Qilin Ransomware Bypasses EDR with Driver Exploit: Stay Protected

The ransomware landscape is constantly evolving, with cybercriminals developing increasingly sophisticated techniques to evade security measures. One of the latest examples is the Qilin ransomware, which has been observed using a signed driver, tpwsav.sys, to disable Endpoint Detection and Response (EDR) solutions. This allows the ransomware to operate undetected, encrypting files and demanding a ransom.

Understanding the Qilin Ransomware Threat

Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) operation that has been active since mid-2022. It targets various sectors, including healthcare, education, and government, and is known for its aggressive tactics. The group's recent use of the tpwsav.sys driver highlights their commitment to bypassing security controls and maximizing their impact.

  • Qilin operates under a RaaS model, allowing affiliates to launch attacks.
  • It has been linked to attacks on critical infrastructure, including healthcare organizations.
  • The group is constantly evolving its tactics to evade detection.

How the tpwsav.sys Driver is Exploited

The tpwsav.sys driver is a legitimate, signed driver. Because it carries a valid signature, the operating system will load it, and Qilin then abuses the driver to disable or impair EDR functionality, allowing the ransomware to operate without being detected by security software. While specific technical details of the exploit are still emerging, the general approach involves:

  1. Loading the vulnerable driver.
  2. Using the driver's capabilities to terminate or bypass security processes.
  3. Encrypting files without interference from EDR.

Protecting Your Organization

The Qilin ransomware's use of the tpwsav.sys driver underscores the importance of a layered security approach. Relying on a single security solution is no longer sufficient. Here are some steps you can take to protect your organization:

  • Keep EDR solutions up to date: Ensure that your EDR software is running the latest version and has the most recent threat intelligence updates.
  • Implement application control: Restrict the execution of unauthorized software to prevent malicious drivers from being loaded.
  • Use multi-factor authentication (MFA): MFA adds an extra layer of security to prevent unauthorized access to systems and data.
  • Regularly back up your data: Backups are essential for recovering from ransomware attacks. Ensure that backups are stored offline and are regularly tested.
  • Train your employees: Educate employees about phishing and other social engineering tactics used by ransomware attackers.
  • Monitor for suspicious activity: Implement security monitoring tools to detect unusual behavior that may indicate a ransomware attack.
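As an added illustration of the monitoring step (not code from the article or from any EDR vendor), the following pass over constructed Sysmon-style "Driver Loaded" records flags the tpwsav.sys name, drivers loaded from user-writable directories, and unsigned drivers; the record format, the directory list and the vendor name in the sample are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed, Sysmon-style "Driver Loaded" (Event ID 6) records. The one-line
# format below is an assumption for this example, not real Sysmon output.
SAMPLE_LOG = """\
2024-01-10T08:01:12 EID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows
2024-01-10T08:02:40 EID=6 ImageLoaded=C:\\Users\\Public\\tpwsav.sys Signed=true Signature=ExampleVendor
2024-01-10T08:03:05 EID=6 ImageLoaded=C:\\Windows\\Temp\\helper.sys Signed=false Signature=
2024-01-10T08:04:00 EID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows
"""

# Driver names known to be abused for EDR tampering; tpwsav.sys comes from the
# article. In practice this set would be fed from a vulnerable-driver blocklist.
BLOCKED_DRIVERS = {"tpwsav.sys"}
# Directories a legitimate driver should not be loaded from (assumed for this example).
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EID=6 ImageLoaded=(?P<path>\S+) Signed=(?P<signed>\S+) Signature=(?P<signer>.*)$"
)

@dataclass
class Alert:
    ts: str
    path: str
    reason: str

def scan_driver_loads(log: str) -> list[Alert]:
    """Return one Alert per driver-load record that matches any detection rule."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in BLOCKED_DRIVERS:
            # The driver is validly signed, so a signature check alone would pass it.
            reasons.append("known-abused driver")
        if path.lower().startswith(SUSPICIOUS_DIRS):
            reasons.append("loaded from user-writable path")
        if m["signed"].lower() != "true":
            reasons.append("unsigned driver")
        if reasons:
            alerts.append(Alert(m["ts"], path, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for a in scan_driver_loads(SAMPLE_LOG):
        print(f"{a.ts} {a.path}: {a.reason}")
```

Matching on a file name is the weakest of the three rules, since the attacker controls it; a production rule would also match the driver's hash against a blocklist.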

Key Takeaways

The Qilin ransomware's use of the tpwsav.sys driver is a reminder that cybercriminals are constantly finding new ways to bypass security controls. By staying informed about the latest threats and implementing a layered security approach, organizations can significantly reduce their risk of falling victim to ransomware attacks.