New DeadLock Ransomware Uses Antivirus Flaw to Kill Security Tools


According to Infosecurity Magazine, Cisco Talos has detailed a new, financially motivated DeadLock ransomware campaign that uses advanced techniques to evade security controls. The attackers used a Bring Your Own Vulnerable Driver (BYOVD) method, exploiting a flaw in a Baidu Antivirus driver tracked as CVE-2024-51324 to terminate endpoint detection processes from the kernel. A custom loader loaded the driver, a PowerShell script then escalated privileges and wiped backup shadow copies, and the actor deployed remote access tools such as AnyDesk for persistence. The ransomware payload itself, compiled in July 2025 and written in C++, used process hollowing and a custom stream cipher, appending “.dlock” to encrypted files while avoiding critical system files. Victims received a ransom note via Session Messenger demanding payment in Bitcoin or Monero and warning against using third-party decryption tools.


BYOVD is the new normal

Here’s the thing: the BYOVD tactic isn’t new, but its use by a ransomware group like this signals a worrying maturation. It’s no longer just about finding a hole in the victim’s defenses. Now they bring their own legitimately signed driver and use its flaw to blow a hole right through them: the driver loads because the operating system trusts its signature, and the vulnerability then lets the attacker’s userland loader perform kernel-level actions, such as terminating protected processes, that it could never perform on its own. Exploiting a flaw in an antivirus driver? That’s a brutal irony. It shows these groups are meticulously studying the very tools meant to stop them, looking for any component, even a security one, that can be weaponized. This moves the battle from userland straight into the kernel, where security tools have little recourse. Basically, once attacker-controlled code is executing with kernel privileges, it’s game over for most endpoint protection running on that machine.

The operational sophistication

Look beyond the encryption and you see a full-scale IT takeover playbook. Killing backup services and shadow copies? Standard procedure now. But the combination of RDP manipulation, stealthy AnyDesk installation, and the use of Session Messenger for communications shows a group focused on operational security and persistence. They want to maintain access, move laterally, and communicate anonymously. Using Session, with its end-to-end encryption and focus on anonymity, is a clear step up from the traditional Tox or Telegram channels. It’s a calculated choice to evade law enforcement surveillance during the negotiation phase. So what you have is a double-barreled threat: immediate data destruction for extortion, and a lingering foothold in the network for potential future attacks or data theft.

What it means for defense

The standard advice (MFA, backups, endpoint protection) still stands, but it’s clearly not enough, and this attack proves it. When the threat model includes a trusted, signed driver being used to kill your security stack, you need deeper defenses. Think about application allowlisting, where only approved drivers can load. The caveat is that signature checks alone won’t save you: a BYOVD driver is validly signed, so the policy has to decide on specific driver identity (hash, or publisher plus version) rather than on whether the file is signed at all, which is what Windows Defender Application Control policies and Microsoft’s vulnerable driver blocklist are built to do. Consider managed detection and response (MDR) services that can spot anomalous behavior like driver loads from unusual paths and process terminations from unusual parents, and treat a new driver load followed shortly by the exit of an endpoint-protection process as one high-priority signal rather than two unrelated events. And those offline backups? They’re more critical than ever, but you also need to ensure the backup infrastructure itself isn’t in the crosshairs, because this ransomware explicitly targeted it. In industrial and manufacturing settings, where operational stability is paramount, this kind of attack that preserves system function while locking data is a nightmare.
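As an added illustration of the detection idea above (this is not code from Talos, Infosecurity Magazine or the article), here is a small Python script that applies a driver allowlist to Sysmon-style DriverLoad (Event ID 6) records and correlates any unapproved load with an endpoint-protection process exit (Event ID 5) within a short window. The pipe-and-semicolon event format, the hashes, driver paths, signer names and process names are constructed assumptions, not indicators from the report.

```python
from datetime import datetime, timedelta

# Allowlist of driver SHA256 hashes permitted to load (hypothetical, constructed values);
# in production this comes from the WDAC/allowlisting policy, not a script constant.
APPROVED_DRIVER_HASHES = {"1111aaaa": "disk.sys"}
# Endpoint-protection processes whose exit right after an unapproved driver load
# matches the BYOVD kill pattern (example names, not taken from the report).
SECURITY_PROCESSES = {"MsMpEng.exe", "SenseIR.exe"}
KILL_WINDOW = timedelta(minutes=2)

def parse_event(line):
    """Parse a constructed Sysmon-style record: '<ISO time>|<event id>|k=v;k=v'."""
    ts, eid, fields = line.split("|", 2)
    rec = dict(kv.split("=", 1) for kv in fields.split(";"))
    rec["time"], rec["eid"] = datetime.fromisoformat(ts), int(eid)
    return rec

def detect(lines):
    """Return alert strings for unapproved driver loads (EID 6) and for
    security-process terminations (EID 5) that follow one within KILL_WINDOW."""
    alerts, suspect_loads = [], []
    for rec in map(parse_event, lines):
        if rec["eid"] == 6:
            sha256 = rec["Hashes"].split("=", 1)[1]          # "SHA256=<hex>" -> "<hex>"
            # Decide on the allowlist, not on the signature: a BYOVD driver is validly signed.
            if sha256 not in APPROVED_DRIVER_HASHES:
                suspect_loads.append(rec)
                alerts.append(f"unapproved driver load: {rec['ImageLoaded']} "
                              f"(signer={rec['Signature']}, status={rec['SignatureStatus']})")
        elif rec["eid"] == 5 and rec["Image"].rsplit("\\", 1)[-1] in SECURITY_PROCESSES:
            for drv in suspect_loads:
                if timedelta(0) <= rec["time"] - drv["time"] <= KILL_WINDOW:
                    alerts.append(f"possible BYOVD kill: {rec['Image']} terminated "
                                  f"{(rec['time'] - drv['time']).seconds}s after {drv['ImageLoaded']}")
                    break
    return alerts

# Constructed sample events: a benign Microsoft driver load, then a validly signed
# third-party driver from a user-writable path followed by a Defender process exiting.
SAMPLE_EVENTS = [
    "2025-08-01T10:00:00|6|ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys;Hashes=SHA256=1111aaaa;Signed=true;Signature=Microsoft Windows;SignatureStatus=Valid",
    "2025-08-01T10:05:00|6|ImageLoaded=C:\\Users\\Public\\av_helper.sys;Hashes=SHA256=2222bbbb;Signed=true;Signature=Example AV Vendor;SignatureStatus=Valid",
    "2025-08-01T10:05:30|5|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe;ProcessId=1234",
    "2025-08-01T11:00:00|5|Image=C:\\Windows\\explorer.exe;ProcessId=5678",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that a kernel-mode kill performed by the driver leaves no userland ProcessAccess trail, which is why the correlation keys on the driver load itself rather than on who opened the handle.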

The bigger picture

Where does this leave us? It feels like we’re in an escalation cycle with no obvious end. Ransomware groups are operating with the precision and tooling of state-sponsored actors. They’re patient, they’re leveraging legitimate software flaws, and they’re building entire operational workflows around anonymity. The fact that this payload was compiled for a future date (July 2025) also hints at planned, long-term campaigns. I think we’ll see more of this BYOVD approach, especially as software vendors patch more common exploits. The low-hanging fruit is gone, so attackers are going deeper, aiming for the core components of the system itself. The question isn’t if another group will copy this playbook, but when. And how many organizations are truly ready for a kernel-level assault on their security tools? Probably not enough.
