Emerging DeadLock Ransomware Variant Employs BYOVD to Bypass EDR
The group was observed employing the Bring Your Own Vulnerable Driver (BYOVD) method through a vulnerable Baidu Antivirus driver (CVE-2024-51324) to terminate endpoint detection and response (EDR) processes and execute the ransomware payload undetected.
The attackers used a previously unknown loader, EDRGay.exe, which dropped the legitimate but vulnerable driver BdApiUtil.sys, disguised as DriverGay.sys, into the victim’s Videos directory.
This driver contains an Improper Privilege Management flaw that allows unprivileged users to terminate any system process at the kernel level.
The loader opened a handle to the driver's device via the Windows CreateFile() API and issued IOCTL 0x800024b4, whose handler terminates the requested process through the ZwTerminateProcess() system call, using it to kill AV and EDR processes.
This exploit effectively dismantled active endpoint protections before ransomware deployment, aligning with MITRE ATT&CK technique T1211 – Exploitation for Defense Evasion.
Following this, the actor executed a PowerShell script to escalate privileges, bypass User Account Control (T1548.002), and disable Windows Defender.
The script also deleted shadow copies to inhibit recovery (T1490 – Inhibit System Recovery) and modified startup configurations of critical services to ensure persistence after system restart.
After turning off system defenses, the attackers deployed the DeadLock ransomware payload, written in C++ and compiled in mid-2025.
The encryptor employs a custom stream cipher algorithm based on time-derived cryptographic seeds to lock files efficiently while preserving system stability for ransom payment operations. Encrypted files have the extension “.dlock” and a unique hexadecimal identifier.
The ransomware terminates processes linked to security tools, remote access utilities, databases, and backup software, including Veeam, Acronis, Veritas, and SQL Server, while excluding essential Windows services to maintain system operability.
Telemetry revealed that the attackers gained initial access via compromised valid accounts (T1078), then enabled RDP connections (T1021.001) and installed AnyDesk for persistent access (T1219.002).
The attackers also manipulated Windows Defender settings via SystemSettingsAdminFlows.exe, turning off real-time protection and cloud submission.
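As an added illustration (not code from the Talos report), the following Python triage script encodes the detection opportunities this chain leaves behind: a kernel driver loaded from a user-writable location such as the Videos directory (catching the renamed BdApiUtil.sys even when a name list misses it), shadow-copy deletion, and SystemSettingsAdminFlows.exe launched from a script host. The Sysmon-style event records, user names, paths and parent processes are constructed for the example; the T1562.001 mapping is a standard ATT&CK assignment not taken from the page.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry shaped like Sysmon driver-load (Event ID 6) and
# process-creation (Event ID 1) records. Only the driver names come from the report.
EVENTS: List[Dict[str, str]] = [
    {"type": "driver_load", "image": r"C:\Users\jdoe\Videos\DriverGay.sys"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "parent": "powershell.exe"},
    {"type": "process", "image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "cmdline": "SystemSettingsAdminFlows.exe", "parent": "powershell.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": "explorer.exe"},
]

# Driver name the report ties to this campaign; renaming on disk defeats this list,
# which is why the path rule below exists (hash-based blocklisting is more robust).
KNOWN_VULNERABLE_DRIVERS = {"bdapiutil.sys"}
# Kernel drivers have no legitimate reason to load from user-writable locations.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}

Alert = Tuple[str, str, str]  # (rule name, ATT&CK technique, detail)

def check_driver_load(ev: Dict[str, str]) -> List[Alert]:
    alerts: List[Alert] = []
    if ntpath.basename(ev["image"]).lower() in KNOWN_VULNERABLE_DRIVERS:
        alerts.append(("known_vulnerable_driver", "T1211", ev["image"]))
    if USER_WRITABLE.search(ev["image"]):
        alerts.append(("driver_from_user_writable_path", "T1211", ev["image"]))
    return alerts

def check_process(ev: Dict[str, str]) -> List[Alert]:
    alerts: List[Alert] = []
    if SHADOW_DELETE.search(ev.get("cmdline", "")):
        alerts.append(("shadow_copy_deletion", "T1490", ev["cmdline"]))
    if (ntpath.basename(ev["image"]).lower() == "systemsettingsadminflows.exe"
            and ev.get("parent", "").lower() in SCRIPT_HOSTS):
        alerts.append(("defender_settings_tamper_from_script_host", "T1562.001", ev["image"]))
    return alerts

def analyze(events: List[Dict[str, str]]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if ev["type"] == "driver_load":
            alerts.extend(check_driver_load(ev))
        elif ev["type"] == "process":
            alerts.extend(check_process(ev))
    return alerts

if __name__ == "__main__":
    for rule, technique, detail in analyze(EVENTS):
        print(f"[{technique}] {rule}: {detail}")
```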
Unlike traditional ransomware groups, the DeadLock operators do not maintain a leak site. Instead, victims are instructed to communicate via the Session messenger, which uses end-to-end encryption for secure negotiations.
Cisco Talos advises organizations to update defenses against BYOVD exploits, patch vulnerable drivers, enable multi-factor authentication, and monitor abnormal PowerShell or remote access activity.
Detection rules for DeadLock are available in Snort (SIDs 65576, 65575, 301358) and in ClamAV signatures listed in the Cisco Talos GitHub IOC repository.
The post Emerging DeadLock Ransomware Variant Employs BYOVD to Bypass EDR appeared first on Cyber Security News.