A new set of tactics linked to a financially motivated threat actor deploying DeadLock ransomware has been observed by cybersecurity researchers.
Detailed in the latest analysis from Cisco Talos, published today, the campaign used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools and pave the way for full system compromise.
The actor combined privilege-escalation scripts, registry modifications, remote access tools (RATs) and a custom encryption routine to disrupt business operations while preserving system stability.
BYOVD Attack Enables Security Bypass
Talos reported that the attacker exploited a flaw in a Baidu Antivirus driver, tracked as CVE-2024-51324, to terminate security processes.
A custom loader started the vulnerable driver, located the targeted endpoint detection services, then issued kernel-level commands to kill them. After this, a PowerShell script escalated privileges, shut down security and backup services, and erased all shadow copies to remove recovery paths.
The actor also deployed several reconnaissance and lateral movement commands, enabling remote access through Remote Desktop Protocol (RDP) connections and a stealthy AnyDesk installation.
According to Talos, the DeadLock payload was compiled in July 2025 and written in C++. Once executed, it dropped an embedded batch script to set up the environment, then injected itself into rundll32.exe via process hollowing.
Its configuration data spanned 8888 bytes and defined timing parameters, exclusion lists, service and process kill lists, and a ransom note.
Notably, the ransomware used a custom stream cipher to encrypt files. It generated time-based keys, processed file contents in memory and appended “.dlock” to encrypted files. Additionally, it waited roughly 50 seconds to evade sandbox detection before launching encryption.
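The behaviours described above can be turned into a simple host-scoring check. The following is an added example, not Talos's code, run over constructed telemetry records; the shadow-copy command line, the service name and the AnyDesk install flag are assumptions, since the article names none of them.

```python
import re
from collections import defaultdict

# Constructed telemetry, one "host | source | detail" record per line (not real logs).
SAMPLE_LOG = """\
host01 | process | powershell.exe -c vssadmin delete shadows /all /quiet
host01 | service | stop requested for BackupAgentSvc (assumed backup service name)
host01 | process | rundll32.exe started by loader.exe with empty command line
host01 | file | C:\\Users\\jdoe\\Q3.docx renamed to Q3.docx.dlock
host02 | process | AnyDesk.exe --install (assumed silent-install flag)
host02 | process | net view /domain
host03 | file | C:\\Data\\budget.xlsx renamed to budget.xlsx.dlock
host04 | process | rundll32.exe shell32.dll,Control_RunDLL
"""

# Each indicator maps to a behaviour the Talos write-up attributes to the intrusion.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows|shadowcopy\s+delete", re.I),
    "backup_or_security_service_stop": re.compile(r"stop requested .*(backup|security|defend|antivirus)", re.I),
    "rundll32_without_arguments": re.compile(r"rundll32\.exe .*empty command line", re.I),
    "anydesk_install": re.compile(r"anydesk\.exe\s+--install", re.I),
    "dlock_extension": re.compile(r"\.dlock\b", re.I),
}

def indicators_per_host(log_text):
    """Return {host: set(indicator names)} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # malformed record: skip it rather than abort the scan
        host, _source, detail = parts
        for name, pattern in INDICATORS.items():
            if pattern.search(detail):
                hits[host].add(name)
    return dict(hits)

def flagged_hosts(log_text):
    """Flag a host on the .dlock marker alone (encryption already happened) or on
    two or more earlier-stage behaviours, so the chain is caught before files change."""
    return sorted(host for host, names in indicators_per_host(log_text).items()
                  if "dlock_extension" in names or len(names) >= 2)
```

A legitimate rundll32 invocation with real arguments (host04) is deliberately not matched, which is what keeps the argument-less check from being noisy.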
System Impact and Security Advice
The DeadLock infection targeted a broad range of applications and services, including databases, backup software and endpoint protection suites. At the same time, it avoided core Windows directories and critical system files so the machine would remain functional for ransom negotiations.
Talos found that the ransomware also replaced icons for encrypted files, altered wallpaper and disabled command-line tools.
“The ransom note also describes the acceptance of ransom payment in Bitcoin or Monero and indicates warnings against file renaming or third-party decryption attempts,” wrote Talos.
Victims received a detailed ransom note promising “military-grade encryption,” outlining a six-step recovery process and offering payment via Bitcoin or Monero. Communication occurred exclusively through Session Messenger.
“Session [was] their primary communication platform, leveraging its end-to-end encryption [E2EE] and anonymity features to evade law enforcement surveillance while maintaining victim contact through the session ID,” Cisco Talos explained.
To defend against similar threats, security experts recommend maintaining strong endpoint protection, enforcing multi-factor authentication (MFA) and keeping regular offline backups.
