
Redazione RHC : 11 December 2025 12:44
Cisco Talos has identified a new ransomware campaign called DeadLock: the attackers exploit a vulnerable Baidu antivirus driver (CVE-2024-51324) to disable EDR products using the Bring Your Own Vulnerable Driver (BYOVD) technique. The group does not operate a data leak site and communicates with victims via Session Messenger.
According to Talos, the attacks are carried out by a financially motivated operator who gains access to the victim's infrastructure at least five days before encryption and gradually prepares the environment for the DeadLock deployment.
One of the key elements of the chain is BYOVD: the attackers themselves bring a legitimate but vulnerable Baidu Antivirus driver, BdApiUtil.sys, renamed to DriverGay.sys, together with their own user-mode loader, EDRGay.exe. The loader installs the driver, opens a handle to it with CreateFile(), and begins enumerating running processes looking for antivirus and EDR solutions.
Next comes the exploitation of CVE-2024-51324, an improper privilege management flaw in the driver. The loader issues a DeviceIoControl() request to the driver with IOCTL code 0x800024b4 and the PID of the target process.
On the kernel side, the driver treats this request as a process termination order but, because of the vulnerability, never checks whether the caller is entitled to terminate that process. Running with kernel privileges, the driver simply calls ZwTerminateProcess(), the security service dies immediately, and the way is clear for the rest of the attack. Because the driver carries a valid signature, code-signing checks alone will not stop it: defenders have to block known vulnerable drivers by hash and watch for loads of drivers whose file name does not match the product they belong to.
Before launching the ransomware, the operator runs a preparatory PowerShell script on the victim's computer. It first checks the current user's privileges and, if needed, relaunches itself with administrative rights via RunAs, getting past UAC and loosening the default PowerShell execution restrictions.
Once it has administrator privileges, the script disables Windows Defender and other security tools, then stops and disables backup services, databases, and other software that could interfere with encryption. It also deletes all Volume Shadow Copy snapshots, depriving the victim of the standard recovery path, and finally deletes itself to complicate forensic analysis.
The script also carries a detailed exception list of system-critical services: network services (WinRM, DNS, DHCP), authentication components (KDC, Netlogon, LSM), and core Windows components (RPCSS, Plug and Play, System Event Log).
This lets the attackers disable as many security and application components as possible without crashing the whole system, so that the victim can still read the ransom note, contact the operators, and pay.
Talos noted that some sections of the script, covering the deletion of network shares and alternative ways of stopping processes, were commented out, suggesting that the authors keep them as options for specific situations. The script also loads part of its exception list dynamically from an external run[.]txt file.
Telemetry shows the attackers entering the victim's network with compromised legitimate accounts. After initial access they set up persistent remote access: with reg add they set the fDenyTSConnections registry value to 0 to enable RDP, with netsh advfirewall they add a rule opening TCP port 3389, and they set the RemoteRegistry service to start on demand and start it, enabling remote registry management.
On the day before encryption, the operator installs a fresh instance of AnyDesk on one of the machines, even though other AnyDesk installations already exist in the infrastructure, which makes this particular deployment suspicious.
AnyDesk is deployed silently, configured to start with Windows, with an unattended-access password set and updates disabled so that they cannot interrupt the attackers' sessions. Active reconnaissance and lateral movement then begin: nltest to find the domain controllers and the domain structure, net localgroup and net group /domain to enumerate privileged groups, ping and quser to check host availability and logged-on users, and finally mstsc and mmc compmgmt.msc to reach other hosts over RDP or through the Computer Management snap-in.
Probable access to internal web resources shows up as iexplore.exe being launched with internal IP addresses as arguments.
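The intrusion steps above (the renamed driver load and the EDR-killing loader, the RDP and RemoteRegistry enablement, the shadow copy deletion, the silent AnyDesk install and the discovery commands) are individually noisy but, seen together on one host inside a few days, are the whole DeadLock pre-encryption chain. The following is an added example in Python, not code from Talos, from the page or from the operators: it scores constructed Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records per host against those stages. The signer string for BdApiUtil.sys, the hostnames, the file paths and the exact syntax of the attacker command lines are assumptions made for illustration; the stage weights are arbitrary.

```python
"""Per-host stage scoring for the DeadLock intrusion chain.

Added example, not Talos's or the page's code. Events are constructed to
resemble Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate);
hostnames, paths, the signer string and the attacker command lines are
assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    event_id: int           # Sysmon numbering: 6 = DriverLoad, 1 = ProcessCreate
    image: str = ""         # ImageLoaded (ID 6) or Image (ID 1)
    signature: str = ""     # signer name as Sysmon reports it (ID 6 only)
    command_line: str = ""  # CommandLine (ID 1 only)


# File name of the vulnerable driver -> pattern over its signer.
# Assumption: BdApiUtil.sys is signed by Baidu; the article only calls it a
# Baidu antivirus driver. Sysmon ID 6 reports the signer but not the original
# file name, so a Baidu-signed driver under another name is the rename tell.
KNOWN_VULN_DRIVERS = {"bdapiutil.sys": re.compile(r"baidu", re.I)}

# (stage, pattern over CommandLine, weight). Weights are arbitrary choices.
STAGES = [
    ("edr_kill_loader", re.compile(r"\bEDRGay\.exe\b", re.I), 5),
    ("enable_rdp", re.compile(r"reg\s+add.*fDenyTSConnections.*/d\s+0(\s|$)", re.I), 2),
    ("open_3389", re.compile(r"netsh\s+advfirewall.*localport=3389", re.I), 2),
    ("remote_registry", re.compile(r"\bsc\s+(?:config|start)\s+RemoteRegistry", re.I), 1),
    ("shadow_delete", re.compile(r"vssadmin.*delete\s+shadows", re.I), 4),
    ("anydesk_silent", re.compile(r"anydesk.*--install.*--silent", re.I), 2),
    ("dc_discovery", re.compile(r"nltest\s+/dclist", re.I), 1),
    ("priv_group_enum", re.compile(r'net\s+(?:local)?group\s+"?Domain Admins', re.I), 1),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: Event):
    """Return a finding for a suspicious driver load, or None."""
    if ev.event_id != 6:
        return None
    name = basename(ev.image)
    for known, signer in KNOWN_VULN_DRIVERS.items():
        if name == known:
            return f"known vulnerable driver {known} loaded"
        if signer.search(ev.signature):
            return f"{name} carries the signer of {known}: probable renamed BYOVD driver"
    return None


def match_stages(cmdline: str):
    """All (stage, weight) pairs whose pattern matches the command line."""
    return [(stage, weight) for stage, rx, weight in STAGES if rx.search(cmdline)]


def score_hosts(events, alert_at: int = 8):
    """Aggregate distinct stages per host; alert once their summed weight reaches alert_at.

    A stage counts once per host however often it repeats, so a noisy
    discovery loop cannot push a host over the threshold on its own.
    """
    per_host = defaultdict(dict)  # host -> {stage: weight}
    for ev in events:
        if check_driver_load(ev):
            per_host[ev.host]["byovd_driver_load"] = 5
        if ev.event_id == 1:
            for stage, weight in match_stages(ev.command_line):
                per_host[ev.host][stage] = weight
    return {
        host: {"score": sum(s.values()), "stages": sorted(s), "alert": sum(s.values()) >= alert_at}
        for host, s in per_host.items()
    }


# Constructed telemetry, not real logs. WS01 shows the chain; SRV02 is an admin
# running one discovery command and an unrelated reg add.
SAMPLE_EVENTS = [
    Event("WS01", 6, r"C:\Users\Public\DriverGay.sys", "Beijing Baidu Netcom Science Technology Co.,Ltd."),
    Event("WS01", 1, r"C:\Users\Public\EDRGay.exe", command_line="EDRGay.exe"),
    Event("WS01", 1, r"C:\Windows\System32\reg.exe", command_line=(
        r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
        r"/v fDenyTSConnections /t REG_DWORD /d 0 /f")),
    Event("WS01", 1, r"C:\Windows\System32\netsh.exe", command_line=(
        'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
        "action=allow protocol=TCP localport=3389")),
    Event("WS01", 1, r"C:\Windows\System32\sc.exe", command_line="sc config RemoteRegistry start= demand"),
    Event("WS01", 1, r"C:\Windows\System32\vssadmin.exe", command_line="vssadmin delete shadows /all /quiet"),
    Event("WS01", 1, r"C:\Users\Public\AnyDesk.exe", command_line=(
        r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent')),
    Event("SRV02", 1, r"C:\Windows\System32\nltest.exe", command_line="nltest /dclist:corp.local"),
    Event("SRV02", 1, r"C:\Windows\System32\reg.exe", command_line=r"reg add HKLM\Software\Contoso /v Build /t REG_SZ /d 42 /f"),
]

if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result)
```

Run as-is and WS01 scores 21 with all seven stages and alerts, while SRV02 stays at 1. Two caveats for real deployment: the renamed-driver check depends on Sysmon populating the Signature field, and on a host where Baidu Antivirus is genuinely installed the "known vulnerable driver loaded" finding still fires, which is correct (the driver is exploitable either way) but needs a different response than a driver dropped into a user-writable directory under a new name.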