New BYOVD loader behind DeadLock ransomware attack
Dec. 21, 2025, 6:54 p.m.
Description
A new loader exploiting a Baidu Antivirus driver vulnerability (CVE-2024-51324) has been discovered in connection with DeadLock ransomware attacks. The threat actor uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate endpoint detection and response (EDR) processes. A PowerShell script is employed to bypass User Account Control, disable Windows Defender, terminate security services, and delete volume shadow copies. DeadLock ransomware targets Windows machines using a custom stream cipher encryption algorithm with time-based cryptographic keys. The attack chain involves initial access through compromised accounts, system registry modifications, establishment of remote access, reconnaissance, lateral movement, and defense impairment. The ransomware's encryption process includes recursive directory traversal, memory-mapped file I/O, and multi-threaded processing.
Tags
Date
- Created: Dec. 10, 2025, 9:43 a.m.
- Published: Dec. 10, 2025, 9:43 a.m.
- Modified: Dec. 21, 2025, 6:54 p.m.
Indicators
- 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
- be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce
- 2d89fb7455ff3ebf6b965d8b1113857607f7fbda4c752ccb591dbc1dc14ba0da
- 3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612
- 3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3