Interlock Ransomware Uses BYOVD Anti-Cheat Driver Flaw to Disable EDR
Fortinet/FortiGuard Labs reported that the Interlock ransomware group—described as a smaller, non-RaaS operation—ran a months-long intrusion campaign primarily targeting the education sector in the US and UK. Initial access was observed via MintLoader, including “ClickFix” social-engineering lures, followed by post-compromise activity using a JavaScript implant referred to as NodeSnakeRAT, lateral movement with valid accounts and living-off-the-land techniques, and broad discovery prior to impact. The operation follows a double-extortion pattern, with data exfiltration (including use of AZcopy) preceding ransomware deployment, and has been observed impacting both Windows endpoints and Nutanix hypervisor environments.
A key technical finding is Interlock’s use of a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint defenses. Researchers identified a custom tool dubbed “Hotta Killer” (associated with polers.dll) that drops a kernel driver UpdateCheckerX64.sys, described as a renamed vulnerable anti-cheat driver (GameDriverx64.sys, CVE-2025-61155). Because the driver is legitimate and digitally signed, it can pass initial trust checks; once loaded, it is abused for kernel-level process termination to kill EDR/AV processes, with reporting noting targeting of Fortinet security tooling specifically, enabling subsequent ransomware execution with reduced detection and response capability.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Fortinet discloses Hotta Killer BYOVD technique tied to Interlock
Fortinet publicly reported that Interlock used a custom EDR/AV killer called Hotta Killer, which exploited a zero-day in the signed anti-cheat driver GameDriverx64.sys via a BYOVD technique. The flaw was tracked as CVE-2025-61155 and was used to terminate security software, including Fortinet products, at kernel level.
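The BYOVD pattern described here (a legitimately signed driver renamed on disk and loaded from an unusual path, then abused to terminate security processes) gives defenders a few concrete signals that do not depend on the driver's signature, which by design passes trust checks. The following Python is an added detection example written for this page, not code from Fortinet or from any of the cited reports. It assumes driver-load telemetry shaped like Sysmon Event ID 6 (DriverLoad) enriched with the PE version-info OriginalFilename field (an assumption; stock Event 6 does not carry it), and the sample records and the blocklist hash are constructed placeholders, not real indicators from the campaign.

```python
"""Triage kernel driver loads for the renamed-vulnerable-driver (BYOVD) pattern.

Added example; the records below are constructed, and the SHA-256 in the
blocklist is a placeholder, not the hash of the real GameDriverx64.sys.
"""
from dataclasses import dataclass

# Original (version-info) file names of drivers known to be abusable for
# kernel-level process termination. GameDriverx64.sys is the driver named in
# the report; extend this set from a maintained vulnerable-driver list.
KNOWN_VULNERABLE_ORIGINAL_NAMES = {"gamedriverx64.sys"}
KNOWN_VULNERABLE_SHA256 = {"<placeholder-sha256-of-gamedriverx64.sys>"}

# Where third-party drivers are normally installed on Windows.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverLoad:
    image_loaded: str       # on-disk path (Sysmon ImageLoaded)
    sha256: str             # from the Sysmon Hashes field
    signed: bool            # Sysmon Signed; a valid signature is NOT a clean signal here
    original_filename: str  # PE version-info OriginalFilename (assumed enrichment)


def assess(event: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks like BYOVD; empty list means no finding."""
    reasons = []
    disk_name = event.image_loaded.rsplit("\\", 1)[-1].lower()
    orig = event.original_filename.lower()

    if event.sha256.lower() in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches a known vulnerable driver")
    if orig in KNOWN_VULNERABLE_ORIGINAL_NAMES:
        reasons.append(f"original filename {orig} is a known vulnerable driver")
    # A renamed driver keeps its compiled-in OriginalFilename, so a mismatch
    # with the on-disk name is a cheap, signature-independent indicator.
    if orig and orig != disk_name:
        reasons.append(f"renamed driver: on-disk {disk_name} vs original {orig}")
    if not event.image_loaded.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def triage(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each flagged image path to its findings, skipping clean loads."""
    return {e.image_loaded: r for e in events if (r := assess(e))}


# Constructed sample telemetry: one load matching the reported pattern
# (renamed anti-cheat driver dropped under ProgramData) and one routine load.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\ProgramData\Update\UpdateCheckerX64.sys",
               "0000000000000000000000000000000000000000000000000000000000000001",
               True, "GameDriverx64.sys"),
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys",
               "0000000000000000000000000000000000000000000000000000000000000002",
               True, "tcpip.sys"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The signed flag is deliberately not used as an allow condition: the whole point of BYOVD is that the driver carries a valid signature, so blocking has to rest on hash or original-name blocklists (such as the Microsoft vulnerable driver blocklist or HVCI policy) and on behavioural context like the load path and the rename mismatch.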
Attackers create thousands of rogue domain accounts after encryption
Following the start of encryption, the attackers generated roughly 5,000 rogue domain user accounts. The purpose was unclear, but FortiGuard suggested it may have been intended to create confusion or hinder incident response.
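Whatever the attackers' intent, a burst of thousands of account creations by one principal is easy to pick out of Windows Security logs, and it is a useful tripwire because it happened alongside encryption. The script below is an added example for this page, not code from FortiGuard or the cited articles. It counts Event ID 4720 (user account created) per creating account over a sliding time window; the log lines, the window size and the threshold are constructed assumptions and should be tuned to the domain's normal provisioning rate.

```python
"""Flag principals that create an abnormal number of domain accounts in a short window.

Added example. Input is a constructed, simplified export with the shape
"timestamp,event_id,creating_account,new_account"; in a real deployment the
fields come from Security Event ID 4720 (SubjectUserName / TargetUserName).
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed window
THRESHOLD = 20                   # assumed baseline; real provisioning is far lower


def parse_4720(lines: list[str]) -> list[tuple[datetime, str, str]]:
    """Keep only account-creation events, returned sorted by time."""
    events = []
    for line in lines:
        ts, event_id, subject, target = line.strip().split(",")
        if event_id == "4720":
            events.append((datetime.fromisoformat(ts), subject, target))
    events.sort()
    return events


def detect_account_burst(events, window=WINDOW, threshold=THRESHOLD) -> dict[str, int]:
    """Return {creating_account: peak creations inside one window} for accounts over threshold."""
    recent: dict[str, deque] = {}   # creator -> timestamps within the current window
    alerts: dict[str, int] = {}
    for ts, subject, _target in events:
        q = recent.setdefault(subject, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[subject] = max(alerts.get(subject, 0), len(q))
    return alerts


def constructed_log() -> list[str]:
    """Build sample lines: routine HR provisioning plus a 50-account burst."""
    base = datetime(2025, 10, 10, 8, 0, 0)
    lines = []
    for i in range(3):   # three routine creations, hours apart
        lines.append(f"{(base + timedelta(hours=3 * i)).isoformat()},4720,CORP\\svc_hr,user{i:03d}")
    for i in range(50):  # burst: 50 accounts created six seconds apart
        t = base + timedelta(hours=20, seconds=6 * i)
        lines.append(f"{t.isoformat()},4720,CORP\\admin_x,tmp{i:04d}")
    # Unrelated logon event, present to show the filter ignores other IDs
    lines.append(f"{(base + timedelta(hours=20)).isoformat()},4624,CORP\\admin_x,-")
    return lines


if __name__ == "__main__":
    for creator, peak in detect_account_burst(parse_4720(constructed_log())).items():
        print(f"ALERT: {creator} created {peak} accounts within {WINDOW}")
```

A sliding window per creator, rather than a flat daily count, keeps a legitimately busy provisioning service from tripping the rule while still catching a scripted burst; the same logic ports directly to a SIEM aggregation on SubjectUserName over Event ID 4720.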
Interlock launches ransomware on Nutanix and Windows systems
On October 10, 2025, Interlock began encryption using a Linux encryptor against Nutanix servers and a JavaScript payload called jar.jar against Windows endpoints. The operation affected both hypervisor and endpoint environments.
Interlock escalates to large-scale data exfiltration with AZcopy
By September 2025, the attackers had escalated the intrusion by exfiltrating more than 250 GB of data using AZcopy to cloud storage. This activity supported the group's double-extortion model before encryption was launched.
Attackers establish persistence with NodeSnake RAT
After initial access, Interlock deployed a custom JavaScript implant known as NodeSnake RAT to maintain long-term access and support lateral movement using valid accounts and living-off-the-land techniques.
Interlock begins intrusion via MintLoader in education-sector victim
FortiGuard Labs reported that an Interlock ransomware intrusion against the education sector began with a MintLoader infection, likely delivered through ClickFix social engineering. The campaign targeted education organizations in the U.S. and U.K.
Sources
Interlock ransomware bolsters stealth in new attacks | SC Media (scworld.com)
Interlock Ransomware Actors New Tool Exploiting Gaming Anti-Cheat Driver 0-Day to Disable EDR and AV (cybersecuritynews.com)
Game Over: Interlock Ransomware Weaponizes Anti-Cheat Zero-Day to Kill EDR (securityonline.info)