Let’s get one thing straight: if your EDR is your last line of defense, you’ve already lost. The Gentlemen — a ransomware-as-a-service crew that barely existed six months ago — just demonstrated that in the most painfully public way possible. They’re running a database of 14,700 compromised FortiGate devices, walking past authentication with CVE-2024-55591, and then — the cherry on top — unloading your endpoint detection at the kernel level using a technique that’s been documented since 2021. BYOVD. Bring Your Own Vulnerable Driver.

And your organization is probably still not ready for it.


1. What BYOVD Actually Is (And Why Everyone Gets It Wrong)

Half the industry treats BYOVD like it’s some exotic APT technique reserved for nation-state actors. It isn’t. It’s the abuse of a legitimate, signed Windows driver — usually pulled from a vendor like GIGABYTE, Micro-Star, or any number of hardware OEMs — that contains a known vulnerability exposing kernel-level read/write primitives to whoever can open its device.

Here’s the attack flow in plain English:

  1. Attacker, already holding local admin (loading a driver requires that privilege), drops a known-vulnerable, legitimately-signed driver onto disk.
  2. Windows loads it without complaint — it’s signed, after all.
  3. Attacker exploits the driver’s vulnerability to get kernel-level access.
  4. With kernel access, they enumerate and terminate EDR/AV processes from below — a layer the security tools themselves cannot see.
  5. Ransomware deploys in a now-naked environment.

The reason this works is structural. Windows allows loading signed drivers. Old drivers with CVEs don’t get revoked quickly, or at all. And once you’re in kernel space, you’re God. Your EDR, your antivirus, your fancy behavioral engine — their agents all run in userland, and their kernel-mode components are only callbacks that code running at the same ring can unregister. You terminate them from kernel and they can’t fight back. They don’t even know what happened.


2. The Gentlemen RaaS: A Case Study in How Fast This Scales

Group-IB dropped their analysis of “The Gentlemen” this week and the numbers are alarming. This group is barely 8 months old. They emerged from a payment dispute on the RAMP cybercrime forum — their operator literally complained that Qilin ransomware stiffed them $48k in affiliate commissions — and within months they’re running a full RaaS operation hitting 94+ organizations.

Their kill chain:

  • Initial Access: CVE-2024-55591 (FortiOS/FortiProxy auth bypass) — they have a pre-built database of 14,700 exploited devices and 969 validated brute-forced VPN creds, ready to deploy.
  • Privilege Escalation: Standard post-exploitation tooling.
  • Defense Evasion: BYOVD to kill security processes at kernel level.
  • Impact: Ransomware deployment in a now-defenseless environment.

The fact that a group this new is already running BYOVD at scale should terrify you. This technique has moved from “nation-state TTPs” to “RaaS affiliate starter pack” in under three years.

Reynolds ransomware, documented in February 2026, used the same technique — embedding a vulnerable driver directly in the ransomware binary. BYOVD isn’t a bonus feature anymore; it’s table stakes.


3. The Vendor Ecosystem Is Broken and Nobody Wants to Say It

Here’s the controversial take: the Windows driver signing ecosystem is fundamentally broken for security purposes.

Microsoft runs a blocklist — the Vulnerable Driver Blocklist — for drivers known to be abused in BYOVD attacks. It’s updated periodically. The problem? Attackers update their driver inventory faster. By the time a driver gets added to the blocklist, it’s already been used in a dozen campaigns. Variants and older versions slip through constantly.

Worse, enterprise environments routinely have exceptions and legacy hardware that require older drivers to function. Your industrial control system’s HMI running on Windows 10 with a 2019 SCADA driver isn’t getting updated. Ever. And that driver might be on the BYOVD hit list.

The underlying issue: Microsoft cannot revoke driver signing certificates retroactively without potentially breaking legitimate hardware. This is a genuine dilemma and not one that has a clean solution. But let’s stop pretending the current blocklist approach is adequate. It isn’t.


4. What Red Teamers Need to Know Right Now

If you’re doing red team engagements and not including BYOVD in your evasion toolkit in 2026, you’re not simulating realistic threats.

The practical red team flow:

  • Use LOLDrivers.io to find drivers with known kernel exploitation primitives.
  • Tools like KDMapper (for manual mapping) or purpose-built BYOVD loaders handle the driver loading step.
  • Once in kernel, EDR termination is typically done by hunting object callbacks registered through ObRegisterCallbacks, removing callbacks registered by security products, or directly killing their processes from kernel context.
  • The gold standard right now is targeting the minifilter callbacks that EDRs use for filesystem monitoring — remove those and file-based detections go blind.

What defenders can actually do:

  • Enable HVCI (Hypervisor-Protected Code Integrity) — it enforces kernel code integrity from the hypervisor, so unsigned drivers don’t load, and on current Windows 11 builds turning it on also turns on the vulnerable driver blocklist. Yes, it has compatibility issues. Deal with them.
  • Audit your attack surface with Sigcheck and DriverQuery (driverquery /si reports signature status) regularly. Know what’s loaded.
  • Subscribe to Microsoft’s WDAC policy updates and actually apply the vulnerable driver blocklist.
  • Monitor for rare driver loads — your production environment shouldn’t be loading GIGABYTE OC SDK drivers at 2 AM.
  • Implement kernel tamper protection — CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint all have kernel-protection modes that are harder (not impossible) to defeat.
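The blocklist point in section 3 and the “monitor for rare driver loads” advice above come down to the same triage logic: score every driver-load event against a vulnerable-driver list, the signature state, a baseline of what normally loads, where it loaded from, and when. The following is an added example written for this page, not code from the original post, Group-IB, LOLDrivers or any EDR vendor. It consumes records shaped like Sysmon Event ID 6 (DriverLoad) fields; the flat Key=Value|Key=Value record format, the placeholder hashes, the baseline set, the trusted directories and the business-hours window are all constructed assumptions, and a real deployment would feed it the real blocklist and its own baseline.

```python
# Added example: BYOVD-oriented triage of Windows driver-load events.
# Record format, hashes, baseline and hours are constructed for the example.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DriverLoad:
    utc_time: datetime
    image_loaded: str      # full path, normalised to lower case
    hashes: dict           # algorithm -> hex digest, as Sysmon's Hashes field lists them
    signed: bool
    signature: str         # signer name as reported
    signature_status: str  # "Valid", "Invalid", "Unavailable", ...


# CONSTRUCTED placeholder digests standing in for entries from LOLDrivers or the
# Microsoft Vulnerable Driver Blocklist; a real deployment loads the real lists.
VULNERABLE_DRIVER_SHA256 = {
    "a" * 64: "placeholder OEM overclocking driver",
    "b" * 64: "placeholder OEM firmware-flash driver",
}

# CONSTRUCTED baseline of driver images this environment is known to load.
BASELINE_IMAGES = {
    "c:\\windows\\system32\\drivers\\ntfs.sys",
    "c:\\windows\\system32\\drivers\\tcpip.sys",
    "c:\\windows\\system32\\drivers\\wdfilter.sys",
}

# Assumptions: drivers normally live here and normally load during these UTC hours.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
BUSINESS_HOURS_UTC = range(7, 19)


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one 'Key=Value|Key=Value' record (constructed flattening of the Sysmon
    Event 6 fields). Only the first '=' per part splits key from value, so the
    'SHA256=...,MD5=...' Hashes value survives intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    hashes = {}
    for entry in fields["Hashes"].split(","):
        algo, _, digest = entry.partition("=")
        hashes[algo.strip().upper()] = digest.strip().lower()
    return DriverLoad(
        utc_time=datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
        image_loaded=fields["ImageLoaded"].lower(),
        hashes=hashes,
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def triage(event: DriverLoad, baseline=BASELINE_IMAGES) -> list:
    """Return the reasons this load deserves attention; empty means routine."""
    reasons = []
    sha256 = event.hashes.get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver list: " + VULNERABLE_DRIVER_SHA256[sha256])
    if not event.signed or event.signature_status.lower() != "valid":
        reasons.append(f"signature not valid (signed={event.signed}, status={event.signature_status})")
    if event.image_loaded not in baseline:
        reasons.append("driver image never seen in baseline")
    if not event.image_loaded.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if event.utc_time.hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"loaded off-hours at {event.utc_time:%H:%M} UTC")
    return reasons


def severity(reasons: list) -> str:
    """A blocklist hit is critical on its own: a validly signed, well-known driver
    is exactly what BYOVD looks like. Otherwise stack the weaker signals."""
    if any(r.startswith("hash on vulnerable-driver list") for r in reasons):
        return "critical"
    if len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "info"


def triage_log(lines) -> list:
    """Score every record and return (image, severity, reasons) tuples."""
    out = []
    for event in map(parse_driver_load, lines):
        reasons = triage(event)
        out.append((event.image_loaded, severity(reasons), reasons))
    return out


# CONSTRUCTED sample records: a routine load, a BYOVD-shaped load of a validly
# signed OEM driver from a user-writable path at 02:14, and an unsigned driver.
SAMPLE_EVENTS = [
    "UtcTime=2026-03-19 09:12:44.101|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys"
    "|Hashes=SHA256=" + "c" * 64 + ",MD5=" + "d" * 32
    + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "UtcTime=2026-03-19 02:14:07.553|ImageLoaded=C:\\Users\\Public\\oemtool.sys"
    "|Hashes=SHA256=" + "a" * 64 + ",MD5=" + "e" * 32
    + "|Signed=true|Signature=Example OEM Ltd.|SignatureStatus=Valid",
    "UtcTime=2026-03-19 14:30:00.000|ImageLoaded=C:\\Windows\\System32\\drivers\\custom.sys"
    "|Hashes=SHA256=" + "f" * 64
    + "|Signed=false|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, level, reasons in triage_log(SAMPLE_EVENTS):
        print(f"[{level}] {image}")
        for reason in reasons:
            print("    -", reason)
```

The design point is that the second record is the one that matters for this post: the driver is validly signed, so signature checks alone pass it, and only the hash list, the load path, the missing baseline entry and the hour make it stand out. The same logic ports directly to a SIEM rule; the Signed/SignatureStatus fields are what Sysmon reports, so a driver whose certificate was later revoked shows up there as well.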

5. The Uncomfortable Truth About EDR Confidence

The security industry has sold EDR as the answer to everything for the better part of a decade. “Deploy EDR and sleep soundly.” The reality is that every EDR vendor knows BYOVD is a solved bypass for their product in many configurations. They just don’t lead with that in the sales deck.

Modern threat actors have a menu of BYOVD drivers to choose from. When one gets blocked, they swap to another. The asymmetry is brutal: defenders must block every variant; attackers only need one that works.

This doesn’t mean EDR is useless — it absolutely raises the bar for commodity attackers. But The Gentlemen crew isn’t commodity. And they’re not state-sponsored either. They’re a 20-person shop that formed because someone didn’t get paid their ransomware cut. If they can run BYOVD at scale, assume every serious threat actor can.


Key Takeaways

  1. BYOVD is mainstream — ransomware affiliates, not just APTs, are using it routinely in 2026.
  2. Enable HVCI if you haven’t. Every compatibility headache is worth it.
  3. Monitor driver loads — anomaly detection on driver events catches a lot of early-stage BYOVD.
  4. Your EDR is not kernel-proof — layer your defenses accordingly; assume breach.
  5. Red teamers: add BYOVD to your standard engagement playbook — if you’re not testing this, your clients have a false sense of security.
  6. 14,700 compromised FortiGate devices sitting in a criminal database is a reminder: patch your perimeter now. CVE-2024-55591 is not new. There’s no excuse.

The threat landscape in 2026 isn’t about zero-days and nation-state magic. It’s about commodity attackers weaponizing known techniques with industrial efficiency. BYOVD has been known for years. It’s being used right now, today, against real organizations, by groups that formed out of a payment dispute on a hacker forum.

If that doesn’t motivate patching and HVCI rollout, I don’t know what will.


References: Group-IB analysis of The Gentlemen RaaS (March 2026), The Hacker News ThreatsDay Bulletin (March 19, 2026), LOLDrivers project, Microsoft Vulnerable Driver Blocklist documentation.