Ransomware Operators Abuse Signed Windows Drivers to Disable Security Software


Defense evasion has quietly become one of the most consequential stages of advanced cyber intrusions. As endpoint protections have grown harder to bypass, attackers stopped trying to hide and started switching defenses off.

In many modern ransomware attacks, disabling antivirus (AV) and endpoint detection and response (EDR) agents is now a standard step.

A single technique has risen to dominance: Bring Your Own Vulnerable Driver (BYOVD). Over the past three years BYOVD has spread widely.

Attackers drop legitimate, digitally signed kernel drivers that contain flaws, then exploit those flaws to gain control of the Windows kernel.

Once in the kernel, they operate with the highest privileges and can blind or kill the very products meant to stop them.

Windows separates software into user mode and kernel mode. User mode applications run with limits; kernel mode code runs with almost no restrictions.

A process running in kernel mode can read or change almost anything on the machine, including the internal data structures that security products use to observe system activity.

Third-party drivers are trusted by design. If an attacker already has administrator access on a machine, they can drop a signed but vulnerable driver and load it.

Windows accepts signed drivers and the kernel treats them as trusted. The attacker then sends specially crafted commands (IOCTLs) to the driver that trigger the vulnerability.

The driver then performs privileged actions on the attacker’s behalf, actions that ordinary programs cannot carry out.

Typical outcomes include forcibly killing AV/EDR processes, removing the permissions those agents need to operate, or tampering with kernel records so the security product no longer receives notifications about system events.

In practice, that can leave an endpoint appearing protected while it is effectively blind.

Ransomware Abuses Signed Drivers (Source: security)

Microsoft does not treat administrator-to-kernel as a security boundary for the NT kernel, so fixes for these abuses may arrive outside the standard vulnerability response process.

Kernel hardening helps, but it cannot be the primary defense against these active threats.


Reactive measures struggle. Microsoft’s Vulnerable Driver Blocklist prevents known drivers from loading, but there’s often a lag between discovery and blocklist deployment, and only a subset of drivers is ever blocklisted.

Signature-based detection also fails often: BYOVD tooling is quickly reimplemented in new languages or recompiled, changing hashes and evading static signatures.

Behavioral detection gives defenders a more resilient footing. Instead of only checking which drivers are present, it monitors how drivers are used, which reveals the malicious patterns.

Abnormal IOCTL traffic, such as requests to terminate security processes, remove callbacks, or strip handles, is suspicious regardless of which driver emits it.

Behavioral rules can flag or block attempts to use drivers to attack security agents, covering unknown or newly emerging vulnerable drivers immediately.
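To make the contrast between the two approaches concrete, here is an added example (not code from the original article or from any security vendor) that runs a reactive hash-blocklist check and a behavioral correlation rule over constructed Sysmon-style telemetry. It uses the real Sysmon event IDs 6 (DriverLoad) and 5 (ProcessTerminate) and Sysmon's `Hashes` field format, but every path, signer name, hash and process list in it is constructed or an assumption; the blocklist entry is a placeholder, not a real driver hash.

```python
"""Added example: a hash blocklist check versus a behavioral correlation rule,
run over constructed Sysmon-style events. Not the article's or any vendor's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Real Sysmon event IDs: 6 = DriverLoad, 5 = ProcessTerminate.
DRIVER_LOAD, PROCESS_TERMINATE = 6, 5

# Assumption: the defender maintains these for their own estate.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"
PROTECTED_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe", "csfalconservice.exe"}
# Constructed placeholder, not a real hash: stands in for one blocklist entry.
KNOWN_BAD_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_A_BLOCKLISTED_DRIVER"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: Dict[str, str]


def parse_sysmon_hashes(hashes: str) -> Dict[str, str]:
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into {ALGO: VALUE}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def blocklist_hits(events: List[Event]) -> List[str]:
    """Reactive check: driver loads whose SHA256 is on the blocklist.
    A recompiled or re-signed copy of the same driver has a new hash and is missed."""
    hits = []
    for ev in events:
        if ev.event_id != DRIVER_LOAD:
            continue
        sha256 = parse_sysmon_hashes(ev.fields.get("Hashes", "")).get("SHA256", "")
        if sha256 in KNOWN_BAD_DRIVER_SHA256:
            hits.append(ev.fields["ImageLoaded"])
    return hits


def is_unusual_driver_load(ev: Event) -> bool:
    """Third-party-signed driver loaded from outside the normal driver directory.
    Weak alone (many legitimate drivers are third-party signed), so it only serves
    as the precondition for the correlation below."""
    if ev.event_id != DRIVER_LOAD:
        return False
    path = ev.fields.get("ImageLoaded", "").lower()
    signer = ev.fields.get("Signature", "").lower()
    return not signer.startswith("microsoft") and not path.startswith(TRUSTED_DRIVER_DIR)


def correlate_driver_then_security_kill(events: List[Event],
                                        window: timedelta = timedelta(seconds=120)) -> List[dict]:
    """Behavioral rule: an unusual driver load followed within `window` by the
    termination of a protected security process. Fires whatever the driver's hash is."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for drv in (e for e in ordered if is_unusual_driver_load(e)):
        for ev in ordered:
            if ev.event_id != PROCESS_TERMINATE or not (drv.ts <= ev.ts <= drv.ts + window):
                continue
            if basename(ev.fields.get("Image", "")) in PROTECTED_PROCESSES:
                findings.append({
                    "driver": drv.fields["ImageLoaded"],
                    "signer": drv.fields.get("Signature", ""),
                    "killed": ev.fields["Image"],
                    "seconds_after_load": (ev.ts - drv.ts).total_seconds(),
                })
    return findings


# Constructed sample telemetry: a benign Microsoft driver, then a third-party-signed
# driver dropped under ProgramData (hash not on the blocklist), then the AV engine dies.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, DRIVER_LOAD, {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                            "Signed": "true", "Signature": "Microsoft Windows",
                            "Hashes": "SHA256=CONSTRUCTED_HASH_A,IMPHASH=CONSTRUCTED"}),
    Event(T0 + timedelta(seconds=5), DRIVER_LOAD, {"ImageLoaded": r"C:\ProgramData\Update\helper.sys",
                                                   "Signed": "true", "Signature": "Example Hardware Vendor Ltd",
                                                   "Hashes": "SHA256=CONSTRUCTED_RECOMPILED_COPY,MD5=CONSTRUCTED"}),
    Event(T0 + timedelta(seconds=9), PROCESS_TERMINATE, {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                                                         "ProcessId": "4321"}),
    Event(T0 + timedelta(seconds=30), PROCESS_TERMINATE, {"Image": r"C:\Windows\System32\notepad.exe",
                                                          "ProcessId": "5555"}),
]

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_EVENTS))
    for f in correlate_driver_then_security_kill(SAMPLE_EVENTS):
        print("behavioral finding:", f)
```

On the sample data the blocklist check returns nothing, because the dropped driver is a recompiled copy with a new hash, while the correlation rule reports the ProgramData driver load followed four seconds later by the termination of the protected process. One caveat worth designing around: Sysmon's Event 5 comes from the kernel process-notify callback, so if the attacker has already used the driver to remove callbacks the termination may never be logged. Pair this rule with an alert on the sensor going silent and with a standalone alert on rare signer-plus-path combinations for driver loads.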
