VEN0m Ransomware: Weaponizing Signed Drivers for Defense Evasion
Hook
Most ransomware tries to hide from antivirus software. VEN0m takes the opposite approach: it physically destroys the AV installation files on disk using the vendor’s own signed kernel driver.
Context
Traditional ransomware evasion techniques rely on memory manipulation, process injection, or hooking kernel functions to avoid detection. The problem? Modern EDR solutions monitor these exact behaviors. Projects like AV-EDR-Killer demonstrated that exploiting vulnerable drivers to call ZwTerminateProcess could kill security processes, but defenders quickly adapted by hooking these kernel functions and monitoring for suspicious memory operations.
VEN0m represents a conceptual shift in the BYOVD (Bring Your Own Vulnerable Driver) technique. Instead of terminating processes or patching memory—both high-visibility operations that trigger behavioral detections—it exploits CVE-2025-26125 in IObit Malware Fighter v12.1.0’s IMFForceDelete.sys driver to force-delete locked files with kernel privileges. The irony is deliberate: using an anti-malware product’s own driver to disable defenses. By targeting installation folders and executables on disk rather than running processes in memory, VEN0m operates in what the author identifies as a detection blind spot. The corrupted processes slowly degrade until they stop functioning, creating an opportunity to deploy the ransomware payload without triggering real-time monitoring.
Technical Insight
VEN0m’s architecture is built around four core stages: UAC bypass, driver loading, defense neutralization, and encryption with persistence. Each component demonstrates pragmatic offensive tradecraft.
The UAC bypass hijacks Slui.exe, a digitally signed Microsoft binary that supports auto-elevation. When invoked with the runas verb under an administrative context, Slui.exe attempts to open a registry key at HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command that doesn’t exist by default. VEN0m creates this key structure and inserts a DelegateExecute value pointing to the malware binary. When Slui.exe executes with elevated privileges, it delegates execution to the payload without triggering a UAC prompt. The implementation is registry manipulation, making it resistant to behavioral heuristics that flag process injection or memory manipulation.
Once running with High integrity, VEN0m extracts the embedded IMFForceDelete.sys driver to the temp folder and creates a kernel service with a disguised name like MicrosoftUpdate11.01. The driver loading logic includes defensive checks: it verifies if the service already exists to avoid duplicate installations and can restart the service if it’s stopped. This operational hygiene prevents common deployment failures in automated attack scenarios.
The defense evasion mechanism is the technical centerpiece. VEN0m targets installation folders defined in a customizable constant:
const TARGETS: &[&str] = &[
r"C:\Program Files (x86)\Kaspersky Lab",
r"C:\Program Files\Bitdefender",
r"C:\Program Files\Bitdefender Agent",
r"C:\Program Files\Windows Defender",
];For each target, it invokes DeviceIoControl with IOCTL code 0x8016E000, passing a wide Unicode string pointer to the file path and the byte length:
DeviceIoControl(
hDriver,
0x8016E000,
wstr_file.as_ptr() as LPVOID,
(wstr_file.len() * 2) as u32,
ptr::null_mut(),
0,
&mut bytes_returned,
ptr::null_mut()
)The multiplication by 2 accounts for Rust’s UTF-16 encoding where each u16 element occupies 2 bytes. The vulnerable driver processes this IOCTL in kernel mode and force-deletes the target file regardless of access controls or file locks. Unlike process termination techniques that trigger function hooks on ZwTerminateProcess, or memory patching that leaves forensic artifacts in kernel memory, this approach manipulates the filesystem directly. The corrupted AV processes continue running but gradually fail as their dependencies disappear.
The encryption module scans specified drives for files matching targeted extensions while respecting an exclusion list to avoid system instability. Files are encrypted using a hardcoded 32-byte key:
const KEY: &[u8; 32] = b"G7m9Xq2vR4pL8bF1sW0cZ6kD3jN5yH8u";Encrypted files receive a .vnm extension. The key, extensions, and exclusions are compile-time constants, making VEN0m a framework for customization rather than a turnkey attack tool. Persistence is established through Winlogon Userinit registry hijacking at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The malware appends its path to the legitimate userinit.exe value (comma-separated), ensuring execution on every user login. A copy is dropped to %LOCALAPPDATA% for reliability.
The ransom note deploys as a GUI application with scheduled task execution. A separate decryption tool, Antid0te.exe, is included for file recovery—a necessity for any proof-of-concept that claims educational intent.
The choice of Rust provides memory safety guarantees that eliminate entire vulnerability classes (buffer overflows, use-after-free) that plague C/C++ malware. Rust’s zero-cost abstractions allow low-level system programming without runtime overhead. The modular constant-based configuration (TARGETS, KEY, EXCLUSIONS) demonstrates software engineering discipline uncommon in proof-of-concept malware.
Gotcha
The hardcoded encryption key stored in plaintext within the binary is a critical weakness. Any reverse engineer with access to the executable can extract the 32-byte key using basic static analysis tools like strings or a hex editor. The author’s claim of educational use rings hollow when decryption depends on this accessible key—real ransomware uses asymmetric cryptography where decryption keys never touch the victim’s system. The README warns users to ‘save your encryption key so you can decrypt your files using the Antid0te.exe decryptor,’ suggesting the key’s extractability is a known limitation.
The BYOVD technique has a built-in expiration date. The IMFForceDelete.sys driver is currently not on Microsoft’s blocklist according to the README, but once added—a routine response to published CVEs—the entire evasion mechanism fails. Windows will refuse to load the driver, and VEN0m reverts to being detectable ransomware without any defensive countermeasures. The author’s test results (evasion against BitDefender and Kaspersky as of the February 23, 2026 initial release date) represent a snapshot in time, not durable capabilities. The testing matrix shows mixed results with Microsoft Defender (evasion works, but UAC bypass behavior differs).
Physically deleting files on disk creates forensic evidence that differs from memory-only attacks. While the technique may evade real-time behavioral detection by avoiding hooked kernel functions, the filesystem modifications leave traces. The technique trades one form of detection (behavioral monitoring of process/memory manipulation) for another (filesystem analysis), making it effective against certain defensive postures but not universally stealthy.
Verdict
Use if: You’re a security researcher analyzing BYOVD techniques for defensive purposes, building detection signatures for file-deletion-based AV evasion, or conducting authorized red team operations in isolated lab environments where you’ve received explicit written permission and have proper legal indemnification. The Rust implementation provides a clean reference for understanding how modern malware leverages memory-safe languages for system-level attacks. Skip if: You’re looking for production-ready offensive tools (the hardcoded key creates significant limitations), you lack formal authorization and legal cover (possession alone creates criminal liability in most jurisdictions), or you want durable evasion techniques (the driver may be blocklisted, rendering this ineffective once defensive measures update). This is fundamentally a time-limited proof-of-concept that demonstrates a clever detection gap rather than a sustainable attack methodology. Defenders should study it to understand filesystem-level evasion vectors; everyone else should recognize it as legally and ethically sensitive material that provides minimal practical value beyond its narrow research window.
