Black Basta Ransomware Uses BYOVD for Defense Evasion


Marcus Rodriguez
February 9, 2026

Ransomware groups continually refine their sophisticated arsenals to bypass modern cybersecurity defenses. The notorious Black Basta collective, recognized for its aggressive campaigns, has now adopted a particularly insidious technique: Bring Your Own Vulnerable Driver (BYOVD). This method exploits legitimate, signed drivers with known vulnerabilities, allowing attackers to load malicious code directly into the kernel. By leveraging BYOVD, Black Basta aims to achieve deep system access and persistence, largely circumventing endpoint detection and response (EDR) solutions and posing a significant challenge for defenders.

A recent campaign by the Black Basta group has introduced a significant tactical shift by embedding a “Bring Your Own Vulnerable Driver” (BYOVD) component directly into the ransomware payload itself.

This integration marks a notable departure from standard operating procedures, where defense evasion tools are typically deployed as separate files before the encryption phase begins.

The primary objective of this technique is to incapacitate security software on the victim’s machine.

By leveraging a legitimate, signed driver that contains vulnerabilities, attackers can execute code with kernel-level privileges.

This access allows them to terminate antivirus and endpoint detection processes that would otherwise block the ransomware.

This method streamlines the attack chain, making it faster and significantly harder for defenders to intercept before damage occurs.

Symantec analysts identified the malware’s new capability during an investigation into the Cardinal cybercrime group.

This development is particularly significant because it suggests a return to active operations for Cardinal, following a period of relative silence after their internal chat logs were leaked in early 2025.

The researchers noted that while bundling evasion components is not entirely new to the landscape, this specific implementation has never been observed in previous Black Basta campaigns.

The integration of the vulnerable driver serves as a robust shield against detection. Once the payload is executed, it immediately attempts to neutralize defenses, leaving the system exposed to encryption.

This indicates a higher level of sophistication and a potential trend that other ransomware families might adopt to bypass modern security protocols.

Operational Mechanics of the Vulnerable Driver

The core of this evasion mechanism relies on the abuse of a specific vulnerable Windows kernel-mode driver, identified as NsecSoft NSecKrnl.

Upon execution, the ransomware payload drops this driver and creates a service to facilitate its operation. The driver suffers from a critical vulnerability, tracked as CVE-2025-68947, which fails to verify user permissions adequately.

This oversight allows the attackers to issue malicious I/O control (IOCTL) requests to the driver that terminate protected processes.

The malware specifically targets a comprehensive list of security agents, including SophosHealth.exe, MsMpEng.exe, and various other detection tools.

By effectively blinding the system’s monitors, the ransomware appends the .locked extension to files without interruption.

Additionally, a suspicious side-loaded loader had been observed on the affected networks weeks earlier, pointing to a potentially long dwell time.

For mitigation, organizations are advised to consult the latest Symantec Protection Bulletin for updated indicators of compromise.
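As an added detection example, not code from the article or from Symantec: a small Python correlator over constructed, Sysmon-style event lines that flags any load or service install of the NSecKrnl driver named above on its own, and flags a termination of the listed security agents (MsMpEng.exe, SophosHealth.exe) only when such a driver appeared on the same host shortly beforehand, so a routine agent restart is not mistaken for an EDR kill. The key=value line format, the ten-minute window and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the article reports as abused (lower-case substring match).
VULNERABLE_DRIVERS = ("nseckrnl",)
# Security agents the article says the payload terminates; extend from your EDR inventory.
SECURITY_AGENTS = {"msmpeng.exe", "sophoshealth.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window: driver load -> agent kill

# Constructed sample telemetry in a simplified key=value format, modelled on Sysmon
# event 6 (driver loaded), Sysmon event 5 (process terminated) and System log event
# 7045 (service installed). These are not real log lines from the campaign.
SAMPLE_LOG = r"""
ts=2026-02-09T10:14:02 host=ws01 event=7045 service=nseckrnl type=kernel path="C:\Windows\Temp\nseckrnl.sys"
ts=2026-02-09T10:14:03 host=ws01 event=6 image="C:\Windows\Temp\nseckrnl.sys" signed=true
ts=2026-02-09T10:14:05 host=ws01 event=5 image="C:\Program Files\Windows Defender\MsMpEng.exe"
ts=2026-02-09T10:14:05 host=ws01 event=5 image="C:\Program Files\Sophos\SophosHealth.exe"
ts=2026-02-09T11:30:00 host=ws02 event=6 image="C:\Windows\System32\drivers\netio.sys" signed=true
ts=2026-02-09T11:30:04 host=ws02 event=5 image="C:\Program Files\Windows Defender\MsMpEng.exe"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(log):
    """Return (host, rule, detail) alerts: a known-vulnerable driver load/service install on its
    own, and a security-agent kill only if such a driver appeared on that host within WINDOW before."""
    alerts, driver_seen = [], defaultdict(list)  # host -> [(timestamp, driver name)]
    for line in log.splitlines():
        ev = parse(line)
        if not ev:
            continue
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["event"] in ("6", "7045"):
            name = basename(ev.get("image") or ev.get("path", ""))
            if any(d in name for d in VULNERABLE_DRIVERS):
                driver_seen[host].append((ts, name))
                alerts.append((host, "vulnerable_driver_loaded", name))
        elif ev["event"] == "5" and basename(ev["image"]) in SECURITY_AGENTS:
            recent = [d for t, d in driver_seen[host] if timedelta(0) <= ts - t <= WINDOW]
            if recent:
                alerts.append((host, "edr_kill_after_vulnerable_driver",
                               f"{basename(ev['image'])} <- {recent[-1]}"))
    return alerts
```

On the sample, ws01 produces four alerts while ws02, where a legitimate driver loaded and the Defender engine stopped without any vulnerable driver present, produces none.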
