Date: 12/11/2025
Severity: Medium
Summary
A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD (bring-your-own-vulnerable-driver) loader that exploits CVE-2024-51324, a vulnerability in a Baidu Antivirus driver, to disable EDR protections. The attack chain also uses a PowerShell script to bypass UAC, disable Windows Defender, terminate security and backup services, and delete shadow copies to block recovery. DeadLock ransomware encrypts files with a custom stream cipher using time-based keys, which allows efficient, selective file encryption, and applies anti-forensics techniques that avoid corrupting the system while hindering restoration efforts.
Indicators of Compromise (IOC) List
SHA-256 hashes:
2D89FB7455FF3EBF6B965D8B1113857607F7FBDA4C752CCB591DBC1DC14BA0DA
47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428
be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce
3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612
3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: sha256hash IN ("2D89FB7455FF3EBF6B965D8B1113857607F7FBDA4C752CCB591DBC1DC14BA0DA","47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428","3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612","be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce","3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3")
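As an added example (not from the advisory and not Gurucul's own code), the following Python performs the same hash-set match as the query above over constructed sample events. It lower-cases both sides because the published IOCs mix upper- and lower-case hex, so a case-sensitive comparison would silently miss hits; the field name sha256hash is taken from the query, while the event record format is an assumption.

```python
import re

# The five SHA-256 hashes from the advisory's IOC list, copied verbatim (mixed case as published).
DEADLOCK_IOC_HASHES = [
    "2D89FB7455FF3EBF6B965D8B1113857607F7FBDA4C752CCB591DBC1DC14BA0DA",
    "47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428",
    "be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce",
    "3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612",
    "3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Strip and lower-case a hash; return None if it is not a 64-hex-digit SHA-256."""
    if value is None:
        return None
    candidate = str(value).strip().lower()
    return candidate if SHA256_RE.match(candidate) else None


def build_ioc_set(hashes):
    """Normalize the IOC list once so every later comparison is case-insensitive."""
    normalized = {normalize_sha256(h) for h in hashes}
    normalized.discard(None)  # drop anything that was not a well-formed hash
    return normalized


def match_events(events, ioc_set, field="sha256hash"):
    """Return the events whose hash field is in the IOC set (the IN query from the advisory)."""
    hits = []
    for event in events:
        digest = normalize_sha256(event.get(field))
        if digest in ioc_set:
            hits.append(event)
    return hits


# Constructed sample telemetry (assumed record layout, not from the advisory): one IOC in
# lower case, one IOC in upper case, one unrelated hash, and one malformed value.
SAMPLE_EVENTS = [
    {"host": "ws-01", "sha256hash": DEADLOCK_IOC_HASHES[0].lower()},
    {"host": "ws-02", "sha256hash": DEADLOCK_IOC_HASHES[2].upper()},
    {"host": "ws-03", "sha256hash": "0" * 64},
    {"host": "ws-04", "sha256hash": "not-a-hash"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, build_ioc_set(DEADLOCK_IOC_HASHES)):
        print(hit["host"], hit["sha256hash"])
```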
Reference:
https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/