BYOVD enhances DeadLock ransomware’s stealth

Infosecurity Magazine reports that the DeadLock ransomware has circumvented endpoint detection tools and facilitated total system compromise through a Bring Your Own Vulnerable Driver technique.

According to a Cisco Talos analysis, the intrusion began with exploitation of a flaw in a Baidu Antivirus driver, tracked as CVE-2024-51324, which let the attackers disable endpoint detection services and then run a PowerShell script that handled privilege escalation, takedown of security and backup systems, and shadow copy removal.

The attackers then ran multiple reconnaissance and lateral movement commands before launching the DeadLock payload, which dropped an embedded batch script and then injected itself into rundll32.exe. The researchers said the ransomware targeted numerous applications and services and encrypted files with a custom stream cipher, while skipping critical Windows directories and system files so that ransom negotiations would remain possible.
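The chain above leaves three distinct telemetry footprints a defender can look for: a driver load of a known-vulnerable file, a shadow copy deletion command, and a remote thread created in rundll32.exe by a non-system process. The following detection sketch is an added example and is not code from Cisco Talos, SC Media or the DeadLock actors. It runs over constructed Sysmon-style event records (not real telemetry); the driver file name and SHA-256 are placeholders because the article gives no indicators, and the Sysmon event IDs used (6 for driver load, 1 for process creation, 8 for CreateRemoteThread) are standard.

```python
"""Detection sketch for the three stages of the DeadLock BYOVD chain.

Constructed Sysmon-style events are matched against: a vulnerable driver
load, the shadow-copy removal step, and self-injection into rundll32.exe.
Driver name and hash below are placeholders, not indicators from the article.
"""
import re
from dataclasses import dataclass

# Placeholders only: the article names a Baidu Antivirus driver (CVE-2024-51324)
# but gives no file name or hash. Populate from a vetted vulnerable-driver
# blocklist in practice.
VULNERABLE_DRIVER_NAMES = {"placeholder_vulnerable_driver.sys"}
VULNERABLE_DRIVER_SHA256 = {"0000placeholder0000"}

# Shadow copy removal: the backup-takedown step the article describes.
SHADOW_COPY_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
)


@dataclass(frozen=True)
class Finding:
    stage: str      # "driver_load", "shadow_copy_removal" or "rundll32_injection"
    event_id: int   # Sysmon event ID that produced the finding
    detail: str


def _sha256_of(hashes_field: str) -> str:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; pull out the SHA256 value."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_driver_load(ev: dict):
    """Sysmon Event ID 6: a driver was loaded. Match on file name or hash."""
    if ev.get("event_id") != 6:
        return None
    name = ev.get("image_loaded", "").rsplit("\\", 1)[-1].lower()
    sha = _sha256_of(ev.get("hashes", ""))
    if name in VULNERABLE_DRIVER_NAMES or sha in VULNERABLE_DRIVER_SHA256:
        return Finding("driver_load", 6, ev["image_loaded"])
    return None


def match_shadow_copy_removal(ev: dict):
    """Sysmon Event ID 1: process creation. Inspect the command line."""
    if ev.get("event_id") != 1:
        return None
    cmd = ev.get("command_line", "")
    if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
        return Finding("shadow_copy_removal", 1, cmd)
    return None


def match_rundll32_injection(ev: dict):
    """Sysmon Event ID 8: CreateRemoteThread into rundll32.exe from a non-Windows image."""
    if ev.get("event_id") != 8:
        return None
    target = ev.get("target_image", "").lower()
    source = ev.get("source_image", "").lower()
    if target.endswith("\\rundll32.exe") and not source.startswith("c:\\windows\\"):
        return Finding("rundll32_injection", 8, f"{source} -> {target}")
    return None


MATCHERS = (match_driver_load, match_shadow_copy_removal, match_rundll32_injection)


def analyze(events):
    """Run every matcher over every event; return all findings in event order."""
    findings = []
    for ev in events:
        for matcher in MATCHERS:
            finding = matcher(ev)
            if finding:
                findings.append(finding)
    return findings


def chain_score(findings):
    """Number of distinct stages seen; two or more on one host warrants an incident ticket."""
    return len({f.stage for f in findings})


# Constructed sample events (not real telemetry); the last one is benign noise.
SAMPLE_EVENTS = [
    {"event_id": 6, "image_loaded": "C:\\Users\\Public\\placeholder_vulnerable_driver.sys",
     "hashes": "SHA256=0000placeholder0000"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"event_id": 8, "source_image": "C:\\Users\\Public\\payload.exe",
     "target_image": "C:\\Windows\\System32\\rundll32.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe readme.txt", "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.stage}] event {f.event_id}: {f.detail}")
    print("distinct stages observed:", chain_score(found))
```

Each matcher fires on its own, but the value is in correlation: a vulnerable driver load on its own may be a legitimate (if outdated) product install, whereas a driver load followed by shadow copy deletion and a remote thread in rundll32.exe on the same host is the sequence the article describes and should be escalated as a unit.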

To mitigate the threat posed by DeadLock ransomware, the researchers recommend multi-factor authentication, robust endpoint defenses, and routine offline backups.