This analysis examines a recent incident involving Qilin ransomware and highlights how the operators are evolving their tooling to evade Endpoint Detection and Response (EDR) systems. The attackers abused a previously undocumented vulnerable driver, TPwSav.sys, to disable EDR protections through the bring-your-own-vulnerable-driver (BYOVD) technique. The report details the entire attack chain, from initial compromise using stolen credentials to the final attempt at deploying ransomware, and emphasizes how rapid isolation of the impacted systems and a layered security approach thwarted the attackers. It also provides background on Qilin ransomware, its operation as a ransomware-as-a-service (RaaS), and its targeting patterns. The technical breakdown includes an examination of the EDR bypass technique and the customized version of the EDRSandblast tool used in the attack. Author: AlienVault
Related Tags:
T1562.002
BYOVD
Construction
T1059.001
T1133
raas
ransomware
T1078
T1486
Associated Indicators:
AEDDD8240C09777A84BB24B5BE98E9F5465DC7638BEC41FB67BBC209C3960AE1
011DF46E94218CBB2F0B8DA13AB3CEC397246FDC63436E58B1BF597550A647F6
08224E4C619C7BBAE1852D3A2D8DC1B7EB90D65BBA9B73500EF7118AF98E7E05
31.192.107.144
216.120.203.26
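The following triage helper is an added example, not part of the AlienVault pulse or the underlying report. It runs the pulse's indicators (the three SHA256 hashes, the two IPs, and the driver name TPwSav.sys) over constructed Sysmon-style events: Event ID 6 (driver loaded) and Event ID 3 (network connection). The pulse does not state which file each hash belongs to, so hashes are matched against any loaded driver rather than tied to a specific name. The "driver loaded from outside System32\drivers" check is a generic heuristic assumed here for BYOVD staging, not a detail taken from the report.

```python
"""Match Sysmon-style events against the Qilin/TPwSav.sys pulse indicators.

Added example: the event records below are constructed for illustration.
"""

# Indicators copied from the pulse above.
IOC_SHA256 = {
    "AEDDD8240C09777A84BB24B5BE98E9F5465DC7638BEC41FB67BBC209C3960AE1",
    "011DF46E94218CBB2F0B8DA13AB3CEC397246FDC63436E58B1BF597550A647F6",
    "08224E4C619C7BBAE1852D3A2D8DC1B7EB90D65BBA9B73500EF7118AF98E7E05",
}
IOC_IPS = {"31.192.107.144", "216.120.203.26"}
IOC_DRIVER_NAMES = {"tpwsav.sys"}

# Assumption (heuristic, not from the report): legitimate drivers normally
# live under this directory, so a load from elsewhere is worth a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_hashes(field):
    """Parse a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...' into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def triage_event(ev):
    """Return a list of human-readable findings for one event (empty if clean)."""
    findings = []
    eid = ev.get("EventID")
    if eid == 6:  # Sysmon: driver loaded
        image = ev.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if name in IOC_DRIVER_NAMES:
            findings.append(f"driver name matches pulse indicator: {name}")
        if sha256 in IOC_SHA256:
            findings.append(f"driver SHA256 matches pulse indicator: {sha256}")
        if not image.lower().startswith(DRIVER_DIR):
            findings.append("driver loaded from outside System32\\drivers (heuristic)")
    elif eid == 3:  # Sysmon: network connection
        ip = ev.get("DestinationIp", "")
        if ip in IOC_IPS:
            findings.append(f"connection to pulse indicator IP: {ip}")
    return findings


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=" + "00" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\TPwSav.sys",
     "Hashes": "SHA256=AEDDD8240C09777A84BB24B5BE98E9F5465DC7638BEC41FB67BBC209C3960AE1,"
               "MD5=" + "00" * 16},
    {"EventID": 3, "DestinationIp": "31.192.107.144", "DestinationPort": 443},
    {"EventID": 3, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def run(events=SAMPLE_EVENTS):
    """Triage every event; return {index: findings} for events with findings."""
    results = {}
    for idx, ev in enumerate(events):
        found = triage_event(ev)
        if found:
            results[idx] = found
    return results


if __name__ == "__main__":
    for idx, found in run().items():
        print(f"event {idx}:")
        for line in found:
            print(f"  - {line}")
```

Feed it real Sysmon exports by building the same dict shape from your log pipeline; the indicator sets are the only part that needs to change as the pulse is updated.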


