
[KC] DeadLock Ransomware Attack #57

@pampalini0909

Description

Context:

While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware.
The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes.
The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery.
The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files.
This custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques, which complicate recovery.

MITRE ATT&CK Mapping

[Image: MITRE ATT&CK mapping for the DeadLock intrusion chain; not reproduced in this text version]

References

https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/
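As an added example (editor's code, not from the Talos report or this issue), the script below flags the pre-encryption behaviours listed in the Context section, Defender disablement, security/backup/database service termination and shadow copy deletion, in constructed Sysmon-style process-creation events, and reports hosts where several of them fire together. The command patterns are common indicators assumed by the editor, not commands quoted from the page, and the ATT&CK technique IDs are the editor's own mapping.

```python
import re
from collections import defaultdict

# Command-line patterns for the behaviours described in the issue. The ATT&CK IDs
# are the editor's mapping (the issue's mapping image is not reproduced here) and
# the patterns are common indicators, not commands quoted from the Talos report.
RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490", "volume shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490", "volume shadow copy deletion"),
    (re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I), "T1562.001", "Windows Defender disabled"),
    (re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I), "T1489", "service stopped"),
]

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"host": "WS01", "ts": "2025-01-10T08:00:01", "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "ts": "2025-01-10T08:00:05", "cmdline": "net stop MSSQLSERVER"},
    {"host": "WS01", "ts": "2025-01-10T08:00:09", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": "2025-01-10T08:01:00", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"host": "WS02", "ts": "2025-01-10T09:00:00", "cmdline": "sc stop Spooler"},
]

def detect(events):
    """Return one finding per (event, matching rule): (host, ts, technique, description)."""
    findings = []
    for ev in events:
        for pattern, technique, desc in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append((ev["host"], ev["ts"], technique, desc))
    return findings

def chain_hosts(findings, min_techniques=3):
    """Hosts on which at least `min_techniques` distinct techniques fired.
    A lone service stop is routine admin work; defence impairment plus service
    termination plus recovery inhibition together match the pre-encryption stage."""
    per_host = defaultdict(set)
    for host, _ts, technique, _desc in findings:
        per_host[host].add(technique)
    return sorted(h for h, techs in per_host.items() if len(techs) >= min_techniques)

if __name__ == "__main__":
    found = detect(EVENTS)
    for finding in found:
        print(finding)
    print("hosts matching the pre-encryption chain:", chain_hosts(found))
```

Running it lists four findings (three on WS01, one on WS02) and reports only WS01 as matching the chain, since WS02's single service stop is not enough on its own.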
