The Warlock ransomware group has incorporated BYOVD (Bring Your Own Vulnerable Driver) techniques into its attack chain, targeting EDR agents at the kernel level to disable endpoint visibility before deploying ransomware encryption. No specific EDR vendor or CVE is identified in available source data; the risk applies broadly to any EDR product without kernel-level tamper protection. Immediate action: verify tamper protection is enabled across all endpoints, cross-reference loaded drivers against the Microsoft WDAC blocklist and the LOLDrivers project, and review EDR health telemetry for agents that have gone silent.