DeadLock Ransomware Uses New “BYOVD” Method to Disable EDR

Researchers have revealed that a financially motivated threat actor deploying DeadLock ransomware has adopted a sophisticated Bring Your Own Vulnerable Driver (BYOVD) tactic to bypass and disable endpoint detection and response (EDR) mechanisms.

Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload.

The attack relied on “BdApiUtil.sys”, a legitimate Baidu Antivirus driver containing an Improper Privilege Management vulnerability, CVE-2024-51324, which the actor disguised under the file name “DriverGay.sys”. The vulnerability exposes a driver function that lets unprivileged users terminate any process on the system at the kernel level, which is what makes it useful for killing EDR processes.

Commenting on this is Borja Rodriguez, Manager of Threat Intelligence Operations at Outpost24:

“This technique is not new. It follows a pattern we have seen for many years. The concept of abusing signed drivers is old. Drivers have long been a privileged entry point to the kernel (and thus attractive for attackers). But such abuses often occurred under vague names (“rootkits,” “driver exploitation,” “kernel-mode malware”) that weren’t necessarily documented under a unified label like “BYOVD.”

Campaigns like InvisiMole and Slingshot APT (both reported in 2018) already used similar methods, taking advantage of vulnerable or malicious drivers to gain high privileges, hide activity, and bypass security tools. These cases showed early examples of what we now call BYOVD attacks.

In the ransomware world, this isn’t new either. Groups such as Cuba Ransomware have already used BYOVD techniques to disable security products by loading vulnerable drivers and terminating protection processes. The technique itself hasn’t changed much. What has really changed is that attackers have learned how profitable ransomware can be, so they are reusing methods that previously appeared mainly in espionage operations.

Overall, this reflects a simple trend: if a technique works for one threat actor, others will copy it. Just like trends in other industries, proven tactics tend to come back again and again.”

This is one of those cases where everything old is new again. That’s something for defenders to keep in mind as they work to keep their organizations secure.

UPDATE: Ensar Seker, CISO at SOCRadar adds this:

“The use of BYOVD by the DeadLock ransomware group is a stark reminder that ransomware actors are no longer just encrypting files; they’re now going after the very defenses meant to stop them. By leveraging signed but vulnerable drivers to disable EDR, threat actors can effectively go ‘under the radar,’ removing visibility at the precise moment an attack unfolds. This is no longer just a red team tactic; it’s now weaponized in the wild by financially motivated actors. Organizations must harden their driver policies, implement driver blocklists like Microsoft’s recommended vulnerable driver list, and monitor for suspicious driver loads in telemetry. Endpoint protection alone is no longer enough; a layered, adversary-aware defense model is required.”
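The driver-load monitoring Seker describes can be done over Sysmon Event ID 6 (DriverLoad) records, which carry the loaded image path, its hashes and signature status. The script below is an added example, not code from the article, Talos or Outpost24; it assumes Sysmon's field names, uses constructed sample records modelled on the renamed-driver case above, and stands in a clearly labelled placeholder for the real BdApiUtil.sys hash, which the article does not give.

```python
# Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) records.

# Constructed blocklist: SHA256 -> description. The real hash of BdApiUtil.sys is not
# on the page, so a labelled placeholder stands in for it; in practice populate this
# from Microsoft's vulnerable driver blocklist or the vendor advisory.
BLOCKLIST = {"<placeholder-sha256-of-bdapiutil.sys>": "BdApiUtil.sys (CVE-2024-51324)"}

# Directories a legitimately installed driver is normally loaded from (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a dict keyed by algorithm."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {algo.upper(): value.lower() for algo, value in pairs}


def check_driver_load(event):
    """Return the reasons a DriverLoad record looks suspicious (empty list if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    # Renaming the file (BdApiUtil.sys -> DriverGay.sys) does not change its hash.
    if sha256 in BLOCKLIST:
        reasons.append(f"hash matches blocklisted driver {BLOCKLIST[sha256]}")
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("driver loaded from outside the standard driver directories")
    if event.get("SignatureStatus", "") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus') or 'missing'}")
    return reasons


def scan(events):
    """Map every suspicious ImageLoaded path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := check_driver_load(e))}


# Constructed sample records: a normal Microsoft driver, then the vulnerable driver
# loaded under its disguised name from a user-writable directory.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\DriverGay.sys",
     "Hashes": "SHA256=<placeholder-sha256-of-bdapiutil.sys>",
     "Signature": "Baidu (constructed signer string)", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Note that the second record passes the signature check: a valid signature is exactly why BYOVD works, so the hash blocklist and the load path are what catch it here.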
