Why outdated drivers are now a ransomware weapon
Drivers don't sound dangerous, but in 2026 they've become one of ransomware's favourite tools. The technique is called Bring Your Own Vulnerable Driver (BYOVD), and it works like this: attackers install a driver that is genuinely signed by a real company but has a known security hole. Because Windows trusts signed drivers at the deepest level, the attackers use that hole to switch off your antivirus from the kernel — then encrypt your files unopposed.
This isn't fringe any more. Security researchers found that 54 different "EDR killer" tools abuse 35 vulnerable drivers, and major ransomware operations now bundle them in. One framework ("Gentlemen") can disable more than 400 security processes across 48 products, including Microsoft Defender; the Qilin and Warlock crews use a tool that kills 300+ protection drivers.
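What a defender-side check for this technique looks like in practice, as an added example that is not from the article, Tendvane or any of the named tools: the script below takes driver-load records in the shape of Sysmon's DriverLoad event (Event ID 6, fields ImageLoaded, Signed, Signature, SignatureStatus and Hashes) and flags any whose SHA256 is on a vulnerable-driver list or that was loaded from outside the normal driver directory. The records and the hash values are constructed placeholders, not real indicators; the field names are Sysmon's.

```powershell
# Added example (not from the article or Tendvane): flag driver-load records
# against a known-vulnerable-driver hash list, the way a simple EDR rule would.
# Assumes Sysmon Event ID 6 (DriverLoad) style fields; the records below are
# constructed for illustration and the hashes are PLACEHOLDERS, not real IoCs.

$KnownVulnerableSha256 = @(
    'PLACEHOLDER_SHA256_OF_A_BLOCKLISTED_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_A_BLOCKLISTED_DRIVER_2'
)

# Constructed sample records resembling Sysmon DriverLoad events.
$SampleDriverLoads = @(
    [pscustomobject]@{ ImageLoaded = 'C:\Windows\System32\drivers\storport.sys'; Signed = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid'; Hashes = 'SHA256=PLACEHOLDER_SHA256_OF_A_GOOD_DRIVER' },
    [pscustomobject]@{ ImageLoaded = 'C:\Users\Public\tool\legacy.sys'; Signed = 'true'; Signature = 'Example Hardware Vendor (constructed)'; SignatureStatus = 'Valid'; Hashes = 'SHA256=PLACEHOLDER_SHA256_OF_A_BLOCKLISTED_DRIVER_1' },
    [pscustomobject]@{ ImageLoaded = 'C:\Windows\Temp\x.sys'; Signed = 'true'; Signature = 'Another Vendor (constructed)'; SignatureStatus = 'Valid'; Hashes = 'SHA256=PLACEHOLDER_SHA256_UNKNOWN' }
)

function Get-Sha256FromHashes {
    param([string]$Hashes)
    # Sysmon's Hashes field looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
    foreach ($part in $Hashes -split ',') {
        if ($part -like 'SHA256=*') { return $part.Substring(7) }
    }
    return $null
}

function Find-SuspiciousDriverLoads {
    param(
        [Parameter(Mandatory)] $Records,
        [string[]]$BlockedHashes = $KnownVulnerableSha256
    )
    foreach ($r in $Records) {
        $sha256  = Get-Sha256FromHashes $r.Hashes
        $reasons = @()
        # A valid vendor signature is exactly what BYOVD relies on, so the
        # decisive check is the hash against the blocklist, not the signature.
        if ($sha256 -and ($BlockedHashes -contains $sha256)) { $reasons += 'hash on vulnerable-driver list' }
        # Drivers normally live under System32\drivers; a user-writable path is unusual.
        if ($r.ImageLoaded -notlike 'C:\Windows\System32\drivers\*') { $reasons += 'loaded from unusual path' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Driver = $r.ImageLoaded; Signer = $r.Signature; Reasons = ($reasons -join '; ') }
        }
    }
}

# On the constructed sample this reports the second and third records.
Find-SuspiciousDriverLoads -Records $SampleDriverLoads | Format-Table -AutoSize
```

On a machine that actually runs Sysmon, the same function can be fed live records from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=6]]'` after extracting the event's data fields. The point the example makes is the one the article makes: the signature on a BYOVD driver is genuine, so "is it signed?" is the wrong question; "is this specific build known to be exploitable, and is it being loaded from somewhere a driver has no business being?" is the right one.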
What home users can actually do: keep Windows updated (Microsoft ships a vulnerable-driver blocklist that's improved through Windows Update), keep Defender's Tamper Protection on, and keep your drivers current so old, exploitable versions aren't lying around. Most attacks still need an initial foothold — so the anti-scam habits in our ClickFix guide matter too.
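The three mitigations above can be checked locally rather than taken on trust. The script below is an added example, not Tendvane's code or anything from the article: it reads Defender's status through the built-in `Get-MpComputerStatus` cmdlet, reads the registry value Microsoft uses to switch on its vulnerable-driver blocklist (`VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`), reads whether memory integrity (HVCI) is running from the Device Guard CIM class, and lists third-party drivers whose driver date is older than a chosen cut-off. It assumes Windows 10 or 11 with the Defender PowerShell module present and an elevated session.

```powershell
# Added example (not the article's or Tendvane's code): check the home-user
# mitigations described in the text on a local Windows 10/11 machine.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present and
# that the script runs elevated; the CIM classes and registry path are the
# documented ones, but results on other Windows editions may differ.

function Get-DriverHardeningPosture {
    $mp = Get-MpComputerStatus

    # Microsoft's vulnerable-driver blocklist is on when this DWORD is 1
    # (it is also forced on when HVCI or Smart App Control is active).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklistOn = ($ci.VulnerableDriverBlocklistEnable -eq 1)

    # Device Guard reports running services as a list of codes; 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciOn = ($null -ne $dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        TamperProtection          = $mp.IsTamperProtected
        RealTimeProtection        = $mp.RealTimeProtectionEnabled
        SignaturesAgeDays         = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        VulnerableDriverBlocklist = $blocklistOn
        MemoryIntegrityHVCI       = $hvciOn
    }
}

function Get-StaleThirdPartyDrivers {
    # Age is a heuristic, not proof of a vulnerability: an old driver is a
    # candidate to check against the Microsoft Update Catalog, nothing more.
    param([int]$OlderThanYears = 3)
    $cutoff = (Get-Date).AddYears(-$OlderThanYears)
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object {
            $_.DriverProviderName -and
            $_.DriverProviderName -ne 'Microsoft' -and
            $_.DriverDate -and
            $_.DriverDate -lt $cutoff
        } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, InfName |
        Sort-Object DriverDate
}

Get-DriverHardeningPosture | Format-List
Get-StaleThirdPartyDrivers | Format-Table -AutoSize
```

Anything reported as `False` in the first table is a setting the article says to keep on; a stale driver in the second table is worth looking up by its INF name and version before deciding whether it needs replacing, since the checks here only tell you it is old, not that it is exploitable.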
Tendvane helps on the maintenance side: it inventories your drivers and flags out-of-date ones against the Microsoft Update Catalog, and its security-posture check confirms Defender and Tamper Protection are actually on.