Prevent undetectable malware and 0-day exploits with AppGuard!

Ransomware continues to evolve in both sophistication and impact. A recent Cisco Talos investigation reveals a troubling new variant of DeadLock ransomware that evades modern security controls by exploiting known vulnerabilities and employing advanced evasion techniques.

This latest development highlights serious limitations in the traditional security model focused on “Detect and Respond.” Businesses must urgently reassess their endpoint protection strategy if they hope to stay ahead of these emerging threats (Cisco Talos Blog).

The DeadLock Threat and What Makes It Different

According to a Cisco Talos threat spotlight, the DeadLock ransomware variant uses a Bring Your Own Vulnerable Driver (BYOVD) technique to bypass Endpoint Detection and Response (EDR) protections. In this attack chain, threat actors take advantage of a vulnerability in a Baidu Antivirus driver (CVE-2024-51324) to elevate privileges and terminate security processes at the kernel level before executing the ransomware payload on a victim’s system.

The BYOVD tactic is particularly insidious because it leverages legitimate, digitally signed drivers that contain exploitable flaws. Instead of being blocked by the security stack, these drivers are loaded into the system and abused to disable protections from the inside. Once EDR defenses are neutralized, the attackers run scripts that disable Windows Defender, shut down backup and database services, and even delete volume shadow copies to prevent recovery.

After this preparatory phase, the DeadLock payload deploys and encrypts files across the system. It uses a custom stream cipher and targets a broad set of applications and data while preserving core system services to keep the machine operational enough for ransom negotiations. Once encryption is complete, victims are presented with a ransom note demanding payment in cryptocurrency.
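A defender-side correlation check for the chain just described (driver load, security process termination, Defender disabled, services stopped, shadow copies deleted), written as an added example that is not from the Talos report, CHIPS or AppGuard. It runs over constructed key=value telemetry lines; the driver name, the protected process names, the "driver loaded from outside the system drivers directory" heuristic and the 10-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry, one key=value event per line; the driver name is a placeholder.
SAMPLE_LOG = r"""
2025-10-01T09:00:01Z host=WS01 type=driver_load image=C:\Temp\example-av.sys signer=Example-Vendor
2025-10-01T09:00:04Z host=WS01 type=process_end image="C:\Program Files\EDR\edrsvc.exe" reason=terminated
2025-10-01T09:00:09Z host=WS01 type=process_create cmd="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"
2025-10-01T09:00:12Z host=WS01 type=process_create cmd="net stop MSSQLSERVER"
2025-10-01T09:00:15Z host=WS01 type=process_create cmd="vssadmin delete shadows /all /quiet"
2025-10-01T09:30:00Z host=WS02 type=process_create cmd="vssadmin list shadows"
"""
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PROTECTED = ("edrsvc.exe", "msmpeng.exe")    # assumed EDR/AV process names to watch
DRIVER_DIR = r"c:\windows\system32\drivers"  # driver loads from elsewhere are suspicious
def parse(line):
    """Turn one '<ISO-8601 ts> k=v k="v with spaces"' line into a dict."""
    ts, rest = line.split(" ", 1)
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for m in KV_RE.finditer(rest):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return ev
# Stages of the chain in the order the report describes them; an event maps to at most one.
STAGES = [
    ("driver_load", lambda e: e.get("type") == "driver_load"
        and not e.get("image", "").lower().startswith(DRIVER_DIR)),
    ("edr_killed", lambda e: e.get("type") == "process_end" and e.get("reason") == "terminated"
        and e.get("image", "").lower().endswith(PROTECTED)),
    ("av_disabled", lambda e: re.search(r"set-mppreference.*disable", e.get("cmd", ""), re.I)),
    ("svc_stopped", lambda e: re.search(r"\b(net|sc)\s+stop\b", e.get("cmd", ""), re.I)),
    ("vss_deleted", lambda e: re.search(r"vssadmin.*delete\s+shadows", e.get("cmd", ""), re.I)),
]
ORDER = [name for name, _ in STAGES]
def detect(log_text, window=timedelta(minutes=10)):
    """{host: stages} where a suspicious driver load is followed within `window` by >= 2 later stages."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        stage = next((n for n, match in STAGES if match(ev)), None)
        if stage:
            hits.setdefault(ev["host"], []).append((ev["ts"], stage))
    alerts = {}
    for host, events in hits.items():
        for t0, s0 in sorted(events):
            later = {s for t, s in events if s != s0 and timedelta(0) <= t - t0 <= window}
            if s0 == "driver_load" and len(later) >= 2:
                alerts[host] = [s0] + sorted(later, key=ORDER.index)
                break
    return alerts
```

The point of the correlation is that a lone `vssadmin` call or a single service stop is routine administration and never fires by itself; only the driver load followed by several of the later stages on the same host within the window produces an alert.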

Why This Signals a Shift in Ransomware Evasion

What makes the DeadLock variant noteworthy is not simply that it encrypts data, but how it defeats security tools before encryption even begins. Attacks using BYOVD, in which legitimate signed drivers with vulnerabilities are weaponized, are becoming more common because they enable attackers to disable detection engines and protections that many organizations rely on. Other ransomware variants like Medusa and Qilin have similarly employed BYOVD-style tactics to evade defenses (Security Affairs).

This type of evasion points to a fundamental weakness in the “Detect and Respond” model of cybersecurity. EDR and detection solutions are reactive by nature — they rely on identifying malicious behavior or artifacts. If attackers can neutralize these tools before malicious activity begins, detection becomes impossible and response comes too late.

The Limits of Detect and Respond

Organizations that put faith solely in EDR and similar detection technologies may believe they are protected because alerts are generated and visualized in dashboards. But as the DeadLock example demonstrates, skilled threat actors can bypass these systems entirely. Detection happens after the fact — often after encryption has begun, data is exfiltrated, or backups are corrupted.

This creates several problems:

  • Blinded Security Tools: When EDR is disabled or circumvented, there is nothing left to detect exploitation or malicious execution.

  • Delayed Response: Even if forensic artifacts exist, response begins only after significant damage has already occurred.

  • Incomplete Prevention: Detection does not stop the initial exploit or neutralize the threat before it reaches sensitive systems.

These dynamics underscore why a purely reactive defense is no longer sufficient for modern ransomware threats.

A New Approach: Isolation and Containment

Instead of relying on detecting the threat after it has been delivered, businesses need to prevent unauthorized code from executing in the first place. This is where AppGuard offers a fundamentally different paradigm.

AppGuard is a proven endpoint protection platform with a 10-year track record of stopping unknown and advanced threats without relying on signatures or prior detection. Its core strength lies in Isolation and Containment. Rather than watching for indicators of attack, AppGuard enforces a set of policies that isolate applications and contain their execution contexts. This means that even if a threat actor uses a BYOVD exploit or other sophisticated evasion technique, the harmful behavior is blocked before it can do damage.

Key benefits of AppGuard include:

  • Prevention over Detection: Stops attacks before they execute, rather than waiting for alerts after the fact.

  • Kernel-level Protection: Protects trusted system processes and prevents unauthorized code from interacting with critical OS components.

  • Minimal Performance Impact: Enforces security policies without slowing down systems or creating operational overhead.

This isolation and containment model has been proven in real environments against threats ranging from advanced persistent threat (APT) intrusions to ransomware and BYOVD-style attacks, the very cases where detection-centric tools fail.

What Your Business Can Do Next

The appearance of ransomware variants like DeadLock — and the adoption of BYOVD tactics by other operators — should be a wake-up call for business owners. Traditional security measures are not enough. Detection technologies alone cannot prevent attackers from disabling defenses and encrypting systems without notice.

Preventative, execution-blocking strategies like those provided by AppGuard offer a higher level of assurance. By stopping threats before they escalate, organizations can protect their critical systems and data against the evolving ransomware landscape.

Talk to us at CHIPS about how AppGuard can prevent this type of incident and why moving from Detect and Respond to Isolation and Containment is essential for your business security strategy.
We will help you evaluate your endpoint protection and implement a solution designed to stop advanced threats before they cause harm.
