

Enable Hypervisor-Protected Code Integrity (HVCI, shown as Memory Integrity in Windows Security) and the broader virtualization-based security stack. HVCI prevents kernel code pages from being patched and unsigned code from being mapped, and it enforces the vulnerable driver blocklist; it does not, however, stop data-only tampering such as unlinking EDR callbacks, which is why the blocklist and driver allow-listing still matter.

Windows Defender Application Control (WDAC) policies and Microsoft's vulnerable driver blocklist restrict which drivers may load at all. Limiting administrative privilege is equally important: remove unnecessary local administrator rights, enforce least privilege and require multi-factor authentication for privileged accounts, since the attacker needs administrative rights to load a driver in the first place.

Monitoring is also essential. Watch for driver load events (Sysmon Event ID 6) and new kernel-driver service creation (System log Event ID 7045, Security log Event ID 4697), especially where the image path points outside %SystemRoot%\System32\drivers. Keep Secure Boot enabled and restrict driver installation through Group Policy to reduce the chance of legacy or unauthorized drivers being loaded. Periodically audit the third-party drivers installed across the fleet to shrink the kernel attack surface.

Security analysts say BYOVD reflects a broader change in attacker strategy: instead of relying only on new vulnerabilities or zero-day exploits, threat actors increasingly use trusted, signed components that the system will accept.
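The loading step above (sc.exe create / sc.exe start of a .sys in a writable directory) and the monitoring advice both point at the same telemetry: Service Control Manager event 7045 and Sysmon event 6. The following script is an added example, not code from Picus or from the article, that parses those two event types and flags the patterns described. The event records, service names, signer strings and the "known vulnerable" digests are constructed for the example; a real deployment would substitute the Microsoft vulnerable driver blocklist or a feed such as LOLDrivers for KNOWN_VULNERABLE_SHA256.

```python
"""Flag suspicious kernel-driver loads in Windows event XML (added example).

Sources parsed:
  * System log, Service Control Manager event 7045 ("A service was installed
    in the system"); ServiceType "kernel mode driver" means a new driver
    service, e.g. one created with `sc.exe create ... type= kernel`.
  * Sysmon event 6 (DriverLoad), which records the image hash and signature state.
Sample events and the blocklist digests below are constructed, not real data.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Where a kernel driver legitimately lives (lower-case, forward slashes after normalisation).
TRUSTED_DRIVER_DIRS = ("c:/windows/system32/drivers/", "c:/windows/system32/driverstore/")
# User-writable locations BYOVD tooling is known to drop drivers into.
WRITABLE_DIRS = ("c:/windows/temp/", "c:/users/public/", "c:/programdata/", "/appdata/")

FAKE_HASH = "11" * 32  # constructed digest standing in for a real blocklisted driver
KNOWN_VULNERABLE_SHA256 = {FAKE_HASH: "mhyprot2.sys (anti-cheat driver with process-kill IOCTL)"}


def normalize_path(image_path: str) -> str:
    """Reduce the path forms seen in ImagePath/ImageLoaded to one comparable form."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):            # NT object-manager prefix written by sc.exe
        p = p[4:]
    p = p.replace("\\", "/").lower()
    if p.startswith("/systemroot/"):       # \SystemRoot\system32\drivers\x.sys
        p = p[len("/systemroot/"):]
    if p.startswith("system32/"):          # SCM stores driver paths relative to %SystemRoot%
        p = "c:/windows/" + p
    return p


def parse_event(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"event_id": int(system.find("e:EventID", NS).text),
          "provider": system.find("e:Provider", NS).get("Name", "")}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def sha256_from_hashes(field: str) -> Optional[str]:
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", field)
    return m.group(1).lower() if m else None


def analyze_events(events_xml, blocklist=KNOWN_VULNERABLE_SHA256) -> list:
    findings = []

    def flag(severity, subject, path, reason):
        findings.append({"severity": severity, "subject": subject, "path": path, "reason": reason})

    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["event_id"] == 7045 and "kernel mode driver" in ev.get("ServiceType", "").lower():
            path = normalize_path(ev.get("ImagePath", ""))
            if any(w in path for w in WRITABLE_DIRS):
                flag("high", ev.get("ServiceName"), path, "kernel driver service with image in user-writable directory")
            elif not path.startswith(TRUSTED_DRIVER_DIRS):
                flag("medium", ev.get("ServiceName"), path, "kernel driver service image outside standard driver directories")
        elif ev["event_id"] == 6 and ev["provider"] == "Microsoft-Windows-Sysmon":
            path = normalize_path(ev.get("ImageLoaded", ""))
            name = path.rsplit("/", 1)[-1]
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in blocklist:
                flag("high", name, path, f"driver hash on vulnerable-driver list: {blocklist[digest]}")
            if ev.get("SignatureStatus", "").lower() != "valid":
                flag("medium", name, path, f"driver loaded with signature status {ev.get('SignatureStatus')!r}")
    return findings


def _event(provider, event_id, **data):
    """Build a constructed event record in Windows event XML shape."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>')


SCM, SYSMON = "Service Control Manager", "Microsoft-Windows-Sysmon"
SAMPLE_EVENTS = [  # constructed telemetry
    _event(SCM, 7045, ServiceName="mhyprot2", ImagePath=r"\??\C:\Windows\Temp\mhyprot2.sys",
           ServiceType="kernel mode driver", StartType="demand start", AccountName=""),
    _event(SCM, 7045, ServiceName="acmewidget", ImagePath=r"\SystemRoot\System32\drivers\acmewidget.sys",
           ServiceType="kernel mode driver", StartType="boot start", AccountName=""),
    _event(SCM, 7045, ServiceName="UpdaterSvc", ImagePath=r"C:\Program Files\Acme\updater.exe",
           ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem"),
    _event(SYSMON, 6, RuleName="-", ImageLoaded=r"C:\Windows\Temp\mhyprot2.sys",
           Hashes=f"SHA256={FAKE_HASH}", Signed="true", Signature="Example Game Studio", SignatureStatus="Valid"),
    _event(SYSMON, 6, RuleName="-", ImageLoaded=r"C:\Windows\OEMDrivers\oemtool.sys",
           Hashes=f"SHA256={'22' * 32}", Signed="true", Signature="Example OEM", SignatureStatus="Expired"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['subject']}: {f['reason']} ({f['path']})")
```

Run against the constructed events it reports the Temp-directory kernel service and the blocklisted hash as high, the expired-signature load as medium, and stays silent on the boot-start driver under System32\drivers and the user-mode service. The path normalisation matters in practice: sc.exe writes the `\??\` prefix, and SCM records drivers installed by setup relative to %SystemRoot%, so a naive string match on `C:\Windows\System32\drivers` misses both forms.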

BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats #BYOVDAttack #cyberattack #CyberAttacks

New Ransomware Uses Trusted Drivers to Disable Security Defenses

Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method is known as Bring Your Own Vulnerable Driver (BYOVD). It abuses legitimate, signed drivers that contain known weaknesses. Because the operating system recognizes them as trusted components, attackers can exploit them to gain kernel access and stop endpoint protection tools with reduced risk of detection. The tactic has been observed repeatedly across ransomware operations in recent years.

In the Reynolds incidents the malware deploys the NSecKrnl driver produced by NsecSoft. The driver carries a publicly documented vulnerability, CVE-2025-68947 (severity score 5.7), that allows any running process to be forcibly terminated. The attackers use it to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection.

The same driver was previously abused by the threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also used other vulnerable drivers, such as truesight.sys and amsdk.sys, in similar operations.

Analysts note that integrating defense suppression into the ransomware itself is not unprecedented: a comparable approach appeared in a Ryuk incident in 2020 and in Obscura ransomware activity in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and reduces the number of separate files defenders might detect.

Investigations into recent intrusions found signs of long-term preparation. A suspicious loader using DLL side-loading was present on victim networks several weeks before encryption occurred. Within a day of the ransomware being deployed, the remote access program GotoHTTP was installed, indicating an effort to retain control of the compromised systems.

Parallel campaigns show other shifts in attacker behavior. Large phishing operations are circulating shortcut (.lnk) attachments that launch PowerShell scripts, which install Phorpiex malware, which in turn delivers GLOBAL GROUP ransomware. This ransomware performs all operations locally and transmits no stolen data, so it works in networks without internet access.

Other campaigns tied to WantToCry have used virtual machines provisioned through ISPsystem, a legitimate infrastructure management provider, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat and Ursnif, as well as NetSupport RAT, PureRAT, Lampion, Lumma Stealer and RedLine Stealer. Researchers assess that bulletproof hosting providers rent ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager's default Windows templates: because the templates reuse identical hostnames and system identifiers, thousands of virtual machines share one fingerprint, which complicates takedown efforts.

Ransomware groups are also expanding their business models. DragonForce now offers affiliates a "Company Data Audit" service that includes risk assessments, pre-written call scripts, executive-level letters and negotiation guidance. The group operates as a cartel in which affiliates launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES with ChaCha20 for file encryption and targets Windows, Linux and ESXi environments. The release adds file wiping, delayed execution, encryption progress tracking, improved evasion, stronger in-memory operation and a smaller on-disk footprint.

The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 (severity score 5.5), to disable security tools by BYOVD. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access vector.

Targeting is also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is one of several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire and The Gentlemen. ReliaQuest reported that Sinobi's data-leak activity increased 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit's resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024; incidents centered only on data theft rose 23 percent to 6,182.

Coveware reported that the average ransom demand reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

New Ransomware Uses Trusted Drivers to Disable Security Defenses #BYOVDAttack #cloudstorage #CyberAttacks

Attackers Exploit Revoked EnCase Driver to Disable Endpoint Security Using New EDR Killer Malware

Threat actors are increasingly deploying a new EDR killer capable of disabling 59 popular endpoint protection products. According to Huntress researchers, the malware abuses a Windows kernel driver that was once legitimately distributed with Guidance Software's EnCase digital forensics tool. The driver is genuine, but its signing certificate expired and was revoked more than a decade ago. Windows nevertheless still loads it, which makes it an attractive target for attackers.

Huntress identified the intrusion earlier this month and reconstructed a multi-step process. The attackers first gained entry by authenticating to a SonicWall SSL VPN with previously stolen credentials. Once inside, they conducted internal reconnaissance before deploying the EDR killer, which carried the vulnerable kernel driver embedded within it.

To evade detection, the malware uses a custom encoding scheme that conceals the driver from security tools until runtime. After decoding, the driver is written to disk under a directory that resembles a legitimate OEM component. The file is marked hidden, its timestamps are copied from an authentic system file to avoid suspicion, and it is registered as a Windows kernel service so that it persists across reboots.

"Once loaded, the driver exposes an IOCTL interface that allows usermode processes to terminate arbitrary processes directly from kernel mode. This bypasses all usermode protections, including Protected Process Light (PPL) that typically guards critical system processes and EDR agents," the researchers explained.

This is a Bring Your Own Vulnerable Driver (BYOVD) attack: rather than writing a malicious driver from scratch, and needing a trusted signature for it, attackers reuse legitimate drivers created by hardware vendors or software providers. Once such a driver is loaded into the kernel, its vulnerabilities or exposed interfaces are used to disable security tools, weaken system defenses or access system memory directly.

Defenders have been aware of BYOVD for years, but mitigating it at scale remains challenging. Driver Signature Enforcement (DSE) blocks unsigned or altered drivers, but it does not validate Certificate Revocation Lists (CRLs). "This limitation exists for practical reasons: drivers load early in the boot process before network services are available, and CRL checks would significantly impact boot performance. Even when a CRL is manually imported into local certificate storage, the kernel bypasses this check entirely," the researchers explained.

To address this gap, Microsoft maintains a Vulnerable Driver Blocklist. The approach has an inherent weakness: only drivers already identified as abusable are on it, leaving a window in which new or overlooked drivers can be exploited. Microsoft also keeps certain exceptions to preserve backward compatibility. "Drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed certificate authority are still permitted to load," the researchers noted. "The EnCase driver's certificate was issued on December 15, 2006, well before this cutoff."

Huntress believes the attackers' end goal was to deploy ransomware, but the campaign was stopped before reaching that stage.

To reduce risk, the researchers recommend enabling multi-factor authentication across all remote access services and closely reviewing VPN logs for unusual activity. Organizations should also enable Memory Integrity (HVCI), which enforces Microsoft's Vulnerable Driver Blocklist, watch for services masquerading as legitimate hardware components, and apply Windows Defender Application Control policies and the Attack Surface Reduction rule that blocks abuse of exploited vulnerable signed drivers.
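The trust rules spelled out in this article and in the Picus write-up above (DSE ignores revocation, the 29 July 2015 cross-signing cutoff, the Secure Boot and in-place-upgrade exceptions, and a blocklist that only bites where HVCI or WDAC enforces it) interact in ways that are easy to misjudge. The script below is an added example, not Huntress or Microsoft code, that encodes those stated rules as a decision function and runs a constructed driver inventory through three host configurations. It is a simplified model of the rules as the articles describe them, not a reimplementation of Windows code integrity; the driver names, dates and digests are invented.

```python
"""Model of the driver-trust rules described above (added example, not Windows code).

Encodes, as the articles state them:
  * Driver Signature Enforcement (DSE) rejects unsigned images but consults no
    CRL, so an expired or revoked signing certificate still loads.
  * A cross-signed end-entity certificate issued before 2015-07-29 that chains
    to a supported cross-signing CA is still accepted; later cross-signed
    certificates are accepted only when Secure Boot is off or the system was
    upgraded in place; otherwise Microsoft (Dev Portal / WHQL) signing is required.
  * The vulnerable driver blocklist stops a load only where it is enforced
    (HVCI / Memory Integrity or WDAC) and only for hashes already listed.
The inventory and host definitions are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CROSS_SIGN_CUTOFF = date(2015, 7, 29)


@dataclass(frozen=True)
class Driver:
    name: str
    sha256: str
    signed: bool
    chain: str                        # "microsoft" | "cross-signed" | "none"
    cert_issued: Optional[date] = None
    cert_revoked: bool = False        # recorded to show DSE does not act on it
    cert_expired: bool = False


@dataclass(frozen=True)
class Host:
    secure_boot: bool = True
    upgraded_in_place: bool = False
    blocklist_enforced: bool = False  # HVCI / Memory Integrity, or WDAC carrying the blocklist
    blocklist: frozenset = frozenset()


def load_decision(drv: Driver, host: Host) -> tuple:
    """Return (loads, reason), applying the checks in the order they apply."""
    if not drv.signed or drv.chain == "none":
        return False, "DSE: image is not signed"
    if drv.chain == "cross-signed":
        legacy_cert = drv.cert_issued is not None and drv.cert_issued < CROSS_SIGN_CUTOFF
        if not legacy_cert and host.secure_boot and not host.upgraded_in_place:
            return False, "DSE: cross-signed cert issued after cutoff; Microsoft signing required"
    elif drv.chain != "microsoft":
        return False, f"DSE: unknown signing chain {drv.chain!r}"
    # Revocation and expiry are deliberately not consulted: DSE performs no CRL check.
    if host.blocklist_enforced and drv.sha256 in host.blocklist:
        return False, "vulnerable driver blocklist: hash is listed"
    notes = []
    if drv.cert_revoked or drv.cert_expired:
        notes.append("certificate revoked/expired but not checked")
    if host.blocklist_enforced:
        notes.append("not on blocklist")
    return True, "loads" + (f" ({'; '.join(notes)})" if notes else "")


# Constructed inventory: digests are placeholders, names are hypothetical.
INVENTORY = [
    Driver("legacytool.sys", "aa" * 32, True, "cross-signed", date(2006, 12, 15),
           cert_revoked=True, cert_expired=True),        # EnCase-style legacy driver
    Driver("gamecheat.sys", "bb" * 32, True, "cross-signed", date(2014, 3, 1)),
    Driver("newvendor.sys", "cc" * 32, True, "cross-signed", date(2017, 6, 1)),
    Driver("whqltool.sys", "dd" * 32, True, "microsoft", date(2022, 1, 10)),
    Driver("homebrew.sys", "ee" * 32, False, "none"),
]
HOSTS = {
    "default": Host(),
    "secure_boot_off": Host(secure_boot=False),
    "hardened": Host(blocklist_enforced=True, blocklist=frozenset({"aa" * 32, "bb" * 32})),
}


def audit(inventory=INVENTORY, hosts=HOSTS) -> dict:
    """Map host name -> driver name -> (loads, reason)."""
    return {h: {d.name: load_decision(d, host) for d in inventory} for h, host in hosts.items()}


if __name__ == "__main__":
    for host_name, results in audit().items():
        print(f"== {host_name}")
        for drv_name, (loads, reason) in results.items():
            print(f"  {drv_name:16} {'LOAD ' if loads else 'BLOCK'} {reason}")
```

The run makes the two practical points concrete: on a default host the revoked 2006 certificate changes nothing, so the legacy driver loads alongside the current WHQL one, and on the hardened host the blocklist stops exactly the two hashes it knows about while a cross-signed driver not yet on the list is still only stopped because its certificate postdates the cutoff. A driver that is both pre-cutoff and unlisted loads everywhere, which is the window the articles describe.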

Attackers Exploit Revoked EnCase Driver to Disable Endpoint Security Using New EDR Killer Malware #BYOVDAttack #EDRkillermalware #EnCasedriverexploit

New Hacking Tool Lets Ransomware Groups Disable Security Systems

Cybersecurity researchers have discovered a new malicious tool designed to shut down security software so that attackers can operate without being detected. The tool, which appears to be an updated version of the older EDRKillShifter, is being used by at least eight separate ransomware groups. According to researchers at Sophos, these include RansomHub, BlackSuit, Medusa, Qilin, DragonForce, Crytox, Lynx and INC.

These groups use such tools to disable antivirus and Endpoint Detection and Response (EDR) software, which exists to detect and stop intrusions. Once those protections are switched off, the attackers can install ransomware, steal data, move laterally through the network and lock down devices.

How the Tool Works

The tool is heavily obfuscated to make it hard for security software to spot. It starts as packed code that unpacks itself in memory and is embedded in otherwise legitimate applications to avoid suspicion. It then looks for a specific driver file. The driver is digitally signed, so it appears to be safe software from a trusted company, but in this case the signature is stolen or outdated. If the driver matches a name hidden in the tool's code, the tool loads it into the operating system.

This is a Bring Your Own Vulnerable Driver (BYOVD) attack: by loading a driver with security weaknesses, the attackers gain kernel-level control of the system, including the ability to shut down security tools. The driver poses as a legitimate file, sometimes mimicking trusted products such as the CrowdStrike Falcon Sensor driver. Once active, it terminates the processes and services of security products from vendors including Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee and F-Secure.

Shared Development, Not Leaks

Sophos notes that although the tool appears in attacks by many different groups, this is not a case of one stolen copy being passed around. It appears to be a shared development effort, with each group using a slightly different build that changes driver names, targeted products or technical details. All versions use the same HeartCrypt packer to hide their code, suggesting close cooperation among the groups.

A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware ecosystem. Programs such as AuKill and AvNeutralizer have previously been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks. The discovery is a reminder that ransomware operators keep improving their methods and cooperate to overcome defenses; security teams need current protections and awareness to counter such coordinated threats.

New Hacking Tool Lets Ransomware Groups Disable Security Systems #BYOVDAttack #CyberCrime #DataStolen

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

It has been reported that threat actors have been actively exploiting a security vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks, elevating privileges and executing arbitrary code under the guise of…

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks #BYOVDAttack #CyberCrime #Cybersecurity
