Windows admin tools turned into ransomware enablers

Hackers are weaponising trusted Windows administration tools and signed but vulnerable drivers to switch off antivirus and endpoint detection systems before launching ransomware, a tactic that is making intrusions quieter, faster and more difficult for defenders to stop. Security researchers and government-backed advisories say attackers are increasingly avoiding noisy custom malware in the opening stages of an attack, instead leaning on built-in utilities, service controls, scripts and legitimate remote administration frameworks that are already present in many corporate environments.

The shift matters because it compresses the time between initial access and the point at which files are encrypted. Once inside a network, operators can use command shells, batch scripts, registry changes, PsExec, Windows Management Instrumentation and service control mechanisms to gain elevated privileges, weaken protections and fan out across the estate. Microsoft described one 2025 case in which attackers used cmd.exe and batch scripts, abused services.exe to alter Defender settings through registry changes, escalated to SYSTEM with PsExec and then distributed ransomware through Group Policy modifications.

What makes the method particularly effective is that the tooling often looks legitimate at first glance. A signed driver or a familiar administrative binary is not inherently malicious, but attackers can bend it to malicious ends. CrowdStrike and Cisco Talos have both highlighted the growing abuse of Bring Your Own Vulnerable Driver, or BYOVD, in which threat actors deliberately install a legitimate driver with a known flaw and exploit it to gain kernel-level power, bypass code-signing restrictions or terminate protected security processes. That gives ransomware crews a direct route to blinding EDR and AV products before the encryption stage begins.

Several ransomware families now appear to treat defence impairment as a standard part of the playbook rather than an optional extra. Trend Micro’s profiling of RansomHub said the group used a batch file named disableAV.bat, the STONESTOP and POORTRY toolset, TDSSKiller, TOGGLEDEFENDER and EDRKillShifter to terminate or evade security products. Unit 42, in separate reporting on BlackSuit activity linked to Ignoble Scorpius, said operators used the same vulnerable-driver approach to disable or evade antivirus and EDR tools while also moving laterally with PsExec, RDP and SMB.

Government advisories suggest the trend has spread across multiple crews. Singapore’s Cyber Security Agency warned in August 2025 that a new EDR-killer tool, believed to be an evolution of EDRKillShifter, had been used by at least eight ransomware groups including BlackSuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx and INC. The agency said the tool is designed to disable endpoint visibility before ransomware or other malware is deployed, creating a blind spot that sharply reduces the effectiveness of conventional defences.

That evolution reflects a broader change in ransomware operations. Human-operated attacks have long depended on stolen credentials, privilege escalation and lateral movement, but the newer layer is the systematic dismantling of security controls before the final payload runs. Microsoft’s long-running work on human-operated ransomware framed these campaigns as hands-on-keyboard intrusions, while newer casework shows the same model becoming more refined through the use of trusted Windows components and commercial or open-source utilities that administrators themselves may use. The result is a thinner line between normal administration and hostile activity, complicating detection for security teams already dealing with alert fatigue.

The business backdrop is equally sobering. Sophos said its 2025 global ransomware study drew on responses from 3,400 IT and cyber-security leaders across 17 countries whose organisations had been hit in the preceding year, while its enterprise-focused 2025 study described ransomware as one of the most pressing security challenges facing large organisations entering 2026. Those findings do not prove that every attack used Windows-native tools to impair defences, but they underline the scale of the threat environment in which such techniques are becoming more valuable to attackers.

Defenders are responding by pushing organisations to harden the operating system features that attackers commonly abuse. Microsoft says its vulnerable driver blocklist is enabled by default on supported Windows 11 systems and recommends applying the latest block rules where possible, though it cautions that blocking drivers can create compatibility problems and will not catch every flawed driver in circulation. In parallel, Microsoft has urged customers to enable tamper protection, cloud-delivered protection, Credential Guard, LSA protection, attack surface reduction rules and EDR block mode so that endpoint products can still act even if traditional antivirus is weakened.
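The hardening controls listed above, and the Defender registry tampering described in the Microsoft case earlier in the article, can both be checked from an elevated PowerShell session. The script below is an added example written for this page, not code from Microsoft or any of the vendors cited. It uses only standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), the Win32_DeviceGuard CIM class and well-known registry locations; the "VulnerableDriverBlocklistEnable" value is assumed to be absent when the platform default applies, and EDR block mode is a Defender for Endpoint tenant setting with no local switch, so it is reported for manual review rather than queried.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: audit the hardening controls the article
# names and the Defender policy keys that ransomware operators commonly flip.
# Assumptions: standard Defender cmdlets are present; an absent
# VulnerableDriverBlocklistEnable value means the platform default applies.

function Get-RegistryValueSafe {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent
    }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [bool]$Ok, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Control = $Control
        Status  = if ($Ok) { 'OK' } else { 'REVIEW' }
        Detail  = $Detail
    })
}

# 1. Vulnerable driver blocklist. 1 = explicitly enabled; absent means the
#    platform default applies (on by default on supported Windows 11).
$vdb = Get-RegistryValueSafe 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'
Add-Finding 'Vulnerable driver blocklist' (($null -eq $vdb) -or ($vdb -eq 1)) "VulnerableDriverBlocklistEnable=$vdb"

# 2. Defender status: tamper protection, real-time protection, service state.
$status = Get-MpComputerStatus
Add-Finding 'Tamper protection'     ([bool]$status.IsTamperProtected)         "IsTamperProtected=$($status.IsTamperProtected)"
Add-Finding 'Real-time protection'  ([bool]$status.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
Add-Finding 'Antimalware service'   ([bool]$status.AMServiceEnabled)          "AMServiceEnabled=$($status.AMServiceEnabled)"

# 3. Cloud-delivered protection (MAPS): 0 = off, 1 = basic, 2 = advanced.
$pref = Get-MpPreference
Add-Finding 'Cloud-delivered protection' ($pref.MAPSReporting -ge 1) "MAPSReporting=$($pref.MAPSReporting)"

# 4. Attack surface reduction rules: count rules whose action is Block (1).
$asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
Add-Finding 'ASR rules in block mode' ($asrBlock -gt 0) "$asrBlock rule(s) set to Block"

# 5. LSA protection (RunAsPPL): 1 = enabled, 2 = enabled with UEFI lock.
$ppl = Get-RegistryValueSafe 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Finding 'LSA protection (RunAsPPL)' ($ppl -in @(1, 2)) "RunAsPPL=$ppl"

# 6. Credential Guard: SecurityServicesRunning contains 1 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
Add-Finding 'Credential Guard' $cgRunning "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

# 7. EDR block mode is configured in the Defender for Endpoint portal, not locally.
Add-Finding 'EDR block mode' $false 'Tenant setting: verify in the Microsoft Defender portal'

# 8. Policy values that a registry write (as in the case the article describes)
#    would use to switch Defender off. Any value of 1 warrants investigation.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $v = Get-RegistryValueSafe $policyPath $name
    Add-Finding "Policy: $name" ($v -ne 1) "$name=$v"
}
$rtpPath = Join-Path $policyPath 'Real-Time Protection'
foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection') {
    $v = Get-RegistryValueSafe $rtpPath $name
    Add-Finding "Policy: $name" ($v -ne 1) "$name=$v"
}

$findings | Format-Table -AutoSize
```

Run it as an administrator on a handful of representative hosts rather than relying on a single reference image: tamper protection and the driver blocklist are the two controls most directly aimed at the EDR-killer tooling the article describes, and a "REVIEW" on either of them, or a 1 in any of the policy values in section 8 on a machine that is not managed by Group Policy, is worth investigating promptly.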
