DeadLock Ransomware Uses BYOVD to Kill EDR and Erase Backups Stealthily
Cisco Talos has uncovered a new DeadLock ransomware campaign in which attackers exploit a vulnerable Baidu Antivirus driver (CVE-2024-51324) to disable EDR systems using the Bring Your Own Vulnerable Driver (BYOVD) technique, dismantle defenses with a PowerShell script, erase backups, and encrypt files on Windows using a proprietary encryption algorithm. Notably, the group operates without a public leak site and communicates with victims exclusively via the Session messenger.
According to Talos, the operation is run by a financially motivated actor that gains access to a victim’s environment at least five days before encryption and methodically prepares the system for DeadLock’s deployment. A cornerstone of the attack chain is BYOVD: the attackers introduce a legitimate yet vulnerable Baidu Antivirus driver, BdApiUtil.sys, disguised as DriverGay.sys, along with a custom loader named EDRGay.exe. Running in user mode, the loader initializes the driver, establishes communication via CreateFile(), and enumerates running processes in search of antivirus and EDR solutions.
The attackers then exploit CVE-2024-51324, a privilege-handling flaw in the driver. The loader issues a crafted DeviceIoControl() request with IOCTL code 0x800024b4 and the PID of the target process. In kernel space, the driver interprets this as a termination request but fails to validate the caller’s privileges. Operating with kernel-level authority, it simply invokes ZwTerminateProcess(), instantly killing the security service and clearing the path for subsequent malicious activity.
Before launching the encryptor, the operator executes a preparatory PowerShell script on the victim’s machine. The script first checks the current user’s privileges and, if necessary, relaunches itself with administrative rights via RunAs, bypassing UAC and weakening standard PowerShell restrictions. With elevated privileges, it disables Windows Defender and other protective mechanisms, stops and disables backup services, databases, and other software that could interfere with encryption. In parallel, it deletes all Volume Shadow Copy snapshots, depriving the victim of standard recovery options, and finally self-destructs to complicate forensic analysis.
The script contains a carefully curated list of exclusions for critical system services, including networking components (WinRM, DNS, DHCP), authentication mechanisms (KDC, Netlogon, LSM), and core Windows services (RPCSS, Plug and Play, Event Log). This allows the attackers to disable as many defensive and application components as possible without crashing the system outright, ensuring the victim can still read the ransom note, contact the extortionists, and pay. Talos observed that certain script sections—such as those related to removing network shares or alternative process-termination methods—were commented out, suggesting optional modules reserved for specific targets. Some exclusions are dynamically loaded from an external file named run[.]txt.
Telemetry indicates that initial access is obtained through compromised legitimate credentials. After entry, the attackers establish persistent remote access: they modify the fDenyTSConnections registry value via reg add to enable RDP, create a firewall rule with netsh advfirewall to open port 3389, and set the RemoteRegistry service to on-demand start before launching it, enabling remote registry manipulation.
One day before encryption, the operator installs a fresh instance of AnyDesk on a host, despite the presence of other AnyDesk installations in the environment—an action that stands out as suspicious. AnyDesk is deployed silently, configured to start with Windows, protected with a password for unattended access, and set with updates disabled to avoid disrupting the attackers’ sessions. Active reconnaissance and lateral movement then follow: nltest is used to identify domain controllers and domain structure; net localgroup /domain enumerates privileged groups; ping and quser check host availability and active users; mstsc and mmc compmgmt.msc facilitate RDP connections and remote management; and possible access to internal web resources is inferred from iexplore.exe launches targeting internal IP addresses.
A dedicated phase focuses on weakening Windows’ built-in protections. Talos recorded the use of the legitimate system binary SystemSettingsAdminFlows.exe to alter Windows Defender settings. The command sequence disables real-time protection, cloud-based features, sample submission, and advanced notifications. Because these changes are made by a trusted Windows utility, they can bypass certain detection rules.
The primary “payload” in the chain is the DeadLock encryptor itself, designed for Windows systems. Written in C++, the binary was compiled in July 2025, aligning with the group’s first appearance on researchers’ radar. Upon execution, DeadLock drops an embedded batch script into the ProgramData directory; the script switches the console code page to UTF-8 via chcp 65001, launches the main encryptor binary, and deletes itself. DeadLock then employs process hollowing, injecting its code into rundll32.exe to masquerade as a legitimate system process.
DeadLock’s behavior is governed by a substantial 8,888-byte configuration block embedded directly within the executable. At startup, the encryptor parses this block using “|” delimiters and loads parameters into memory, including cryptographic seeds, timing values, lists of processes and services to terminate, excluded file extensions and paths, campaign identifiers, ransom note text, HTML markers, and visual assets. The configuration contains a hard-coded 65-character numeric string used as a base encryption key, along with timing values that serve as entropy sources for pseudorandom sequences and execution delays.
The “kill list” targets both standard Windows utilities (Explorer, PowerShell, Task Manager) and high-value applications: remote access tools (AnyDesk, RustDesk, mstsc), cloud storage clients (Dropbox, OneDrive), security components (Antimalware Service, SecurityHealthService, SmartScreen), database services (Microsoft SQL Server, Sybase SQL Anywhere, MySQL), backup solutions (Veeam, Veritas Backup Exec, Acronis, CA Arcserve, Carbonite), antivirus and EDR products (Symantec/Norton, McAfee, 360 Security), and widely used business software such as QuickBooks, Microsoft Exchange, Apache Tomcat, and VMware tools. At the same time, the configuration enforces strict exclusion lists for system directories—Windows, Program Files, ProgramData, System Volume Information—and critical files and extensions, including executables, drivers, bootloaders, and profile configuration files. This maximizes data encryption while preserving OS stability.
The encryption process itself is notably sophisticated. DeadLock recursively traverses the file system, skipping excluded files and directories, and employs a custom stream cipher rather than standard Windows cryptographic APIs. Keystreams are derived from system time via GetSystemTimeAsFileTime, combined with additional mathematical operations to produce 8-byte pseudorandom sequences. Files are processed in 16-byte blocks: content is validated as UTF-8, encrypted in memory using the generated keystream, and then written back to disk. Each encrypted file is renamed with a hexadecimal identifier and the .dlock extension. To evade sandbox analysis, the malware introduces an approximately 50-second delay before initiating active encryption.
In parallel, DeadLock makes conspicuous visual changes. It drops an icon file, a batch script, and a bitmap image into ProgramData, then modifies the DefaultIcon registry key under Software to assign a custom icon to the .dlock extension, branding all encrypted files. The ransomware also replaces the desktop wallpaper with a custom image and disables command-line utilities to hinder manual recovery. A ransom note is placed in every directory containing encrypted files.
The ransom note follows a familiar script: the operators claim to use “military-grade” encryption, outline a six-step recovery process, and warn against independent decryption attempts or file renaming. Payment is demanded in Bitcoin or Monero, and the note’s filename embeds a unique victim identifier in the format READ ME.<hex_identifier>.txt. For communication, the attackers rely on the Session messenger, whose end-to-end encryption and anonymity minimize the risk of operator deanonymization and center negotiations around a unique Session ID.
The combination of BYOVD exploitation, aggressive defense suppression, a bespoke encryption scheme, and the absence of a public leak site underscores DeadLock’s preference for quiet yet technically advanced extortion. For potential victims, this means that up-to-date antivirus software alone is no longer sufficient. It is critical to monitor for vulnerable drivers, scrutinize atypical uses of legitimate Windows utilities, track remote access tool installations such as AnyDesk, and investigate unusual PowerShell activity well before the .dlock extension begins appearing on file servers.
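A defender-side illustration of the monitoring advice above. The Python below is an added example written for this article, not Talos’s tooling: it runs a handful of rules over constructed Sysmon-style records that mirror the behaviours the report describes (the RDP registry and firewall changes, RemoteRegistry set to on-demand start, SystemSettingsAdminFlows.exe launched from a shell, a command-line AnyDesk install, a Baidu-signed driver loaded under another name, and .dlock or READ ME.<hex>.txt files appearing). The sc.exe syntax, the shell-parent heuristic and the signer string are assumptions; the report names only the outcomes.

```python
import re
from collections import Counter

# Constructed Sysmon-style records (not from the Talos report); field names and paths are this example's own.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\reg.exe", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet'
     r'\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall firewall add rule name=rdp dir=in protocol=TCP localport=3389 action=allow"},
    {"id": 1, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc config RemoteRegistry start= demand"},
    {"id": 1, "image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "SystemSettingsAdminFlows.exe"},
    {"id": 1, "image": r"C:\Users\Public\AnyDesk.exe",
     "cmd": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"id": 6, "image": r"C:\Users\Public\DriverGay.sys", "signer": "Baidu (constructed signer string)"},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe", "target": r"D:\Shares\Finance\READ ME.1a2b3c4d.txt"},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe", "target": r"D:\Shares\Finance\budget.xlsx.dlock"},
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RANSOM_NOTE = re.compile(r"read me\.[0-9a-f]+\.txt$")  # READ ME.<hex_identifier>.txt, lower-cased

def base(path): return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the name of the rule a single record trips, or None."""
    img, cmd = base(ev["image"]), ev.get("cmd", "").lower()
    if ev["id"] == 6:   # id 6 = driver load: BdApiUtil.sys is dropped as DriverGay.sys, so key on the signer
        if "baidu" in ev.get("signer", "").lower() and img != "bdapiutil.sys":
            return "baidu_driver_loaded_under_other_name"
    elif ev["id"] == 11:  # id 11 = file create: encrypted files and ransom notes
        tgt = base(ev["target"])
        if tgt.endswith(".dlock") or RANSOM_NOTE.search(tgt):
            return "deadlock_file_artifact"
    elif ev["id"] == 1:   # id 1 = process create: the pre-encryption preparation steps
        if img == "reg.exe" and "fdenytsconnections" in cmd and re.search(r"/d\s+0\b", cmd):
            return "rdp_enabled_via_registry"
        if img == "netsh.exe" and "advfirewall" in cmd and "3389" in cmd:
            return "rdp_port_opened_in_firewall"
        if "remoteregistry" in cmd and re.search(r"start=\s*demand", cmd):
            return "remoteregistry_set_to_demand_start"  # sc.exe syntax assumed; report names only the outcome
        if img == "systemsettingsadminflows.exe" and base(ev.get("parent", "")) in SHELLS:
            return "adminflows_launched_from_shell"  # assumption: Settings-UI use has no shell parent
        if "anydesk" in img and "--install" in cmd:
            return "anydesk_installed_from_cli"
    return None

def detect(events):
    """Count rule hits over a batch; several distinct precursor hits on one host is the signal."""
    return Counter(r for r in map(classify, events) if r)
```

Because the report describes a multi-day preparation phase, the useful alert is several distinct precursor rules firing on one host, not any single hit.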