Windows: New Ransomware Variant Bypasses Defender — What to Check Now

A new ransomware strain is using signed Windows drivers to disable Microsoft Defender before encrypting files. Here's how to detect it and what compensating controls to deploy.

Elevate Solutions

April 22, 2026 · 6 min read

The technique

The variant abuses a legitimately signed but vulnerable driver (a "bring your own vulnerable driver" attack) to terminate Defender and other security agents from kernel space before encryption begins.

What to check now

Confirm tamper protection is enabled on Defender and your EDR
Enable Microsoft's vulnerable driver blocklist
Alert on security-service stop events and unexpected driver loads
Verify your EDR reports to a console the attacker can't reach from the endpoint

If you're a managed client

These controls are part of our standard hardening. If you're not sure yours are in place, call us — we'll verify today.

Elevate Solutions

Security & IT Advisory Team

Threat Intelligence

Threat Actor Spotlight: Scattered Spider — How They Breach Companies Like Yours

Scattered Spider is the threat group behind some of the most devastating breaches of 2025–2026, including attacks on major enterprises and dozens of mid-market companies. Here's how they operate and how to defend.

April 21, 2026 · 8 min

Threat Intelligence macOS

Yes, Your Mac Gets Malware — Here Is How It Actually Happens

The idea that Macs don't get viruses is the most dangerous myth in cybersecurity. Mac-targeted malware rose sharply year over year. Here's how modern Mac malware works.

April 21, 2026 · 10 min

Threat Intelligence

QR Code Phishing (Quishing): The Attack Your Email Security Misses

Attackers are embedding malicious QR codes in emails and documents to bypass URL scanning. Your email security cannot read QR codes — here's why this attack is surging and what to do.

April 20, 2026 · 5 min