DeadLock Ransomware Evades Security with BYOVD Attack

▼ Summary
– Cybersecurity researchers observed a new campaign by the DeadLock ransomware group using a BYOVD technique to disable endpoint security tools.
– The attack exploited a vulnerability (CVE-2024-51324) in a Baidu Antivirus driver to kill security processes, then used scripts to escalate privileges and erase recovery options.
– The ransomware, written in C++, used a custom stream cipher for encryption, appended “.dlock” to files, and employed evasion tactics like a 50-second delay.
– The attack deliberately avoided critical system files to keep machines functional and communicated ransom demands exclusively via the encrypted Session Messenger.
– Security recommendations to defend against such threats include strong endpoint protection, multi-factor authentication, and maintaining regular offline backups.
Cybersecurity experts have identified a new campaign deploying DeadLock ransomware that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize security software. The financially motivated attack chain, detailed in a recent analysis, combines privilege escalation, remote access tooling, and a custom encryption routine to cripple business operations while deliberately keeping systems bootable for ransom negotiation.
The attack hinges on a known vulnerability, CVE-2024-51324, in a Baidu Antivirus driver. A custom loader brings the signed but vulnerable driver onto the host, loads it, and then abuses the flaw to terminate endpoint detection and response (EDR) processes from kernel context, which sidesteps the user-mode tamper protection those processes rely on. Loading a driver already requires administrative rights on Windows, so the operator held local admin before this stage. With defenses disabled, a PowerShell script takes over to escalate privileges, stop security and backup services, and delete all volume shadow copies to eliminate recovery options. The threat actor then establishes persistence and remote control by enabling Remote Desktop Protocol (RDP) and covertly installing AnyDesk.
The DeadLock payload itself, compiled in July 2025 and written in C++, uses process hollowing to run inside a legitimate rundll32.exe process. An extensive embedded configuration dictates its behavior: timing parameters, lists of services and processes to terminate, file and directory exclusions, and the ransom note text. For encryption it uses a custom stream cipher with time-derived keys, processing file data in memory before writing it back and appending the ".dlock" extension. It also waits about 50 seconds before encrypting, a simple but effective tactic for outlasting automated sandboxes with short execution budgets.
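As an added example, not code from the report or from InfoSecurity Magazine, the Python below sketches hunting rules for the chain described in the two paragraphs above and runs them over a constructed Sysmon-style event stream. Every host, path, driver and process name in the sample is a hypothetical placeholder; the report does not name the driver file or the terminated products. The rules key on behaviours rather than hashes: a driver loaded from outside the system drivers directory followed by a burst of process terminations, shadow-copy deletion commands, fDenyTSConnections set to 0, AnyDesk appearing, rundll32.exe launched without a DLL argument, and the gap between that launch and the first .dlock file.

```python
"""Hunting rules for the chain described above. Events are Sysmon-like dicts
constructed for this example; every path, host, driver and process name in the
sample is a hypothetical placeholder, not an indicator from the report."""
import re
from datetime import datetime, timedelta

# Sysmon event IDs used by the rules below.
PROCESS_CREATE, PROCESS_TERMINATE, DRIVER_LOAD, FILE_CREATE, REG_SET = 1, 5, 6, 11, 13

# Recovery-option destruction: real utilities and syntaxes, all rare on a
# healthy workstation.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"win32_shadowcopy.*delete\(\)|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
RDP_VALUE = r"\terminal server\fdenytsconnections"   # 0 enables inbound RDP
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
KILL_WINDOW = timedelta(seconds=60)                    # driver load -> kills
RANSOM_EXT = ".dlock"


def event(time, eid, image, cmdline="", target="", details=""):
    """Build one normalized event record from an ISO-8601 timestamp."""
    return {"time": datetime.fromisoformat(time), "id": eid, "image": image,
            "cmdline": cmdline, "target": target, "details": details}


def detect(events):
    """Return a list of (rule, detail) findings for one host's event stream."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    kills = [e for e in events if e["id"] == PROCESS_TERMINATE]

    # 1. BYOVD: driver loaded from outside the system drivers directory,
    #    followed within a short window by several process terminations.
    for d in (e for e in events if e["id"] == DRIVER_LOAD):
        if d["image"].lower().startswith(SYSTEM_DRIVER_DIR):
            continue
        killed = [k["image"] for k in kills
                  if d["time"] <= k["time"] <= d["time"] + KILL_WINDOW]
        rule = "byovd_process_kill" if len(killed) >= 2 else "driver_outside_system_dir"
        findings.append((rule, f"{d['image']} -> {killed}"))

    hollow_host_start = None
    for e in (e for e in events if e["id"] == PROCESS_CREATE):
        image, cmd = e["image"].lower(), e["cmdline"].strip()
        if SHADOW_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", cmd))
        # 2. rundll32 normally takes "<dll>,<entry>"; a bare invocation is a
        #    classic hollowing / injection host.
        if image.endswith("rundll32.exe") and cmd.strip('"').lower().endswith("rundll32.exe"):
            findings.append(("rundll32_no_arguments", cmd))
            hollow_host_start = hollow_host_start or e["time"]
        # 3. Remote access tooling appearing where it is not an approved tool.
        if "anydesk" in image:
            findings.append(("remote_access_tool", cmd))

    # 4. RDP switched on through the registry.
    for e in (e for e in events if e["id"] == REG_SET):
        if e["target"].lower().endswith(RDP_VALUE) and e["details"].lower().endswith("0x00000000)"):
            findings.append(("rdp_enabled", e["target"]))

    # 5. Encrypted output, and the delay between the hollowed host starting and
    #    the first ciphertext file (the report describes roughly 50 s).
    dlock = [e for e in events if e["id"] == FILE_CREATE
             and e["target"].lower().endswith(RANSOM_EXT)]
    if dlock:
        findings.append(("ransom_extension_files", len(dlock)))
        if hollow_host_start:
            delay = (dlock[0]["time"] - hollow_host_start).total_seconds()
            findings.append(("encryption_onset_delay_s", delay))
    return findings


SAMPLE_EVENTS = [  # constructed stream; all names are placeholders
    event("2025-08-01T10:00:00", PROCESS_CREATE, r"C:\Users\Public\loader.exe", "loader.exe"),
    event("2025-08-01T10:00:01", DRIVER_LOAD, r"C:\Windows\System32\drivers\disk.sys"),   # benign
    event("2025-08-01T10:00:02", DRIVER_LOAD, r"C:\Users\Public\drv\vulnerable_av.sys"),  # placeholder
    event("2025-08-01T10:00:05", PROCESS_TERMINATE, r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    event("2025-08-01T10:00:05", PROCESS_TERMINATE, r"C:\Program Files\ExampleEDR\edr_sensor.exe"),
    event("2025-08-01T10:00:22", PROCESS_CREATE, r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    event("2025-08-01T10:00:25", REG_SET, r"C:\Windows\System32\reg.exe",
          target=r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
          details="DWORD (0x00000000)"),
    event("2025-08-01T10:00:30", PROCESS_CREATE, r"C:\Users\Public\AnyDesk.exe",
          'AnyDesk.exe --install "C:\\Program Files (x86)\\AnyDesk" --silent'),  # flags constructed
    event("2025-08-01T10:00:35", PROCESS_CREATE, r"C:\Windows\System32\rundll32.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),                       # benign use
    event("2025-08-01T10:00:40", PROCESS_CREATE, r"C:\Windows\System32\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe"'),                           # no arguments
    event("2025-08-01T10:01:30", FILE_CREATE, r"C:\Windows\System32\rundll32.exe",
          target=r"C:\Users\alice\Documents\budget.xlsx.dlock"),
    event("2025-08-01T10:01:31", FILE_CREATE, r"C:\Windows\System32\rundll32.exe",
          target=r"C:\Users\alice\Documents\notes.docx.dlock"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

Each rule on its own is noisy in some environments (administrators do delete shadow copies and do enable RDP); the value is in the co-occurrence and ordering, which is why the findings carry the timeline rather than a single verdict.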
This ransomware is designed for maximum disruption with calculated restraint. It aggressively targets a wide array of business-critical applications like databases, backup solutions, and security software. Simultaneously, it deliberately avoids encrypting core Windows system files and directories, ensuring the compromised machine remains operational, a strategic move to facilitate communication and payment. The attack also leaves visible marks by changing desktop wallpapers, replacing file icons, and disabling command-line utilities.
Communication with victims occurs exclusively through the Session Messenger platform, leveraging its end-to-end encryption and anonymity features. The ransom note, delivered after encryption, boasts of “military-grade encryption” and provides a six-step recovery guide. It specifies that payments can be made in Bitcoin or Monero and sternly warns victims against renaming files or attempting third-party decryption.
To guard against such evolving threats, a proactive, layered defense strategy is essential. Organizations must prioritize robust, updated endpoint protection that can detect and block driver-based attacks, for example by enabling memory integrity (HVCI) and Microsoft's vulnerable driver blocklist so that known-abused signed drivers cannot be loaded in the first place. Enforcing multi-factor authentication (MFA) across all remote access points and critical systems adds a vital barrier against unauthorized entry. Perhaps most critically, maintaining regular, tested, and isolated offline backups remains the most reliable safety net, ensuring business continuity even if primary systems are encrypted.
(Source: InfoSecurity Magazine)