New BYOVD loader behind DeadLock ransomware attack

Intel Name: New BYOVD loader behind DeadLock ransomware attack

Date of Scan: December 11, 2025

Impact: Medium

Summary:
A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD loader that exploits Baidu Antivirus driver vulnerability CVE-2024-51324 to disable EDR protections. The attack chain also uses a PowerShell script to bypass UAC, disable Windows Defender, terminate security and backup services, and delete shadow copies to block recovery. DeadLock ransomware employs a custom stream-cipher encryption method with time-based keys, enabling efficient, selective file encryption while using anti-forensics techniques to avoid system corruption and hinder restoration efforts.

More Details