Black Basta Ransomware Actors Embed BYOVD Defense Evasion Component in the Ransomware Payload Itself

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

Ransomware actors are constantly refining their arsenals to bypass modern defenses.

A recent campaign by the Black Basta group has introduced a significant tactical shift by embedding a “Bring Your Own Vulnerable Driver” (BYOVD) component directly into the ransomware payload itself.

This integration marks a notable departure from standard operating procedures, where defense evasion tools are typically deployed as separate files before the encryption phase begins.

The primary objective of this technique is to incapacitate security software on the victim’s machine.

By leveraging a legitimate, signed driver that contains vulnerabilities, attackers can execute code with kernel-level privileges.

This access allows them to terminate antivirus and endpoint detection processes that would otherwise block the ransomware.

This method streamlines the attack chain, making it faster and significantly harder for defenders to intercept before damage occurs.

Symantec analysts identified the malware’s new capability during an investigation into the Cardinal cybercrime group.

This development is particularly significant because it suggests a return to active operations for Cardinal, following a period of relative silence after their internal chat logs were leaked in early 2025.

The researchers noted that while bundling evasion components is not entirely new to the landscape, this specific implementation has never been observed in previous Black Basta campaigns.

The integration of the vulnerable driver serves as a robust shield against detection. Once the payload is executed, it immediately attempts to neutralize defenses, leaving the system exposed to encryption.

This indicates a higher level of sophistication and a potential trend that other ransomware families might adopt to bypass modern security protocols.

Operational Mechanics of the Vulnerable Driver

The core of this evasion mechanism relies on the abuse of a specific vulnerable Windows kernel-mode driver, identified as NsecSoft NSecKrnl.

Upon execution, the ransomware payload drops this driver and creates a service to facilitate its operation. The driver contains a critical vulnerability, tracked as CVE-2025-68947: it fails to adequately verify the permissions of the caller issuing requests to it.

This oversight allows the attackers to issue malicious Input/Output Control (IOCTL) requests that terminate protected processes.

The malware specifically targets a comprehensive list of security agents, including SophosHealth.exe, MsMpEng.exe, and various other detection tools.

With the system's monitors effectively blinded, the ransomware appends the .locked extension to files without interruption.
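As an added illustration (not code from the Symantec report or the original article), the following Python sketch shows the kind of host-level correlation a defender could run over endpoint telemetry for the sequence described above: a load of the NSecKrnl driver, a service registered for it, and shortly afterwards the termination of security agents and the appearance of .locked files. The event records are constructed Sysmon-style samples; the driver file path, timestamps and host names are assumptions made for this example.

```python
from datetime import datetime, timedelta
# Names taken from the article: the abused driver and two of the targeted security agents.
VULN_DRIVER_MARKERS = ("nseckrnl",)
SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe"}
WINDOW = timedelta(minutes=10)  # how soon after the driver load the kills are expected

# Constructed Sysmon-style records, not real telemetry. Event IDs follow Sysmon: 6 = DriverLoad,
# 13 = RegistryEvent (service ImagePath), 5 = ProcessTerminate, 11 = FileCreate. Paths/hosts are assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T10:00:01", "id": 13, "host": "ws01", "target": r"HKLM\SYSTEM\CurrentControlSet\Services\nseckrnl\ImagePath"},
    {"ts": "2025-12-01T10:00:02", "id": 6, "host": "ws01", "image": r"C:\Windows\Temp\nseckrnl.sys"},
    {"ts": "2025-12-01T10:00:05", "id": 5, "host": "ws01", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2025-12-01T10:00:06", "id": 5, "host": "ws01", "image": r"C:\Program Files\Sophos\Health\SophosHealth.exe"},
    {"ts": "2025-12-01T10:00:30", "id": 11, "host": "ws01", "target": r"C:\Users\alice\Documents\report.docx.locked"},
    # Benign: an agent restarting on another host with no vulnerable-driver load beforehand.
    {"ts": "2025-12-01T11:30:00", "id": 5, "host": "ws02", "image": r"C:\Program Files\Sophos\Health\SophosHealth.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _is_vuln_driver(path):
    return any(marker in path.lower() for marker in VULN_DRIVER_MARKERS)

def detect_byovd_kill_chain(events, window=WINDOW):
    """Per host, flag a vulnerable-driver load that is followed within `window` by the
    termination of one or more security processes. Returns a list of finding dicts."""
    findings, by_host = [], {}
    for event in sorted(events, key=_ts):
        by_host.setdefault(event["host"], []).append(event)
    for host, evs in by_host.items():
        for load in evs:
            if load["id"] != 6 or not _is_vuln_driver(load["image"]):
                continue
            t0 = _ts(load)
            killed = sorted({_basename(e["image"]) for e in evs if e["id"] == 5
                             and t0 <= _ts(e) <= t0 + window and _basename(e["image"]) in SECURITY_PROCESSES})
            if not killed:
                continue
            # Corroborating signals: a service registered for the driver, and .locked files afterwards.
            service_seen = any(e["id"] == 13 and "\\services\\" in e["target"].lower()
                               and _is_vuln_driver(e["target"]) for e in evs)
            locked_seen = any(e["id"] == 11 and e["target"].lower().endswith(".locked")
                              and _ts(e) >= t0 for e in evs)
            findings.append({"host": host, "driver": load["image"], "killed": killed, "service_registered": service_seen,
                             "locked_files_seen": locked_seen, "severity": "critical" if locked_seen else "high"})
    return findings
```

Running `detect_byovd_kill_chain(SAMPLE_EVENTS)` flags only ws01; the lone agent restart on ws02 produces no finding because no vulnerable-driver load precedes it.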

Additionally, a suspicious side-loaded loader had been observed on the affected networks weeks earlier, pointing to a potentially long dwell time.

For mitigation, organizations are advised to consult the latest Symantec Protection Bulletin for updated indicators of compromise.
