
New BYOVD loader behind DeadLock ransomware attack

Medium
Published: Wed Dec 10 2025 (12/10/2025, 09:43:19 UTC)
Source: AlienVault OTX General

Description

The DeadLock ransomware campaign employs a new Bring Your Own Vulnerable Driver (BYOVD) loader that exploits CVE-2024-51324, a vulnerability in the Baidu Antivirus driver, to evade endpoint detection and response (EDR) tools. Attackers use PowerShell scripts to bypass User Account Control (UAC), disable Windows Defender, terminate security services, and delete volume shadow copies before deploying the ransomware. DeadLock encrypts files on Windows systems with a custom stream cipher whose keys are derived from time values, and uses recursive directory traversal, memory-mapped file I/O, and multi-threaded processing to encrypt quickly. Initial access is gained through compromised accounts, followed by system registry modifications, remote access establishment, reconnaissance, lateral movement, and defense impairment. Although no exploits are currently known to be in the wild, the combination of BYOVD and defense evasion techniques poses a significant threat to organizations. The attack complexity and multi-stage process highlight the need for targeted mitigation strategies. This threat is particularly relevant to European organizations using Baidu Antivirus or similarly vulnerable drivers and those with Windows-based infrastructure. The suggested severity is high due to the potential for widespread impact, ease of defense evasion, and the ransomware's destructive capabilities.

AI-Powered Analysis

AI analysis last updated: 12/10/2025, 10:21:18 UTC

Technical Analysis

The DeadLock ransomware group has introduced a new loader leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique by exploiting CVE-2024-51324, a vulnerability in the Baidu Antivirus driver. BYOVD allows attackers to load a vulnerable, signed driver to terminate endpoint detection and response (EDR) processes, effectively bypassing security controls. The attack chain begins with initial access through compromised credentials, followed by system registry changes and establishing remote access. The attackers conduct reconnaissance and lateral movement within the network to maximize impact. A PowerShell script is used to bypass User Account Control (UAC), disable Windows Defender, terminate security services, and delete volume shadow copies, preventing recovery. DeadLock ransomware encrypts files on Windows machines using a custom stream cipher with time-dependent cryptographic keys, employing recursive directory traversal to locate files, memory-mapped file I/O for efficient encryption, and multi-threaded processing to speed up the attack. Despite the absence of known exploits in the wild, the exploitation of a signed vulnerable driver for EDR evasion is a sophisticated technique that increases the likelihood of successful attacks. The ransomware’s multi-faceted approach to defense evasion and encryption makes it a formidable threat to Windows environments, especially those with unpatched Baidu Antivirus drivers or similar vulnerable components.

Potential Impact

European organizations face significant risks from this threat due to the potential for complete data encryption and operational disruption. The use of BYOVD to disable endpoint security tools undermines traditional detection and prevention mechanisms, increasing the likelihood of successful infection and lateral movement. The deletion of volume shadow copies and disabling of security services complicate recovery efforts, potentially leading to extended downtime and data loss. Critical infrastructure, healthcare, finance, and manufacturing sectors in Europe, which often rely on Windows environments, could experience severe operational and financial impacts. The threat actor’s ability to bypass UAC and disable defenses without user interaction increases the risk of stealthy compromise. Additionally, the reliance on compromised accounts for initial access highlights the importance of credential security. The ransomware’s sophisticated encryption method may evade some detection tools, prolonging incident response and recovery. Overall, the impact includes confidentiality loss, integrity compromise, and availability disruption, with potential cascading effects on supply chains and service delivery.

Mitigation Recommendations

European organizations should prioritize patching or mitigating CVE-2024-51324 by updating or removing vulnerable Baidu Antivirus drivers and similar third-party drivers. Implement strict application whitelisting and driver load policies to prevent unauthorized or vulnerable drivers from loading. Enhance monitoring for unusual driver loads and PowerShell activity, especially scripts attempting to bypass UAC or disable security services. Employ multi-factor authentication (MFA) to reduce risks from compromised accounts used for initial access. Regularly back up critical data with offline or immutable backups to mitigate ransomware impact, ensuring backups are isolated from the network. Deploy advanced endpoint detection solutions capable of detecting BYOVD techniques and monitor for deletion of volume shadow copies. Conduct regular threat hunting and network segmentation to limit lateral movement. Educate users on phishing and credential security to reduce initial compromise risk. Finally, develop and test incident response plans specifically addressing ransomware scenarios involving driver exploitation and defense evasion.
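The monitoring steps above (unusual driver loads, shadow copy deletion, security services being switched off) can be turned into a small detection pass. The following is an added example written for this page, not code from Talos, AlienVault or the page itself: it runs three rules over constructed endpoint log lines in a simplified `timestamp|host|event_id|key=value;...` format (a stand-in for Sysmon event 6 driver loads, Sysmon event 1 process creation, and Windows Defender event 5001). The log format, field names, file paths and the zero-filled hash of a benign driver are constructed; only the hash values in `IOC_HASHES` come from the page's Indicators of Compromise section.

```python
"""Detection pass for the DeadLock BYOVD tradecraft described above.

Added example, not code from the page, Talos or AlienVault. The log format,
field names and sample events are constructed; only IOC_HASHES is taken from
the page's Indicators of Compromise list.
"""
import re
from dataclasses import dataclass

# Hash IoCs listed on the page (MD5, SHA1 and SHA256), lower-cased for matching.
IOC_HASHES = {
    "ced47b89212f3260ebeb41682a4b95ec",
    "148c0cde4f2ef807aea77d7368f00f4c519f47ef",
    "2d89fb7455ff3ebf6b965d8b1113857607f7fbda4c752ccb591dbc1dc14ba0da",
    "3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3",
    "3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612",
    "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428",
    "be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce",
}

# Assumption: installed kernel drivers normally live here; a driver loaded from
# anywhere else deserves review even when it carries a valid signature.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Shadow copy deletion, regardless of which tool or argument order is used.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    line_no: int
    host: str
    detail: str


def parse_line(line):
    """'ts|host|event_id|k=v;k=v' -> (host, event_id, fields). Constructed format."""
    _ts, host, event_id, body = line.split("|", 3)
    fields = {}
    for item in body.split(";"):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return host, int(event_id), fields


def hashes_in(field_value):
    """'SHA256=ab..,MD5=cd..' -> {'ab..', 'cd..'} (Sysmon-style Hashes field)."""
    digests = set()
    for part in field_value.split(","):
        _, _, digest = part.partition("=")
        if digest:
            digests.add(digest.strip().lower())
    return digests


def check_event(line_no, host, event_id, fields):
    alerts = []
    if event_id == 6:  # driver loaded
        image = fields.get("ImageLoaded", "")
        matched = hashes_in(fields.get("Hashes", "")) & IOC_HASHES
        if matched:
            alerts.append(Alert("byovd_known_driver_hash", line_no, host,
                                f"{image} matches IoC {sorted(matched)[0]}"))
        if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
            alerts.append(Alert("driver_load_unusual_path", line_no, host, image))
    elif event_id == 1:  # process created
        cmd = fields.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            alerts.append(Alert("shadow_copy_deletion", line_no, host, cmd))
    elif event_id == 5001:  # Defender: real-time protection disabled
        alerts.append(Alert("defender_realtime_disabled", line_no, host,
                            fields.get("Message", "")))
    return alerts


def scan_log(text):
    """Run every rule over each non-empty log line and return the alerts."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            host, event_id, fields = parse_line(line)
            alerts.extend(check_event(line_no, host, event_id, fields))
    return alerts


# Constructed sample: one IoC-hashed driver from a temp directory, one benign
# driver (zero-filled placeholder hash), a shadow copy deletion, a harmless
# process, and Defender reporting real-time protection off.
SAMPLE_LOG = r"""2025-12-10T09:40:01Z|WS01|6|ImageLoaded=C:\Windows\Temp\vuln_driver.sys;Hashes=SHA256=47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428,MD5=ced47b89212f3260ebeb41682a4b95ec;Signed=true
2025-12-10T09:40:03Z|WS01|6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys;Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000;Signed=true
2025-12-10T09:40:05Z|WS01|1|Image=C:\Windows\System32\vssadmin.exe;CommandLine=vssadmin.exe delete shadows /all /quiet
2025-12-10T09:40:06Z|WS01|1|Image=C:\Program Files\Vendor\app.exe;CommandLine=app.exe --check-update
2025-12-10T09:40:09Z|WS01|5001|Message=Real-time protection is disabled
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert.line_no} {alert.host} {alert.rule}: {alert.detail}")
```

The hash rule catches the samples listed on this page, but the path rule is what keeps the check useful once the hashes rotate: a signed driver loading from a user-writable directory is the BYOVD pattern itself, not one particular build of it. In a real deployment the input would be Sysmon or EDR telemetry rather than the constructed lines above.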


Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware
Adversary: DeadLock
Pulse Id: 693940b7880240f017419d5c
Threat Score: null

Indicators of Compromise

CVE

Value
CVE-2024-51324

Hash

Value                                                              Description
ced47b89212f3260ebeb41682a4b95ec                                   MD5 of 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
148c0cde4f2ef807aea77d7368f00f4c519f47ef                           SHA1 of 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
2d89fb7455ff3ebf6b965d8b1113857607f7fbda4c752ccb591dbc1dc14ba0da
3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3
3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612
47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce

Threat ID: 693945e8681246c13df0864c

Added to database: 12/10/2025, 10:05:28 AM

Last enriched: 12/10/2025, 10:21:18 AM

Last updated: 12/10/2025, 12:04:41 PM

Views: 6
