EXECUTIVE SUMMARY:
A new ransomware campaign has been observed utilizing a custom loader that leverages a legitimate but vulnerable signed driver affected by CVE-2024-51324 to deploy DeadLock ransomware. The attackers exploit this driver to bypass endpoint defenses, escalate privileges, and prepare systems for encryption. This bring-your-own-vulnerable-driver (BYOVD) technique allows the malware to disable security controls and evade detection, targeting enterprise environments with sophisticated methods that maximize operational disruption.
The attack begins with the deployment of a malicious loader alongside a vulnerable signed driver. The driver contains a privilege escalation flaw that allows kernel-level commands from an unprivileged user, which the loader exploits to terminate security processes and disable antivirus and endpoint detection solutions. Following this, a PowerShell script elevates privileges, disables backup and security services, deletes volume shadow copies, and self-deletes to hinder forensic analysis. DeadLock ransomware is then executed using process hollowing, guided by an embedded configuration that defines cryptographic parameters, target files, exclusion rules, and ransom instructions. The ransomware encrypts files using a custom stream cipher in memory, modifies system settings, and disables utilities to prevent recovery.
The campaign reveals a ransomware strategy that abuses legitimate, signed software components to bypass security defenses. The combination of BYOVD exploitation, privilege escalation, and custom encryption highlights the importance of monitoring driver integrity and third-party software vulnerabilities. Organizations are advised to enforce strict privilege policies, monitor unusual driver activity, maintain robust backups, and employ advanced detection techniques to prevent similar ransomware intrusions.
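As an added example, not code from the report or from any vendor it references, the following Python hunting logic runs over constructed Sysmon-style events (DriverLoad and ProcessCreate records expressed as dicts) and flags the stages the summary describes: a driver loading from outside the system driver directories, shadow-copy deletion and recovery tampering, and a backup service being disabled. It then correlates a suspicious driver load followed by recovery inhibition on the same host. Every hostname, path, timestamp and command line below is constructed; the file name placeholder_driver.sys is a placeholder and not the driver used in the campaign.

```python
"""Hunting logic for the loader -> vulnerable driver -> recovery-inhibition chain.

Events are Sysmon-style dicts: id 6 = DriverLoad, id 1 = ProcessCreate.
All sample data is constructed for this example; none of it is real telemetry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (hostnames, paths and times are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-11-02T09:14:02", "host": "ws-017", "id": 6,
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": True},
    # placeholder_driver.sys stands in for a signed-but-vulnerable driver staged in Temp.
    {"ts": "2024-11-02T09:15:40", "host": "ws-017", "id": 6,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder_driver.sys", "signed": True},
    {"ts": "2024-11-02T09:16:05", "host": "ws-017", "id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "vssadmin delete shadows /all /quiet; '
                'bcdedit /set {default} recoveryenabled no"'},
    {"ts": "2024-11-02T09:16:07", "host": "ws-017", "id": 1,
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc config wbengine start= disabled"},
    {"ts": "2024-11-02T11:30:00", "host": "ws-042", "id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-11-02T11:31:00", "host": "ws-042", "id": 6,
     "image": "C:\\Windows\\System32\\drivers\\ndis.sys", "signed": True},
]

# Directories from which driver loads are expected on a managed Windows host.
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                      "c:\\windows\\system32\\driverstore\\")

# Command-line patterns for Inhibit System Recovery (T1490) behaviour.
RECOVERY_INHIBIT = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490 shadow copy deletion (vssadmin)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490 shadow copy deletion (wmic)"),
    (re.compile(r"win32_shadowcopy", re.I), "T1490 shadow copy access via WMI class"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "T1490 Windows recovery disabled (bcdedit)"),
    (re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I), "T1490 boot status policy tampering"),
]

# Services being stopped or set to disabled (backup and security services in the report).
SERVICE_TAMPER = re.compile(
    r"\bsc(\.exe)?\s+(config|stop|delete)\s+\S+|\bset-service\b.*-startuptype\s+disabled|\bstop-service\b",
    re.I)


def classify(event):
    """Return a list of (label, detail) findings for a single event."""
    findings = []
    if event["id"] == 6:
        image = event["image"].lower()
        if not image.startswith(SYSTEM_DRIVER_DIRS):
            # Signed status does not clear it: BYOVD relies on a valid signature.
            findings.append(("driver load outside system driver directories", event["image"]))
    elif event["id"] == 1:
        cmd = event.get("cmdline", "")
        for pattern, label in RECOVERY_INHIBIT:
            if pattern.search(cmd):
                findings.append((label, cmd))
        if SERVICE_TAMPER.search(cmd):
            findings.append(("service stopped or disabled", cmd))
    return findings


def scan(events):
    """Classify every event; return (timestamp, host, label, detail) rows."""
    rows = []
    for e in events:
        for label, detail in classify(e):
            rows.append((datetime.fromisoformat(e["ts"]), e["host"], label, detail))
    return rows


def correlate(rows, window=timedelta(minutes=30)):
    """Hosts where a suspicious driver load is followed within `window` by any
    T1490 finding, i.e. the driver-then-script ordering the summary describes."""
    hits = set()
    for ts1, host1, label1, _ in rows:
        if not label1.startswith("driver load"):
            continue
        for ts2, host2, label2, _ in rows:
            if host2 == host1 and label2.startswith("T1490") and timedelta(0) <= ts2 - ts1 <= window:
                hits.add(host1)
    return sorted(hits)


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(*row, sep=" | ")
    print("chain suspected on:", correlate(SAMPLE_EVENTS and scan(SAMPLE_EVENTS)))
```

The path heuristic alone is noisy, since legitimate installers occasionally load drivers from temporary directories; in production it should be combined with the hash-based Microsoft vulnerable driver blocklist (enforced through HVCI or WDAC) and an allowlist of drivers your fleet is expected to load. The per-host correlation is what raises the confidence: a driver from a user-writable path followed within minutes by shadow-copy deletion is the sequence this report describes, not ordinary administration.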
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1562.004 | Impair Defenses | Disable or Modify System Firewall |
| Defense Evasion | T1014 | Rootkit | — |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Impact | T1486 | Data Encrypted for Impact | — |
| Impact | T1490 | Inhibit System Recovery | — |
REFERENCES:
The following reports contain further technical details: