Qilin and Warlock Ransomware: How BYOVD and Delayed Stages Blind EDR — And Why AppGuard Stops Them Early
Imagine a security guard sitting in a control room watching dozens of camera feeds. Suddenly the cables are ripped out and the guard is removed from the room. This is exactly what Qilin and Warlock ransomware do today. Both families use Bring Your Own Vulnerable Driver (BYOVD) techniques to disable EDR tools at the kernel level, then insert long delays before encryption. AppGuard has been warning people for years that delayed stages can evade EDR/XDR and/or SIEM detection. These campaigns show why that warning matters — and why a controls-based layer is essential.
The Attack Sequences
The table below breaks down the key stages of each campaign using a clear Actor → Target → Action (ATA) format. Placeholders for the full UML sequence diagrams are included after the table.
Legend
- dropper.exe = C:\Users\[user]\Downloads\dropper.exe (initial loader on source endpoint)
- legit_app.exe = C:\Program Files\FoxitPDFReader\FoxitPDFReader.exe (legitimate signed application)
- mal_dll.dll = C:\Users\[user]\Downloads\msimg32.dll (malicious side-loaded DLL)
- loader_stageN.exe = In-memory loader component
- service.exe [BYOVD driver] = Vulnerable kernel driver (e.g. C:\Windows\Temp\rwdrv.sys, hlpdrv.sys, or NSecKrnl.sys)
- psexec.exe [Source] = PsExec running on the initial compromised endpoint
- psexec.exe [Target] = PsExec service created on the remote endpoint
- tightvnc.exe = C:\ProgramData\tightvnc.exe (remote access tool)
- ransomware.exe = Dormant ransomware payload (location clarified per row)
ATA Table – Qilin vs. Warlock

| Stage / Phase | Qilin ATA (EDR Killer via msimg32.dll) | Warlock ATA (SharePoint + BYOVD) |
|---|---|---|
| Initial Drop of Malicious DLL | Actor: dropper.exe<br>Target: High-risk folder<br>Action: Writes mal_dll.dll to disk | Actor: dropper.exe<br>Target: High-risk/temp folder<br>Action: Written to disk and executed |
| Legitimate App Performs DLL Load | Actor: legit_app.exe<br>Target: mal_dll.dll<br>Action: Loads DLL via search-order side-loading | (No equivalent side-loading step) |
| Malicious DLL Code Executes | Actor: legit_app.exe (executing mal_dll.dll code)<br>Target: Real system msimg32.dll<br>Action: Forwards legitimate API calls + runs malicious DllMain | Actor: dropper.exe<br>Target: Local system resources<br>Action: Executes and stages components |
| In-Memory Payload Staging | Actor: legit_app.exe (executing loader code)<br>Target: Memory of legit_app.exe<br>Action: Decrypts and reflective-loads EDR-killer payload | Actor: dropper.exe<br>Target: Memory of loader process<br>Action: Stages payloads in memory |
| Vulnerable Driver Write | Actor: EDR-killer component<br>Target: C:\Windows\Temp\<br>Action: Writes vulnerable drivers | Actor: EDR-killer component<br>Target: C:\Windows\Temp\<br>Action: Writes NSecKrnl.sys |
| Registry Service Creation | Actor: EDR-killer component<br>Target: `HKLM\SYSTEM\CurrentControlSet\Services\<DriverName>`<br>Action: Creates/alters service key | Actor: EDR-killer component<br>Target: `HKLM\SYSTEM\CurrentControlSet\Services\<DriverName>`<br>Action: Creates/alters service key |
| Driver Load into Kernel | Actor: Registered kernel service<br>Target: Windows kernel<br>Action: Loads service.exe [BYOVD driver] | Actor: Registered kernel service<br>Target: Windows kernel<br>Action: Loads service.exe [BYOVD driver] |
| EDR Blinding / Termination | Actor: service.exe [BYOVD driver]<br>Target: ~300 EDR processes + ETW callbacks<br>Action: Unregisters callbacks + terminates EDR | Actor: service.exe [BYOVD driver]<br>Target: EDR processes/services<br>Action: Terminates or disables EDR |
| Lateral Movement – PsExec (Source) | (No lateral movement via PsExec) | Actor: psexec.exe [Source]<br>Target: Remote registry<br>Action: Creates service key |
| Lateral Movement – PsExec (Target) | (No lateral movement via PsExec) | Actor: psexec.exe [Target]<br>Target: Remote machine<br>Action: Executes payload |
| Lateral Movement – TightVNC | (No lateral movement via TightVNC) | Actor: tightvnc.exe<br>Target: Remote machine<br>Action: Establishes remote session |
| Post-Blinding Actions | Actor: ransomware.exe (source endpoint)<br>Target: Files / shadow copies (after 6-day delay)<br>Action: Encryption | Actor: ransomware.exe (target endpoint)<br>Target: Files / network shares (after delay)<br>Action: Encryption |
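The Vulnerable Driver Write, Registry Service Creation and Driver Load rows are the stages a defender can correlate in endpoint telemetry long before the delayed encryption stage runs. The script below is an added example written for this post and is not code from the post or from AppGuard: it correlates constructed Sysmon-style events (file create, registry ImagePath set, driver load) into a per-driver chain, flags drivers staged under C:\Windows\Temp or user-writable folders, and matches the driver names given in the legend. The key=value log format, the sample lines, the directory list, the handling of `\SystemRoot` and the scoring weights are all assumptions made for the example.

```python
"""Correlate Sysmon-style events into a BYOVD staging chain (added example).

Constructed sample events (not real telemetry) mimic three rows of the ATA
table: a .sys file written to C:\\Windows\\Temp, a Services registry key whose
ImagePath points at it, and the driver loading into the kernel. Log format,
directory list and scoring weights are assumptions, not AppGuard's logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver names listed in the legend of the post (compared case-insensitively)
KNOWN_BYOVD_NAMES = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys"}
# Locations a production kernel driver has no business loading from (assumption)
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"

# Constructed events in a simplified key=value form; values with spaces are quoted.
# Event IDs follow Sysmon: 11 = FileCreate, 13 = RegistryValueSet, 6 = DriverLoad.
SAMPLE_EVENTS = [
    r'EventID=11 Image=C:\Users\alice\Downloads\dropper.exe TargetFilename=C:\Windows\Temp\NSecKrnl.sys',
    r'EventID=13 Image=C:\Users\alice\Downloads\dropper.exe TargetObject=HKLM\System\CurrentControlSet\Services\NSecKrnl\ImagePath Details=\??\C:\Windows\Temp\NSecKrnl.sys',
    r'EventID=6 ImageLoaded=C:\Windows\Temp\NSecKrnl.sys Signed=true Signature="Some Vendor Ltd"',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature="Microsoft Windows"',
    r'EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Downloads\report.pdf',
    r'EventID=11 Image="C:\Program Files\FoxitPDFReader\FoxitPDFReader.exe" TargetFilename=C:\Windows\Temp\rwdrv.sys',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def norm_path(p: str) -> str:
    """Lower-case a path and strip NT-style prefixes so the file, registry and
    driver-load events that refer to the same driver compare equal."""
    p = p.strip().strip('"').lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.startswith("\\systemroot\\"):  # ImagePath values often use this form (assumes C:\Windows)
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p


@dataclass
class DriverChain:
    path: str
    written_by: Optional[str] = None   # process that dropped the .sys file
    service_key: Optional[str] = None  # Services\<name>\ImagePath pointing at it
    loaded: bool = False               # kernel actually loaded it

    @property
    def in_suspicious_dir(self) -> bool:
        return self.path.startswith(SUSPICIOUS_DIRS)

    @property
    def known_name(self) -> bool:
        return self.path.rsplit("\\", 1)[-1] in KNOWN_BYOVD_NAMES

    @property
    def score(self) -> int:
        """Weighted sum of observed stages; the weights are an assumption."""
        score = 0
        if self.known_name:
            score += 2
        if self.in_suspicious_dir:
            score += 1
        if self.written_by is not None:
            score += 1
        if self.service_key is not None:
            score += 1
        if self.loaded:
            score += 2
        return score


def correlate(lines: List[str]) -> Dict[str, DriverChain]:
    """Group events by normalised driver path and record which stages occurred."""
    chains: Dict[str, DriverChain] = {}
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "11" and ev.get("TargetFilename", "").lower().endswith(".sys"):
            path = norm_path(ev["TargetFilename"])
            chains.setdefault(path, DriverChain(path)).written_by = norm_path(ev.get("Image", ""))
        elif eid == "13":
            target = ev.get("TargetObject", "").lower()
            if target.startswith(SERVICES_PREFIX) and target.endswith("\\imagepath"):
                path = norm_path(ev.get("Details", ""))
                chains.setdefault(path, DriverChain(path)).service_key = ev["TargetObject"]
        elif eid == "6" and "ImageLoaded" in ev:
            path = norm_path(ev["ImageLoaded"])
            chains.setdefault(path, DriverChain(path)).loaded = True
    return chains


def find_byovd_chains(lines: List[str], min_score: int = 3) -> List[DriverChain]:
    """Return suspicious driver chains, highest score first."""
    hits = [c for c in correlate(lines).values() if c.score >= min_score]
    return sorted(hits, key=lambda c: c.score, reverse=True)


if __name__ == "__main__":
    for chain in find_byovd_chains(SAMPLE_EVENTS):
        stage = "LOADED" if chain.loaded else "staged, not yet loaded"
        print(f"[score {chain.score}] {chain.path}: {stage}; "
              f"dropped by {chain.written_by}; service key {chain.service_key}")
```

On the constructed sample, NSecKrnl.sys scores highest because every stage of the chain is present (written to Temp, registered as a service, loaded), while rwdrv.sys is reported on the strength of the write alone, which is the point: the staged-but-not-yet-loaded driver is the signal to act on before the EDR is blinded. The legitimate tcpip.sys load falls below the threshold.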
How AppGuard Stops These Attacks Early
AppGuard’s controls-based protection works at the endpoint level with three simple but powerful controls: launch, contain, and isolate. Together, these layered defenses stop both Qilin and Warlock attacks in multiple ways.
- Launch: AppGuard stops both families by preventing the malicious files cited above from launching or loading from high-risk folders.
- Contain: If a variant should achieve runtime differently — for example, by hijacking a legitimate app such as Chrome — AppGuard would block the malicious actions the hijacked process attempts outside its allowed enclave.
- Isolate: If the attack somehow got past both the launch and contain controls, AppGuard isolation would still stop both attacks by protecting critical registry keys and objects so the compromised process cannot alter them.
Because AppGuard stops the attack at the earliest stages — before any vulnerable driver loads and before any EDR blinding occurs — the attackers’ delayed-stage tactic never gets a chance to matter. The EDR/XDR tools continue sending normal heartbeats, and the ransomware payload never reaches the encryption phase. Additional protection policies can be applied that specifically protect the EDR as well as protect dependent resources such as Windows Event telemetry settings.
This is why organizations running AppGuard alongside their existing detection tools see dramatically fewer successful malware incidents and far less operational chaos.
Ready to add the missing layer that stops what detection misses?
Contact our team at sales@appguard.us or visit www.appguard.us to learn how AppGuard can protect your endpoints today.