Black Basta ransomware attackers have adopted a new tactic: embedding a “Bring Your Own Vulnerable Driver” (BYOVD) component directly in the ransomware payload so that security software is disabled before encryption begins. Symantec analysts identified the change while investigating the Cardinal cybercrime group, which operates Black Basta, and read it as a sign that the group is returning to active operations after a period of reduced activity.
Until now, such defense-evasion tools were typically dropped as separate files, which gave security products a short window to detect and block them before the ransomware ran. By merging the two, Black Basta shortens the attack chain and leaves defenders fewer opportunities to intervene before encryption and data exfiltration are under way.
Operational Mechanics of the Vulnerable Driver in Black Basta Attacks
The technique relies on a vulnerable Windows kernel-mode driver from NsecSoft, NSecKrnl. When the ransomware payload runs, it drops the driver and creates a service to load it. The driver contains a vulnerability, tracked as CVE-2025-68947, in which it fails to verify the permissions of the caller. An attacker can therefore send it crafted IOCTL (I/O control) requests that terminate protected processes: because the termination is carried out from kernel mode, it works against processes that a user-mode attacker could not otherwise kill.
The malware targets a long list of security agents, including SophosHealth.exe, MsMpEng.exe (the Microsoft Defender engine) and other endpoint detection and response (EDR) processes. With these monitors stopped, the ransomware encrypts files unimpeded and appends the “.locked” extension to them.
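The sequence described above (install a driver service, load the driver, then kill security processes) is something a detection engineer can correlate in telemetry. The following Python is an added example, not code from Symantec or from the Black Basta payload. It runs over constructed Sysmon-style records (Event ID 6 driver load, Event ID 5 process terminate) and a System-log 7045 service-install record; the driver file name, service name and hash in the sample data are placeholders, not indicators of compromise from the article.

```python
"""Hunt for a BYOVD 'load driver, then kill EDR' sequence in Sysmon-style events.

Added example, not code from Symantec or from the Black Basta payload. The
event records are constructed; the driver file name, service name and hash are
placeholders (assumptions), not indicators taken from the article."""
import ntpath
from datetime import datetime, timedelta

# Security agents the article names, plus other common EDR service binaries.
SECURITY_PROCESSES = {
    "sophoshealth.exe", "msmpeng.exe", "mssense.exe",
    "csfalconservice.exe", "sentinelagent.exe",
}

# Watchlist of driver file names. In production, match on the hashes published
# in the Microsoft vulnerable driver blocklist or the LOLDrivers project rather
# than on names, since the attacker controls the file name. Entry is assumed.
DRIVER_WATCHLIST = {"nseckrnl.sys"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return ntpath.basename(path).lower()


def detect_byovd_kill_chain(events, window=timedelta(minutes=10)):
    """Correlate the three stages of the described attack:
    1. System log 7045: a kernel-mode driver service is installed,
    2. Sysmon 6: a watch-listed driver is loaded,
    3. Sysmon 5: security processes terminate shortly afterwards.
    Returns one alert per watch-listed driver load that is followed by kills."""
    events = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    alerts = []
    for load in events:
        if load["EventID"] != 6 or _base(load["ImageLoaded"]) not in DRIVER_WATCHLIST:
            continue
        t0 = _ts(load["UtcTime"])
        # Service installs for the same driver file shortly before the load.
        installs = [e["ServiceName"] for e in events
                    if e["EventID"] == 7045
                    and e.get("ServiceType", "").lower() == "kernel mode driver"
                    and _base(e["ImagePath"]) == _base(load["ImageLoaded"])
                    and t0 - window <= _ts(e["UtcTime"]) <= t0]
        # Security processes that died after the load, inside the window.
        killed = sorted({_base(e["Image"]) for e in events
                         if e["EventID"] == 5
                         and _base(e["Image"]) in SECURITY_PROCESSES
                         and t0 <= _ts(e["UtcTime"]) <= t0 + window})
        if killed:
            alerts.append({
                "time": load["UtcTime"],
                "driver": load["ImageLoaded"],
                "hashes": load.get("Hashes", ""),
                "services": installs,
                "killed": killed,
            })
    return alerts


# Constructed sample telemetry (paths, names and hash are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 7045, "UtcTime": "2025-06-01 09:58:10.000", "ServiceName": "kdrv",
     "ImagePath": "C:\\Windows\\Temp\\nseckrnl.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 6, "UtcTime": "2025-06-01 09:58:12.120",
     "ImageLoaded": "C:\\Windows\\Temp\\nseckrnl.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
     "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2025-06-01 09:58:13.400",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-06-01 09:58:13.410",
     "Image": "C:\\Program Files\\Sophos\\Health\\SophosHealth.exe"},
    {"EventID": 5, "UtcTime": "2025-06-01 09:58:14.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    # Benign, unrelated driver load later the same morning: must not alert.
    {"EventID": 6, "UtcTime": "2025-06-01 10:30:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\usbhub.sys",
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for alert in detect_byovd_kill_chain(SAMPLE_EVENTS):
        print(alert)
```

A valid signature on the loaded driver is not a reason to suppress the alert: BYOVD abuses legitimately signed drivers, so the hash, the unusual load path and the terminations that follow are the signal, not the signer.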
The investigation also showed how earlier activity can foreshadow the payload. The researchers found a suspicious side-loaded loader on the compromised networks weeks before the ransomware was deployed, which points to long dwell times during which the attackers performed reconnaissance and prepared the environment before the main attack. Organizations should consult the latest Symantec Protection Bulletin for updated indicators of compromise.
The integrated BYOVD approach is a pattern other ransomware families are likely to copy as defenses improve and attackers look for new ways to gain privileged access and disable protective measures. Bundling defense evasion into the payload removes a detection opportunity, so a layered strategy that can identify and stop the intrusion at earlier stages, such as the initial loader or the driver installation, becomes more important.
Organizations should keep security software current, maintain robust patch management, and conduct regular security awareness training to counter threats like those posed by the Black Basta group and its evolving BYOVD tactics. Against BYOVD specifically, enforcing Microsoft's vulnerable driver blocklist (via memory integrity/HVCI or a Windows Defender Application Control policy) prevents known-abused signed drivers from loading in the first place.