Neat Digest  ·  Archive  ·  Open in app ↗

Ransomware Uses Microsoft-Signed Driver to Disable EDR on 10 Hosts

Score 6.4/10 · 1 sources · July 10, 2026
Ransomware Uses Microsoft-Signed Driver to Disable EDR on 10 Hosts

A ransomware operation has been discovered using a Microsoft-signed malicious kernel driver to disable endpoint detection and response (EDR) systems on targeted hosts. The attack, which has evolved over four years, compromised at least 10 hosts before encryption was deployed. The driver was signed with a valid Microsoft certificate, allowing it to bypass security controls and terminate EDR processes. This marks a significant escalation in ransomware tactics, as it is the first known instance of a signed driver being used to kill EDR. The operation appears to be highly targeted, focusing on specific organizations. Security researchers are investigating the source of the signed driver and the full scope of the campaign.

Global Impact

This development has significant implications for the cybersecurity industry and enterprise security practices. Economically, it could drive increased spending on advanced threat detection and response solutions, benefiting vendors like CrowdStrike, SentinelOne, and Microsoft itself.