Concise Cyber

DeadLock Ransomware Employs BYOVD to Evade Security Measures

The DeadLock ransomware group is actively using a technique known as Bring Your Own Vulnerable Driver (BYOVD) to bypass conventional endpoint security measures. The tactic lets the ransomware run code with kernel-level privileges, circumventing the detection and protection systems that would otherwise stop it.

Understanding BYOVD and DeadLock’s Tactics

DeadLock ransomware leverages a legitimate, signed, but vulnerable driver, specifically a GIGABYTE driver (GDRV.SYS), to achieve its objectives. By bringing its own vulnerable driver, the ransomware can load malicious code into the kernel space, gaining high-level access to the system. This kernel-level access enables DeadLock to disable security processes, including Endpoint Detection and Response (EDR) solutions, making it extremely difficult for security software to detect or stop its operations.

Implications for Endpoint Security

The use of BYOVD by DeadLock highlights a critical challenge for cybersecurity defenses. Traditional endpoint protection relies on detecting known malicious executables or unusual behavior. However, by exploiting a legitimate driver’s vulnerabilities, DeadLock can operate under the guise of trusted software. This advanced evasion tactic necessitates more robust kernel-level monitoring and driver integrity checks to effectively counter such threats.
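The driver integrity check the paragraph above calls for is concrete enough to show. The following added example (not from the article or its source) triages Sysmon Event ID 6 (DriverLoad) records: the record format is a constructed key=value rendering of Sysmon's real fields, the only value taken from the article is the driver name GDRV.SYS, and the blocklist hash is a placeholder. The point it makes is that a valid signature must never clear a driver on its own, because BYOVD abuses drivers whose signatures are valid.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for the BYOVD pattern.
Records are a constructed key=value|key=value rendering of real Sysmon fields;
only the driver name GDRV.SYS comes from the article; the hash is a placeholder."""
from dataclasses import dataclass

# Feed these from a curated vulnerable-driver blocklist in production.
VULNERABLE_DRIVER_NAMES = {"gdrv.sys"}                # from the article
VULNERABLE_DRIVER_SHA256 = {"<placeholder-sha256>"}   # placeholder, not a real IoC
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str

def parse_event(line: str) -> DriverLoad:
    """Parse one record; Hashes is 'SHA256=...,MD5=...' as Sysmon emits it."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )

def assess(ev: DriverLoad) -> list[str]:
    """Return why a load is suspicious (empty = benign). A valid signature never
    clears a driver by itself: BYOVD abuses drivers whose signatures are valid."""
    reasons = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from outside trusted driver paths: {ev.image}")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    return reasons

# Constructed samples: a normal Microsoft driver, then a validly signed GIGABYTE driver from a user-writable dir.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Hashes=SHA256=AAAA|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\gdrv.sys|Hashes=SHA256=BBBB|Signed=true|Signature=Giga-Byte Technology|SignatureStatus=Valid",
]

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver image to the reasons it was flagged."""
    return {ev.image: r for ev in map(parse_event, lines) if (r := assess(ev))}
```

Name matching is the weakest of the four checks, since a renamed copy of the same driver evades it; the hash and load-path checks are what catch that case.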

Source: https://www.infosecurity-magazine.com/news/deadlock-ransomware-uses-byovd/