VEN0m Ransomware: BYOVD-Enabled File Encryption with AV/EDR Neutralization

A new ransomware tool combines multiple attack techniques to lock files while actively dismantling security protections on targeted systems. VEN0m targets Windows computers by first neutralizing installed security software through a legitimate but flawed hardware driver, then encrypting personal and business files across multiple storage drives. The tool gained attention in early 2026 for its ability to bypass several major commercial security products during controlled testing.

Think of VEN0m as a burglar who steals a master key from the building's own maintenance crew. Instead of picking locks, the attacker uses the building's trusted tools to disable the alarm system first, then methodically locks every filing cabinet with a new combination only the burglar knows. Because the key is legitimate, the building's own security systems never raise an alarm.

Organizations affected by VEN0m face immediate loss of access to documents, images, and critical data files across workstations. The ransomware establishes multiple survival mechanisms to persist through system restarts, making simple cleanup insufficient. Full recovery requires system rebuilds, password resets, thorough system inspections, and restoration from verified offline backups, as the encryption method used is strong enough that decryption without the original key is not feasible.

Hunting Controls & Observations

Organizations can detect VEN0m through multiple telemetry sources:

  • Endpoint Controls: Windows Security Event Log (Event ID 4688) and System Event Log (Event ID 7045), Sysmon (Events 1, 6, 11, 12, 13, 23), EDR/XDR platforms with kernel-level visibility, PowerShell operational logs
  • Identity & Access Controls: Windows Security Event Log (Event IDs 4624, 4672 for UAC elevation), User Account Control event logs, privilege assignment auditing
  • Application Controls: Windows Task Scheduler operational log, scheduled task creation auditing, application allowlisting enforcement logs

Behavioral Indicators of Attack

  • Vulnerable Driver Extraction to Temporary Directory (Endpoint): VEN0m extracts an embedded driver binary (IMFForceDelete.sys) to the system temp directory with a disguised filename (MicrosoftUpdate11.01.sys). Detection focuses on .sys file creation in temp directories by non-installer processes.
  • Kernel Service Registration from Temporary Path (Endpoint): The ransomware registers the extracted driver as a kernel-mode service with autostart capability. Service creation events (Event ID 7045) referencing driver paths in temp directories indicate BYOVD staging activity.
  • UAC Bypass via COM Handler Registry Hijack (Endpoint): VEN0m creates registry keys under HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command with a DelegateExecute value, then triggers Slui.exe to execute with elevated privileges. Sequential registry writes to this path followed by Slui.exe execution signal active UAC bypass.
  • Security Product File Deletion via Vulnerable Driver (Endpoint): After loading the vulnerable driver, VEN0m sends IOCTL commands (0x8016E000) to forcefully delete files within Kaspersky, BitDefender, and Windows Defender installation directories. Detection requires monitoring for security product process crashes or file integrity changes in AV installation paths.
  • Rapid File Encryption with .vnm Extension (Endpoint): VEN0m enumerates files matching target extensions (pdf, doc, png, jpg, txt, mp4) across drives C:\ through F:\ and encrypts each with AES-256-GCM, appending a .vnm extension. Mass file rename operations with a consistent new extension within short timeframes indicate active ransomware encryption.
  • Winlogon Userinit Registry Persistence (Endpoint): The ransomware modifies the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to include its payload path alongside the legitimate userinit.exe. Changes to this registry value outside of system updates indicate persistence installation.
  • Scheduled Task Creation for Ransom Note Display (Endpoint): VEN0m creates a scheduled task named MicrosoftUpdate11.01 executing every 2 minutes at the highest privilege level, dropping and repeatedly launching a ransom note executable (@VEN0m@.exe) on the Desktop. High-frequency scheduled tasks with elevated privileges warrant immediate investigation.
  • Desktop Wallpaper Modification via System API (Endpoint): The ransomware replaces the desktop wallpaper using SystemParametersInfoW to display ransom imagery extracted from embedded assets. Programmatic wallpaper changes outside of user preference settings or group policy indicate potential ransomware activity.

MITRE Enterprise ATT&CK Tactics and Techniques

VEN0m's methodology aligns with MITRE ATT&CK Enterprise tactics across the kill chain:

Controls' Observables

Endpoint Controls

Endpoint detection and response platforms with process and file system visibility can identify VEN0m through multiple behavioral signatures:

  • Driver File Creation in Temporary Directories: Monitor for .sys file creation (Sysmon Event 11) in %TEMP% or %TMP% directories by non-installer parent processes. VEN0m writes the vulnerable driver as MicrosoftUpdate11.01.sys to the temp directory before service registration. (Related MITRE Techniques: T1068, T1543.003 | Detection Difficulty: LOW)
  • Kernel-Mode Service Registration from Non-Standard Paths: Alert on Windows service creation events (Event ID 7045) with ServiceType "kernel mode driver" referencing binary paths in temporary directories or user-writable locations rather than System32\drivers. (Related MITRE Techniques: T1543.003 | Detection Difficulty: LOW)
  • Launcher.SystemSettings COM Handler Modification: Detect registry writes (Sysmon Events 12/13) to HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command with DelegateExecute values. This registry path is not modified during normal Windows operation. (Related MITRE Techniques: T1548.002 | Detection Difficulty: LOW)
  • Winlogon Userinit Value Modification: Alert on changes to the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon that append additional executable paths beyond the default userinit.exe. (Related MITRE Techniques: T1547.004 | Detection Difficulty: LOW)
  • Mass File Rename with Consistent Extension: Detect high-volume file rename operations (Sysmon Event 11 or EDR file telemetry) appending the same extension (.vnm) across multiple directories within a short timeframe. Threshold-based alerting on file modification velocity provides reliable ransomware detection. (Related MITRE Techniques: T1486 | Detection Difficulty: MEDIUM)
  • Security Product Binary Deletion or Corruption: Monitor file integrity in AV/EDR installation directories (Program Files paths for Kaspersky, BitDefender, Windows Defender). Unexpected deletion of .exe, .dll, or .sys files in these paths indicates active defense impairment. (Related MITRE Techniques: T1562.001 | Detection Difficulty: MEDIUM)
  • High-Frequency Scheduled Task with Elevated Privileges: Alert on schtasks.exe creating tasks with /SC MINUTE intervals and /RL HIGHEST privilege, particularly when the target executable resides on the Desktop or in user-writable directories. (Related MITRE Techniques: T1053.005 | Detection Difficulty: LOW)

Identity & Access Controls

Identity and privilege monitoring can detect VEN0m's elevation and persistence techniques:

  • UAC Elevation via Slui.exe Without User Interaction: Correlate UAC elevation events (Event ID 4672) with Slui.exe process creation (Event ID 4688) where no interactive consent dialog was displayed. Legitimate Slui.exe elevation occurs during manual Windows activation, not during normal operations. (Related MITRE Techniques: T1548.002 | Detection Difficulty: MEDIUM)
  • Service Account Privilege Assignment for Driver Loading: Monitor for new service creation (Event ID 7045) running as SYSTEM that loads kernel drivers from non-standard paths. Kernel driver services should originate from trusted System32\drivers locations. (Related MITRE Techniques: T1543.003 | Detection Difficulty: LOW)

Insights and Recommendation

Organizations compromised by VEN0m face immediate and complete loss of access to user files across multiple drives, compounded by the deliberate destruction of endpoint security tools that would otherwise provide detection and forensic telemetry. The ransomware's multiple persistence mechanisms (Winlogon registry modification, scheduled tasks, kernel driver service) ensure it survives reboots, while the BYOVD technique removes the security tooling needed for investigation. The use of AES-256-GCM authenticated encryption makes file recovery without the original key computationally infeasible.

Security teams should implement driver load monitoring through Sysmon Event 6 and deploy Windows Defender Application Control (WDAC) driver blocklists to prevent known vulnerable drivers from loading. Monitoring for registry modifications to the Winlogon Userinit value (T1547.004) and the Launcher.SystemSettings COM handler (T1548.002) provides low-noise, high-fidelity detection of VEN0m's persistence and elevation techniques. Application allowlisting that restricts execution from temp directories and user-writable paths blocks the ransomware's driver staging and payload deployment. Offline backup verification and recovery testing remain the most reliable defense against the encryption impact.

Source and Credits

This summary is based on analysis of the VEN0m Ransomware source code and documentation published on GitHub by xM0kht4r in February 2026. The tool exploits CVE-2025-26125 in the IObit Malware Fighter driver (IMFForceDelete.sys v12.1.0).

Threat Hunting IOCs & Queries

Known Indicators of Compromise

  • Registry Keys:
    • UAC Bypass: HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command (DelegateExecute value)
    • Persistence: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Userinit value modified)
  • File Paths:
    • Driver: %TEMP%\MicrosoftUpdate11.01.sys
    • Persistence payload: %LOCALAPPDATA%\MicrosoftUpdate11.03.exe
    • Wallpaper: %TEMP%\MicrosoftUpdate11.03.jpg
    • Ransom note: %USERPROFILE%\Desktop\@VEN0m@.exe
  • Service and Task Artifacts:
    • Kernel service name: MicrosoftUpdate11.01
    • Scheduled task name: MicrosoftUpdate11.01
    • Device name: \\.\IMFForceDelete123
  • Encryption Indicators:
    • Encrypted file extension: .vnm
    • Target extensions: pdf, doc, xlms, png, jpg, jpeg, txt, mp4
    • Target drives: C:\, D:\, E:\, F:\
    • Excluded directories: Windows, Program Files, Program Files (x86), ProgramData, $Recycle.Bin, All Users
  • Vulnerable Driver:
    • Driver: IMFForceDelete.sys (IObit Malware Fighter v12.1.0)
    • CVE: CVE-2025-26125
    • IOCTL code: 0x8016E000

Note: VEN0m is an open-source tool. Threat actors deploying it can modify the encryption key, file extension, service names, file paths, and target extensions. Use behavioral queries for persistent detection rather than relying solely on these static indicators.

Query 1: Suspicious Driver File Creation and Kernel Service Installation

Behavior Targeted: Detects creation of .sys driver files in temporary directories followed by kernel-mode service registration, the staging pattern VEN0m uses to load the vulnerable IMFForceDelete.sys driver for privileged file deletion operations.
MITRE ATT&CK: T1543.003, T1068
Expected Results: Events showing .sys file creation in %TEMP% or other user-writable directories, combined with kernel-mode service creation events referencing those paths. True positives show non-installer processes writing driver files to temp directories with subsequent service registration.
False Positive Likelihood: LOW - Legitimate driver installations use vendor installers that write to System32\drivers, not temp directories. Hardware driver updates via Windows Update also follow standard installation paths.
Tuning Guidance: Allowlist known driver update utilities (e.g., manufacturer-specific update tools) if they temporarily stage drivers in temp directories. Focus investigation on kernel services with ImagePath values pointing to temp, user profile, or download directories.

Splunk SPL Query

index=windows sourcetype="WinEventLog:System" EventCode=7045
    earliest=-7d
    | where match(ImagePath, "(?i)\\\\(temp|tmp|appdata|downloads)\\\\")
    | where match(ServiceType, "(?i)kernel")
    | eval SuspiciousName=if(match(ServiceName, "(?i)(microsoftupdate|windowsupdate\d|svchost\d)"), "HIGH", "MEDIUM")
    | stats count, values(ImagePath) as DriverPaths, values(ServiceType) as ServiceTypes,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen
        by ComputerName, ServiceName, SuspiciousName
    | eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
           LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
    | table FirstSeen, LastSeen, ComputerName, ServiceName, DriverPaths, ServiceTypes, SuspiciousName, count
    | sort SuspiciousName, -count

// TUNING: Adjust path matching to include additional user-writable directories specific to your environment
// TUNING: Add known legitimate driver update services to an allowlist
// FALSE POSITIVES: Third-party driver update utilities that stage files in temp before installation

Microsoft KQL Query (Defender/Sentinel)

Event
| where TimeGenerated > ago(7d)
| where EventLog == "System" and EventID == 7045
| extend ServiceName = extract(@"Service Name:\s+(.+?)(?:\r|\n)", 1, RenderedDescription)
| extend ImagePath = extract(@"Service File Name:\s+(.+?)(?:\r|\n)", 1, RenderedDescription)
| extend ServiceType = extract(@"Service Type:\s+(.+?)(?:\r|\n)", 1, RenderedDescription)
| where ServiceType has "kernel"
| where ImagePath matches regex @"(?i)\\(temp|tmp|appdata|downloads)\\"
| extend SuspiciousName = iff(ServiceName matches regex @"(?i)(microsoftupdate|windowsupdate\d|svchost\d)", "HIGH", "MEDIUM")
| project TimeGenerated, Computer, ServiceName, ImagePath, ServiceType, SuspiciousName
| order by TimeGenerated desc

// TUNING: Extend path regex to cover additional user-writable directories in your environment
// TUNING: Allowlist verified driver update services by ServiceName
// FALSE POSITIVES: Hardware vendor driver installation utilities

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
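The same field extraction and severity logic as Query 1, written in Python as an added example (not VEN0m or page code) so it can be run offline over exported 7045 event text; the sample records are constructed, modelled on the staging described above:

```python
"""Classifier for Windows System log Event 7045 (service installed) records.

Added example implementing the field extraction and severity logic of Query 1 in
Python. Sample records are constructed, modelled on the VEN0m staging pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field labels as they appear in the 7045 rendered message (same labels the KQL extract() calls use)
FIELD_RE = {
    "service_name": re.compile(r"Service Name:\s+(.+?)(?:\r|\n|$)"),
    "image_path": re.compile(r"Service File Name:\s+(.+?)(?:\r|\n|$)"),
    "service_type": re.compile(r"Service Type:\s+(.+?)(?:\r|\n|$)"),
    "start_type": re.compile(r"Service Start Type:\s+(.+?)(?:\r|\n|$)"),
}
# Same path and name patterns as the SPL/KQL queries above
USER_WRITABLE_RE = re.compile(r"\\(temp|tmp|appdata|downloads)\\", re.I)
LOOKALIKE_NAME_RE = re.compile(r"(microsoftupdate|windowsupdate\d|svchost\d)", re.I)


@dataclass
class ServiceInstall:
    computer: str
    service_name: str
    image_path: str
    service_type: str
    start_type: str


def parse_7045(computer: str, rendered: str) -> ServiceInstall:
    """Pull the labelled fields out of a rendered 7045 message; a missing field becomes ""."""
    fields = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(rendered)
        fields[key] = m.group(1).strip() if m else ""
    return ServiceInstall(computer, **fields)


def classify(ev: ServiceInstall) -> Optional[str]:
    """HIGH: kernel driver from a user-writable path with an update/system look-alike name.
    MEDIUM: kernel driver from a user-writable path. None: user-mode service or a normal driver path."""
    if "kernel" not in ev.service_type.lower():
        return None
    if not USER_WRITABLE_RE.search(ev.image_path):
        return None
    return "HIGH" if LOOKALIKE_NAME_RE.search(ev.service_name) else "MEDIUM"


def hunt(events: List[Tuple[str, str]]):
    """Return (computer, service name, image path, severity) per suspicious install, HIGH first."""
    found = []
    for computer, rendered in events:
        ev = parse_7045(computer, rendered)
        sev = classify(ev)
        if sev:
            found.append((ev.computer, ev.service_name, ev.image_path, sev))
    return sorted(found, key=lambda r: r[3])  # "HIGH" sorts before "MEDIUM"


SAMPLE_EVENTS = [  # constructed (computer, RenderedDescription) pairs
    ("WS-0412", "A service was installed in the system.\r\n\r\nService Name:  MicrosoftUpdate11.01\r\n"
                "Service File Name:  C:\\Users\\alice\\AppData\\Local\\Temp\\MicrosoftUpdate11.01.sys\r\n"
                "Service Type:  kernel mode driver\r\nService Start Type:  auto start\r\nService Account:  \r\n"),
    ("WS-0412", "A service was installed in the system.\r\n\r\nService Name:  acmegpu\r\n"
                "Service File Name:  \\??\\C:\\Windows\\System32\\drivers\\acmegpu.sys\r\n"
                "Service Type:  kernel mode driver\r\nService Start Type:  demand start\r\n"),
    ("SRV-01", "A service was installed in the system.\r\n\r\nService Name:  AcmeUpdater\r\n"
               "Service File Name:  C:\\Users\\bob\\Downloads\\acmeupd.sys\r\n"
               "Service Type:  kernel mode driver\r\nService Start Type:  auto start\r\n"),
    ("SRV-01", "A service was installed in the system.\r\n\r\nService Name:  MicrosoftUpdate11.01\r\n"
               "Service File Name:  C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe\r\n"
               "Service Type:  user mode service\r\nService Start Type:  auto start\r\n"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

The user-mode service from the same temp path is deliberately left out of the results, mirroring the `ServiceType` filter in the queries; drop that check if you also want to see user-mode services staged from temp.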

Query 2: UAC Bypass via Slui.exe COM Handler Hijack

Behavior Targeted: Detects registry modifications to the Launcher.SystemSettings COM handler key, the technique VEN0m uses to redirect Slui.exe auto-elevation to execute the ransomware payload with administrative privileges without displaying a UAC consent dialog.
MITRE ATT&CK: T1548.002
Expected Results: Registry write events creating or modifying keys under HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command, particularly with a DelegateExecute value. Legitimate software does not modify this registry path.
False Positive Likelihood: LOW - This specific registry path is not modified during normal Windows operation, software installation, or system administration. Any write to this key is highly suspicious.
Tuning Guidance: This detection requires minimal tuning due to the specificity of the registry path. Treat any alert from this query as high-priority investigation. Correlate with subsequent Slui.exe process creation events to confirm active exploitation.

Splunk SPL Query

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=12 OR EventCode=13 OR EventCode=14)
    earliest=-7d
    "Launcher.SystemSettings"
    | search TargetObject="*Shell\\Open\\Command*"
    | rex field=Image "(?<ProcessName>[^\\\\]+)$"
    | stats count, values(Details) as RegistryValues, values(Image) as ProcessPaths,
        values(EventCode) as EventCodes, earliest(_time) as FirstSeen
        by Computer, User, TargetObject
    | eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
    | table FirstSeen, Computer, User, TargetObject, RegistryValues, ProcessPaths, EventCodes, count
    | sort - FirstSeen

// TUNING: No tuning typically required - this registry path is not legitimately modified
// RECOMMEND: Correlate with Slui.exe process creation (EventCode=1) within 60 seconds of registry modification
// FALSE POSITIVES: None expected - any modification to this key warrants immediate investigation

Microsoft KQL Query (Defender/Sentinel)

DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where RegistryKey has "Launcher.SystemSettings"
| where RegistryKey has @"Shell\Open\Command"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
| order by TimeGenerated desc

// TUNING: No tuning typically required - this is a high-fidelity, low-noise detection
// RECOMMEND: Join with DeviceProcessEvents to identify subsequent Slui.exe execution
// FALSE POSITIVES: None expected in normal Windows operation

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 3: Winlogon Userinit Persistence Modification

Behavior Targeted: Detects modifications to the Winlogon Userinit registry value, VEN0m's primary persistence mechanism. The ransomware appends its payload path to the legitimate userinit.exe entry, ensuring execution at every user logon. This technique survives reboots and user password changes.
MITRE ATT&CK: T1547.004
Expected Results: Registry modification events showing changes to the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon where the new value contains additional executable paths beyond the default C:\Windows\system32\userinit.exe,.
False Positive Likelihood: LOW - The Userinit value is rarely modified outside of malware activity. Legitimate changes occur only during major Windows updates or specific enterprise software deployments that require logon scripts.
Tuning Guidance: Establish a baseline of the expected Userinit value for your environment. Alert on any deviation from the baseline. In enterprise environments with logon script requirements, allowlist specific authorized executable paths but investigate any unexpected additions.

Splunk SPL Query

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=12 OR EventCode=13 OR EventCode=14)
    earliest=-7d
    "Winlogon" "Userinit"
    | search TargetObject="*CurrentVersion\\Winlogon*"
    | rex field=Details "(?<NewValue>.*)"
    | where NOT match(Details, "^C:\\\\Windows\\\\system32\\\\userinit\.exe,\s*$")
    | rex field=Image "(?<ProcessName>[^\\\\]+)$"
    | stats count, values(Details) as NewValues, values(Image) as ProcessPaths,
        earliest(_time) as FirstSeen
        by Computer, User, TargetObject
    | eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
    | table FirstSeen, Computer, User, TargetObject, NewValues, ProcessPaths, count
    | sort - FirstSeen

// TUNING: Adjust the default Userinit regex to match your environment's expected baseline value
// TUNING: Allowlist specific enterprise logon script paths if deployed via Userinit
// FALSE POSITIVES: Enterprise logon script configurations, major Windows feature updates

Microsoft KQL Query (Defender/Sentinel)

DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where RegistryKey has @"CurrentVersion\Winlogon"
| where RegistryValueName =~ "Userinit"
| where ActionType in ("RegistryValueSet", "SetValue")
| where RegistryValueData !endswith @"system32\userinit.exe,"
    and RegistryValueData !endswith @"system32\userinit.exe"
| project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
| order by TimeGenerated desc

// TUNING: Adjust the Userinit baseline filter to match your enterprise's expected value
// TUNING: Focus on InitiatingProcessFileName - modifications from non-system processes are high priority
// FALSE POSITIVES: Enterprise logon script deployments, Windows feature updates

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
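The "baseline plus allowlist" approach from the tuning guidance for Query 3, as an added example in Python (not VEN0m or page code); it handles the default value's trailing comma, the %SystemRoot% form, case differences, and the case where userinit.exe is replaced rather than appended to. All sample values are constructed.

```python
"""Baseline check for the Winlogon Userinit value (T1547.004).

Added example implementing the baseline-plus-allowlist tuning guidance. Userinit is a
comma-separated list of executables run at logon; the Windows default is
"C:\\Windows\\system32\\userinit.exe," (trailing comma included). Values are constructed."""
import re

DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value: str):
    """Split on commas, dropping empty entries (the default's trailing comma) and surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip().strip('"')]


def normalise(path: str) -> str:
    """Expand the SystemRoot variable forms Windows writes and case-fold (NTFS is case-insensitive)."""
    expanded = re.sub(r"%systemroot%|%windir%", r"C:\\Windows", path, flags=re.I)
    return expanded.lower()


def check_userinit(value: str, allowlist=()):
    """Compare a Userinit value against the default plus an enterprise allowlist.

    Returns the parsed entries, those outside the baseline (`unexpected`), and whether
    the genuine userinit.exe is still present (a value may be replaced, not just appended)."""
    baseline = {normalise(DEFAULT_USERINIT)} | {normalise(a) for a in allowlist}
    entries = parse_userinit(value)
    normalised = [normalise(e) for e in entries]
    return {
        "entries": entries,
        "unexpected": [e for e, n in zip(entries, normalised) if n not in baseline],
        "default_present": normalise(DEFAULT_USERINIT) in normalised,
    }


def is_alert(value: str, allowlist=()) -> bool:
    """True when the value deviates from the baseline in either direction."""
    r = check_userinit(value, allowlist)
    return bool(r["unexpected"]) or not r["default_present"]


# Constructed sample values: default, VEN0m-style append, enterprise logon agent, outright replacement
DEFAULT_VALUE = r"C:\Windows\system32\userinit.exe,"
VEN0M_STYLE = r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Local\MicrosoftUpdate11.03.exe,"
ENTERPRISE = r"%SystemRoot%\system32\userinit.exe,C:\Program Files\Corp\logonagent.exe,"
REPLACED = r"C:\Users\alice\AppData\Local\MicrosoftUpdate11.03.exe"

if __name__ == "__main__":
    for name, value in [("default", DEFAULT_VALUE), ("ven0m", VEN0M_STYLE),
                        ("enterprise", ENTERPRISE), ("replaced", REPLACED)]:
        print(name, is_alert(value), check_userinit(value)["unexpected"])
```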

Query 4: Rapid File Encryption with Extension Change

Behavior Targeted: Detects mass file modification patterns consistent with ransomware encryption, specifically the rapid creation of files with the .vnm extension across multiple directories. VEN0m encrypts files using AES-256-GCM and renames them with a .vnm extension, generating a high volume of file operations in a short timeframe.
MITRE ATT&CK: T1486
Expected Results: Processes generating a high count of file rename or creation events with .vnm extensions (or other consistent non-standard extensions) across multiple directory paths within a short window. True positives show a single process responsible for hundreds of file operations spanning multiple directories.
False Positive Likelihood: LOW - Mass file rename operations with a single consistent extension across multiple directories is a strong ransomware indicator. Legitimate batch file operations (backup software, media conversion) typically target a single directory and use known extensions.
Tuning Guidance: Adjust the file count threshold based on environment size. The default threshold of 50 files in 10 minutes catches aggressive encryption while allowing normal file operations. For environments with heavy batch file processing, increase the threshold or add directory-based allowlists. The .vnm extension is specific to VEN0m; generalize the query by alerting on any process creating files with a single unusual extension at high volume.

Splunk SPL Query

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    earliest=-1h
    "*.vnm"
    | rex field=TargetFilename "(?<FileExtension>\.[^.\\\\]+)$"
    | where FileExtension=".vnm"
    | rex field=TargetFilename "^(?<DirectoryPath>.*\\\\)[^\\\\]+$"
    | stats count,
        dc(DirectoryPath) as UniqueDirectories,
        values(DirectoryPath) as AffectedPaths,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by Computer, Image
    | eval TimeSpan=LastSeen - FirstSeen
    | where count > 50 AND UniqueDirectories > 3
    | eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
           LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S"),
           TimeSpan=tostring(TimeSpan, "duration")
    | table FirstSeen, LastSeen, Computer, Image, count, UniqueDirectories, TimeSpan, AffectedPaths
    | sort - count

// TUNING: Adjust count threshold (>50) and UniqueDirectories (>3) based on environment
// TUNING: Replace ".vnm" with a wildcard pattern to detect ransomware variants using different extensions
// TUNING: For generic ransomware detection, alert on any process creating 50+ files with the same unusual extension
// FALSE POSITIVES: Backup software, batch media conversion tools, legitimate file migration utilities

Microsoft KQL Query (Defender/Sentinel)

DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("FileRenamed", "FileCreated")
| where FileName endswith ".vnm"
| extend DirectoryPath = tostring(parse_path(FolderPath).DirectoryPath)  // FolderPath holds the full path including the file name
| summarize FileCount = count(),
            UniqueDirectories = dcount(DirectoryPath),
            AffectedPaths = make_set(DirectoryPath, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessFileName
| where FileCount > 50 and UniqueDirectories > 3
| extend TimeSpanSeconds = datetime_diff('second', LastSeen, FirstSeen)
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, FileCount,
          UniqueDirectories, TimeSpanSeconds, AffectedPaths
| order by FileCount desc

// TUNING: Adjust FileCount (>50) and UniqueDirectories (>3) based on normal file operations
// TUNING: Replace ".vnm" filter with a dynamic extension analysis for generic ransomware detection
// TUNING: Lower thresholds for high-value file servers; raise for development workstations
// FALSE POSITIVES: Batch file processing tools, automated backup or archival systems

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
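The generalisation suggested in the tuning guidance for Query 4 (alert on any process writing one unusual extension at high volume, rather than on the literal ".vnm"), as an added Python example that is not VEN0m or page code; it applies the page's 50-files-in-10-minutes default with a sliding window over constructed Sysmon Event 11 records:

```python
"""Velocity-based ransomware detection over Sysmon Event 11 (FileCreate) records.

Added example generalising Query 4: each process's dominant new extension is computed,
so a variant using another extension is still caught. Records are constructed samples."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ntpath

# Extensions a batch tool may legitimately write in bulk (tune per environment)
KNOWN_EXTENSIONS = {".tmp", ".log", ".bak", ".docx", ".pdf", ".jpg", ".png", ".txt", ".mp4"}


def max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any span of length `window`."""
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(records, min_files=50, min_dirs=3, window=timedelta(minutes=10), dominance=0.9):
    """records: iterable of (timestamp, computer, image, target_filename).

    One alert per (computer, image) whose file creations look like mass encryption:
    a single unusual extension making up >= `dominance` of its output, spread over more
    than `min_dirs` directories, with >= `min_files` such files inside some `window`."""
    groups = defaultdict(list)
    for ts, computer, image, path in records:
        groups[(computer, image)].append((ts, path))
    alerts = []
    for (computer, image), items in groups.items():
        exts = Counter(ntpath.splitext(p)[1].lower() for _, p in items)
        ext, n_ext = exts.most_common(1)[0]
        if not ext or ext in KNOWN_EXTENSIONS or n_ext / len(items) < dominance:
            continue
        hits = sorted((ts, p) for ts, p in items if ntpath.splitext(p)[1].lower() == ext)
        dirs = {ntpath.dirname(p) for _, p in hits}
        burst = max_in_window([ts for ts, _ in hits], window)
        if burst >= min_files and len(dirs) > min_dirs:
            alerts.append({"computer": computer, "image": image, "extension": ext,
                           "files": n_ext, "directories": len(dirs), "burst": burst})
    return alerts


def sample_records():
    """Constructed Event 11 records: one encryptor, one backup job, one ordinary user."""
    t0 = datetime(2026, 2, 1, 9, 0, 0)
    folders = ["Documents", "Pictures", "Desktop", "Videos", "Downloads"]
    recs = []
    for i in range(60):  # encryptor: 60 files, 5 directories, one new extension, ~2 minutes
        folder = "C:\\Users\\alice\\" + folders[i % 5]
        recs.append((t0 + timedelta(seconds=2 * i), "WS-0412",
                     r"C:\Users\alice\AppData\Local\MicrosoftUpdate11.03.exe",
                     folder + f"\\file{i}.pdf.vnm"))
    for i in range(80):  # backup job: many files, but one directory and a known extension
        recs.append((t0 + timedelta(seconds=i), "SRV-01", r"C:\Program Files\Backup\bk.exe",
                     f"D:\\Backups\\db{i}.bak"))
    for i in range(5):   # a user saving a handful of documents
        recs.append((t0 + timedelta(minutes=i), "WS-0412", r"C:\Program Files\Office\word.exe",
                     f"C:\\Users\\alice\\Documents\\draft{i}.docx"))
    return recs


if __name__ == "__main__":
    for alert in analyse(sample_records()):
        print(alert)
```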