For a lot of businesses, antivirus still feels like the
safety net. Install the tool, keep it updated, and trust that it will catch
what matters.
That used to be a more comfortable assumption.
Today's ransomware operators are not just trying to sneak past security tools. They are trying to shut those tools off before the real damage begins. Recent reporting and threat research show two separate ransomware operations, Qilin and Warlock, using a tactic called Bring Your Own Vulnerable Driver, or BYOVD, to disable endpoint detection and response (EDR) tools early in the attack chain. In Qilin-related activity, reporting that cites Cisco Talos and Trend Micro described malware capable of terminating more than 300 EDR drivers, and Cisco Talos found that, across multiple Qilin ransomware cases, the ransomware itself executed on average about six days after the initial compromise.
That delay is not idle time. It gives attackers room to move quietly, expand access, and set the stage for a much bigger impact.
That is the part many businesses miss: ransomware is no longer a last-minute encryption event. It is a campaign, and by the time files are locked, the real failure happened days earlier.
What BYOVD Means in Plain English
BYOVD sounds technical, but the idea is simple.
Attackers bring their own copy of a legitimate, validly signed driver that has a known security flaw, install it on a machine where they already hold administrator rights, and then trigger the flaw. Because driver code runs inside the Windows kernel, a vulnerable driver hands the attacker the power to interfere with security controls that would normally stop them, including terminating EDR processes that ordinary administrator tools cannot kill. In the Qilin and Warlock activity described by recent researchers, these drivers were used to kill or weaken protective tools so the attackers could operate with less resistance.
Two details matter for defenders. First, the driver is not malware in the usual sense: it is a real vendor's file with a real signature, so a check that only asks "is this file signed?" will wave it through. Second, the technique only works once the attacker already has administrator access, which makes the earlier stages of the intrusion the better place to catch it.
In other words, the criminals are not always trying to beat the alarm. Sometimes they are walking in and cutting the wires first.
That changes the conversation for business leaders. If
protection begins and ends with an off-the-shelf antivirus tool, that business
may be relying on a single layer against an attacker who already knows how to
neutralize single layers.
Why Traditional Antivirus Alone Is Not Enough
Traditional antivirus still has value, but it was never
designed to carry the full weight of modern ransomware defense on its own.
Sophisticated ransomware groups now use stolen
credentials, DLL sideloading, vulnerable drivers, remote admin tools, lateral
movement frameworks, and data exfiltration utilities as part of a broader
operation. The encryption payload is only one piece of the story. In the
Warlock activity reported by Trend Micro, researchers also saw tools for
persistence, tunneling, lateral movement, and data theft.
That means businesses need to stop asking, "Do we have
antivirus?"
The better question is, "What happens if an attacker gets
around it?"
That is where mature ransomware defense starts to look
different.
What Stronger Ransomware Defense Actually Looks Like
A real defense is layered. It assumes attackers will keep
evolving and builds friction at every stage of the attack.
1. Layered Endpoint Protection
A stronger stack does not depend on one vendor, one alert, or one detection method. It combines preventive controls, detection capabilities, and policy enforcement, so one missed signal does not become a full-blown incident. Zero-trust practices, which verify every access request instead of trusting anything simply because it is already inside the network, are becoming essential in a layered security model.
2. Strict Driver Controls
If attackers are abusing vulnerable drivers, driver governance matters. Recent guidance tied to these BYOVD attacks recommends allowing only signed drivers from explicitly trusted publishers, monitoring driver installation events, and maintaining strong patching practices for software with driver-based components. The caveat is that the drivers abused in BYOVD attacks already carry valid signatures, so a policy that merely requires a signature does not stop them. The control has to name which publishers are trusted, or block the specific drivers known to be vulnerable, and it should be paired with an alert on any driver that loads from somewhere other than the normal Windows driver directory.
3. Behavior-Based Monitoring
Modern attacks do not always announce themselves with obvious malware signatures. They often show up first as suspicious behavior: unusual privilege escalation, abnormal service creation, unexpected driver loading, or activity that suggests lateral movement. Behavior-based monitoring helps catch what signature-based tools alone can miss, and it is the layer most likely to notice a BYOVD attempt, because the driver itself looks legitimate while the sequence around it (a new kernel-mode service registered from a user-writable folder, followed by security processes dying) does not. Cisco Talos and Trend Micro both emphasize the sophistication of the evasion and defense-disabling techniques seen in these campaigns.
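Items 2 and 3 above come down to the same two event streams on a Windows host: who registered a driver service, and what driver the kernel actually loaded. The following Python is an added example written for this post, not code from Cisco Talos, Trend Micro, or the original author. It applies the checks described above to constructed JSON exports of Sysmon Event ID 6 (Driver loaded) and System log Event ID 7045 (A service was installed). The publisher allowlist, the blocklist hash, and the five sample events are assumptions made for the example; a real deployment would load Microsoft's vulnerable driver blocklist or the LOLDrivers list and an allowlist built from a baseline of known-good hosts.

```python
"""Driver-load triage over Windows driver and service events.

Added example for this post, not tooling from Cisco Talos, Trend Micro or
the original author. Assumes events exported as one JSON object per line
(e.g. from a SIEM) using the field names Sysmon emits for Event ID 6 and
the System log emits for Event ID 7045. Blocklist hash, trusted publishers
and sample events are constructed stand-ins.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumption: only these publishers may load kernel drivers in this fleet.
TRUSTED_PUBLISHERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Constructed SHA256 value standing in for a real vulnerable-driver feed.
KNOWN_VULNERABLE_SHA256 = {
    "3f8d2c7b9a1e4d6c0b5f7a2e9c1d4b6a8e0f2c4d6b8a0e2f4c6d8b0a2e4f6c8d",
}

# A driver's normal home is %SystemRoot%\System32\drivers. Loading one from a
# user-writable location is the BYOVD staging tell.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass
class Finding:
    severity: str  # critical / high / medium / low
    reason: str
    path: str


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {algo: hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_user_writable_path(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def triage_driver_load(ev: dict) -> Finding | None:
    """Sysmon Event ID 6: a driver was loaded into the kernel."""
    path = ev.get("ImageLoaded", "")
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    # A hash hit is the cheapest, highest-confidence signal...
    if sha256 in KNOWN_VULNERABLE_SHA256:
        return Finding("critical", "driver hash is on the vulnerable-driver blocklist", path)
    # ...but every build of a driver has its own hash, so signer and path are checked too.
    if str(ev.get("Signed", "")).lower() != "true" or ev.get("SignatureStatus") != "Valid":
        return Finding("high", "driver is unsigned or its signature is invalid", path)
    if ev.get("Signature") not in TRUSTED_PUBLISHERS:
        return Finding("medium", "validly signed driver from a publisher outside the allowlist", path)
    if in_user_writable_path(path):
        return Finding("medium", "trusted-publisher driver loaded from a user-writable path", path)
    return None


def triage_service_install(ev: dict) -> Finding | None:
    """System Event ID 7045: a service was installed. BYOVD registers the dropped
    driver as a kernel-mode driver service before starting it; that step is logged."""
    if "kernel" not in str(ev.get("ServiceType", "")).lower():
        return None  # user-mode services are out of scope for this rule
    name, path = ev.get("ServiceName", "?"), ev.get("ImagePath", "")
    if in_user_writable_path(path):
        return Finding("high", f"kernel driver service {name!r} registered from a user-writable path", path)
    return Finding("low", f"kernel driver service {name!r} registered; confirm against change records", path)


def triage(lines) -> list[Finding]:
    """Route each JSON event line to its rule; return findings in event order."""
    findings: list[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, channel = int(ev.get("EventID", 0)), ev.get("Channel", "")
        if eid == 6 and channel == "Microsoft-Windows-Sysmon/Operational":
            finding = triage_driver_load(ev)
        elif eid == 7045 and channel == "System":
            finding = triage_service_install(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: a BYOVD staging sequence mixed with benign noise.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "hwmon",
     "ImagePath": "\\??\\C:\\ProgramData\\hw\\sensor.sys", "ServiceType": "kernel mode driver"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\ProgramData\\hw\\sensor.sys",
     "Hashes": "SHA256=3f8d2c7b9a1e4d6c0b5f7a2e9c1d4b6a8e0f2c4d6b8a0e2f4c6d8b0a2e4f6c8d,MD5=0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     "Signed": "true", "Signature": "Example Hardware Co", "SignatureStatus": "Valid"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=7c1a9e3b5d2f8c4e6a0b1d3f5c7e9a2b4d6f8c0e1a3b5d7f9c2e4a6b8d0f1c3e",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\Users\\Public\\sensor2.sys",  # other build of the driver: new hash, same signer
     "Hashes": "SHA256=9b4e2d6f1a8c3e5b7d0f2a4c6e8b1d3f5a7c9e0b2d4f6a8c1e3b5d7f9a2c4e6b",
     "Signed": "true", "Signature": "Example Hardware Co", "SignatureStatus": "Valid"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "UpdateAgent",
     "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "ServiceType": "user mode service"},
]
SAMPLE_LINES = [json.dumps(event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"[{finding.severity.upper():8}] {finding.reason}: {finding.path}")
```

Run against the sample, three findings come out in event order: the kernel-mode service registered from ProgramData, the blocklisted driver loading, and a second build of the same driver whose hash is not on the list but whose signer is not one the fleet trusts. That last case is why the hash list is the first check rather than the only one. The Microsoft-signed driver loading from the system driver directory and the ordinary user-mode service produce nothing, which is the point: the rule is meant to stay quiet on a healthy host.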
4. Immutable Backups
Backups matter, but not all backups are
equal. If attackers can alter or delete them, they may not be there when the
business needs them most. Immutable backups create a much stronger recovery
position by making backup data resistant to tampering.
5. Rapid Response
When Talos observed that Qilin ransomware execution often
happened days after the first compromise, the lesson was clear: speed matters
before encryption ever begins. The earlier suspicious behavior is investigated
and contained, the lower the odds that an attacker gets the time needed to
spread and do lasting damage.
The Bigger Lesson: Threats Are Getting More Aggressive Across the Board
Businesses should also pay attention to the broader threat
landscape, not just ransomware headlines. This week, US agencies warned that Iranian-affiliated cyber actors
targeted programmable logic controllers across US critical infrastructure, including energy and
water sectors, and said some incidents resulted in operational disruption and
financial loss. That campaign is different from ransomware, but the message is
the same: attackers are becoming more intentional, more disruptive, and more
willing to go after the systems organizations depend on most.
For business leaders, that is the real takeaway. Cyber threats are not staying in one lane. The playbooks are expanding, the methods are getting bolder, and defenses have to evolve with them.
What an MSP Should Be Doing Differently
This is where the right managed services partner makes a
real difference.
A strong MSP does more than install tools and wait for alerts. It helps
businesses build a practical security posture around the way real attacks
unfold. That includes:
- Layering endpoint protection
instead of relying on one control
- Locking down driver and
application behavior
- Watching for suspicious activity,
not just known malware
- Protecting backups from tampering
- Responding quickly when early
indicators appear
- Reducing the time attackers have
to move, hide, and escalate
That approach is stronger because it is built for reality.
It recognizes that ransomware is not just a software problem. It is an
operations problem, a visibility problem, and a response problem.
A Simple Ransomware Readiness Checklist
Not every business needs a giant security overhaul to start
improving. A few practical questions can reveal whether serious gaps exist.
Ransomware Readiness Checklist
- Are only approved and trusted
drivers allowed on business systems?
- Is there visibility into unusual
driver installs, service creation, or privilege escalation?
- Are endpoint protections layered,
or is protection mostly dependent on one tool?
- Are backups immutable and
regularly tested for recovery?
- Are critical systems patched on a
disciplined schedule?
- Is there a clear plan for rapid
containment if suspicious activity appears?
- Has the business reviewed whether
stolen credentials could be used to gain initial access?
- Are users, admins, and vendors
all operating with the minimum access they actually need?
If too many of those answers are unclear, that is the
problem.
Because uncertainty is exactly what attackers count on.
The Bottom Line
Businesses do not need more noise. They need a defense
strategy that matches the way threats work now.
Ransomware groups are actively finding ways to blind
traditional security tools before launching the attack that gets all the
attention. That means businesses need more than antivirus. They need layered
protection, strict controls, better monitoring, resilient backups, and a
response plan that moves fast.
The good news is that ransomware readiness is not out of reach. But it does require looking beyond the checkbox and asking whether the environment is truly built to withstand a modern attack.
Want to know how prepared the business really is? Schedule a free cybersecurity assessment to identify weak points,
review backup resilience, and build a smarter defense before an attacker finds
the gaps first.
Citations:
Greenberg, A. (2026, April 7). Iran-Linked Hackers Are Sabotaging U.S. Energy and Water Infrastructure. Wired. https://www.wired.com/story/iran-linked-hackers-are-sabotaging-us-energy-and-water-infrastructure/
Lakshmanan, R. (2026, April 6). Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools. The Hacker News. https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html?m=1
Nutland, J., Takeda, T., Unterbrink, H., & Khodjibaev, A. (2026, April 2). An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases. Cisco Talos Blog. https://blog.talosintelligence.com/an-overview-of-ransomware-threats-in-japan-in-2025-and-early-detection-insights-from-qilin-cases/