DeadLock’s ransom note file | Image: Cisco Talos
A financially motivated threat group is deploying a new ransomware strain known as “DeadLock,” using “Bring Your Own Vulnerable Driver” (BYOVD) techniques to neutralize endpoint defenses before encrypting victims’ systems. A new report from Cisco Talos reveals that the attackers load a legitimate but vulnerable Baidu Antivirus driver in order to terminate security software from kernel mode.
The attack chain is notable for its brazen use of a known vulnerability to bypass modern security controls. The threat actor deploys a loader, named EDRGay.exe, alongside a legitimate driver file, BdApiUtil.sys, which they renamed to DriverGay.sys. Renaming the file changes nothing about the signed, vulnerable code inside it, which is why driver blocklists keyed on file hashes and signing certificates catch this where filename-based checks do not.
This driver contains a critical flaw (CVE-2024-51324) that allows unprivileged users to execute commands with kernel privileges. As the report explains, “This Improper Privilege Management vulnerability exposes a critical function in the driver program that allows unprivileged users to terminate any process on the system at the kernel level”.
By exploiting this, the attackers can instantly kill antivirus and Endpoint Detection and Response (EDR) processes that would otherwise block the ransomware. The practical countermeasures are Microsoft’s vulnerable driver blocklist, enforced through HVCI or a WDAC policy, and alerting on any kernel driver loaded from a user-writable path.
Once the defenses are down, the attackers run a comprehensive PowerShell script designed to cripple the system’s recovery capabilities. The script bypasses User Account Control (UAC), disables Windows Defender, and aggressively terminates critical services including Veeam, SQL Server, and Sophos.
“The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery”.
To ensure the victim cannot simply restore their data, the script executes commands to “delete all volume shadow copy snapshots, eliminating the victim’s ability to recover the system”.
The ransomware payload itself is a sophisticated C++ binary compiled as recently as July 2025. Unlike many modern ransomware gangs that rely on standard encryption libraries, DeadLock uses a bespoke approach.
“The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files”. This custom method lets it move quickly while avoiding detection by tools that look for the constants of standard cryptographic libraries. It cuts both ways for the attacker, though: a bespoke cipher is unvetted, and a key derived from a timestamp is only as strong as the uncertainty about that timestamp, so how the time value is mixed with other secret material decides whether encrypted files can be recovered without paying.
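To make that caveat concrete, here is an added toy in Python. It is not DeadLock’s cipher (the report summary above does not specify the algorithm) and not code from Talos: it assumes the worst case for the attacker, a keystream generator seeded with nothing but a 32-bit Unix timestamp, uses xorshift32 as the stand-in generator, and shows that one known file header is enough to recover the seed by trying every second in a window around the encrypted file’s modification time. The PNG signature, the sample file body, the seed value and the two-hour window are all constructed for the example.

```python
import math

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG: a free known plaintext
SEED = 1752000000                # assumed encryption time, an arbitrary July 2025 epoch
# Constructed sample file (not a real image); only the header needs to be known.
SAMPLE_FILE = PNG_SIG + b"constructed sample body; not a real image" * 4


def keystream(seed: int, n: int) -> bytes:
    """Toy keystream: xorshift32 seeded from the timestamp (assumed, not DeadLock's)."""
    x = (seed & 0xFFFFFFFF) or 1      # xorshift must not start from 0
    out = bytearray()
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


def encrypt(seed: int, data: bytes) -> bytes:
    """XOR the data with the keystream derived from the timestamp seed."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


decrypt = encrypt   # an XOR stream cipher is its own inverse


def recover_seed(ciphertext: bytes, known_prefix: bytes, t_lo: int, t_hi: int):
    """Brute-force every candidate timestamp in [t_lo, t_hi) against a known header.

    8 header bytes give 64 bits of check against a 32-bit seed, so a false match
    inside a realistic window is negligible.
    """
    head = ciphertext[:len(known_prefix)]
    for t in range(t_lo, t_hi):
        if decrypt(t, head) == known_prefix:
            return t
    return None


def seed_space_bits(window_seconds: int) -> float:
    """Effective key entropy when the key is a timestamp known to within a window."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    ct = encrypt(SEED, SAMPLE_FILE)
    # The encrypted file's mtime pins the encryption time; assume two hours of slack each way.
    found = recover_seed(ct, PNG_SIG, SEED - 7200, SEED + 7200)
    print("recovered seed:", found, "effective key bits:", round(seed_space_bits(14400), 1))
    assert decrypt(found, ct) == SAMPLE_FILE
```

The point is the entropy arithmetic, not the particular generator: a four-hour window is under 14 bits of key, and even a whole year of uncertainty is about 25 bits, both trivially searchable. Whether a real sample is recoverable this way depends on what else goes into its key, which is exactly the detail worth extracting from the binary.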
Interestingly, the group breaks from the current trend of “double extortion.” “Unlike other ransomware actors, this threat actor does not operate a data leak site”. Instead, they direct victims to contact them via the encrypted Session messenger app to negotiate payment in Bitcoin or Monero.
Investigation into the attacks revealed that the actors often dwell in the network for days before striking. They establish persistence by silently installing the remote desktop tool AnyDesk.
“This action was likely taken to establish persistent, remote access,” the report notes, detailing how the attackers used specific command-line arguments to install the software silently and disable updates.
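The observables the article lists (a driver loaded from a user-writable path, the shadow-copy deletion and Defender tampering in the PowerShell script, the stopped backup, database and security services, and the silent AnyDesk install) all surface in process-creation and driver-load telemetry. The following is an added detection sketch in Python, not code from Talos, run over constructed Sysmon-style events. The signer string, the service names, the paths and the AnyDesk switches (--install, --silent, --update-disabled, assumed from AnyDesk’s documented installer options) are assumptions, since the report’s exact command lines are not reproduced on this page.

```python
import re

# Constructed sample telemetry in Sysmon-style field names (Event ID 6 driver
# loads, Event ID 1 process creations). None of this is real log data; the
# signer string and the AnyDesk switches are assumptions, not from the report.
SAMPLE_EVENTS = [
    {"kind": "driver_load", "ImageLoaded": r"C:\Users\Public\DriverGay.sys",
     "Signed": "true", "Signature": "Baidu (assumed signer name)"},
    {"kind": "process_create",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ('powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
                     'Stop-Service VeeamBackupSvc -Force; Stop-Service MSSQLSERVER -Force; '
                     'vssadmin delete shadows /all /quiet"')},
    {"kind": "process_create", "Image": r"C:\Users\Public\AnyDesk.exe",
     "CommandLine": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --silent --start-with-win --update-disabled'},
    {"kind": "process_create", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},   # benign control: must not fire
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\.delete\(",
    re.I)
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)", re.I)
SERVICE_STOP = re.compile(r'(?:Stop-Service|net\s+stop|sc(?:\.exe)?\s+stop)\s+"?([\w$.-]+)', re.I)
TARGET_SERVICE_KEYWORDS = ("veeam", "sql", "sophos")   # backup, database, security
ANYDESK_INSTALL = re.compile(r"anydesk\S*\.exe.*--install\b", re.I)


def check_event(ev):
    """Return (rule, evidence) pairs triggered by one event."""
    hits = []
    if ev["kind"] == "driver_load":
        # Legitimate drivers live under %SystemRoot%; a signed driver loaded from a
        # user-writable directory is the classic BYOVD tell, whatever its filename.
        if not WINDOWS_DIR.match(ev["ImageLoaded"]):
            hits.append(("byovd_driver_outside_windows_dir", ev["ImageLoaded"]))
        return hits
    cmd = ev.get("CommandLine", "")
    if SHADOW_DELETE.search(cmd):
        hits.append(("shadow_copy_deletion", cmd))
    if DEFENDER_TAMPER.search(cmd):
        hits.append(("defender_tamper", cmd))
    stopped = [s for s in SERVICE_STOP.findall(cmd)
               if any(k in s.lower() for k in TARGET_SERVICE_KEYWORDS)]
    if stopped:
        hits.append(("targeted_service_stop", ", ".join(stopped)))
    low = cmd.lower()
    if ANYDESK_INSTALL.search(cmd) and ("--silent" in low or "--update-disabled" in low):
        hits.append(("anydesk_silent_install", cmd))
    return hits


def analyze(events):
    """Run every rule over every event and collect the hits in order."""
    return [hit for ev in events for hit in check_event(ev)]


STAGE = {"byovd_driver_outside_windows_dir": "defense_evasion",
         "defender_tamper": "defense_evasion",
         "targeted_service_stop": "inhibit_recovery",
         "shadow_copy_deletion": "inhibit_recovery",
         "anydesk_silent_install": "persistence"}


def stages(findings):
    return {STAGE[rule] for rule, _ in findings}


def matches_deadlock_chain(findings):
    """Defense evasion plus recovery inhibition is the core of the chain; either
    alone is noisy, both together on one host deserve an incident."""
    return {"defense_evasion", "inhibit_recovery"} <= stages(findings)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{rule:36} {evidence[:70]}")
    print("DeadLock-like chain:", matches_deadlock_chain(found))
```

Run with python3 it prints each rule hit and whether the two core stages co-occur. In production the same logic belongs in a SIEM rule keyed on Sysmon Event ID 6 (driver load) and Event ID 1 or Security 4688 (process creation), with the hash and signer of the loaded driver compared against a vulnerable-driver list rather than its filename, since the renaming described above defeats filename matches by design.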