The notorious Black Basta ransomware group has upgraded its arsenal with a dangerous new capability, embedding defense evasion tools directly inside its ransomware payload. A new report by The Threat Hunter Team reveals that the group, tracked as Cardinal, is now using a “bring-your-own-vulnerable-driver” (BYOVD) technique baked into the malware itself to silently disable security software before encrypting files.
This development marks a significant shift in tactics for one of the world’s most aggressive ransomware families, signaling a potential return to activity after a quiet period following a major data leak earlier this year.
Traditionally, ransomware attacks are a two-step process: first, attackers deploy a separate tool to kill antivirus protections, and then they drop the ransomware. Black Basta has streamlined this into a single, lethal package.
“In this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself,” the report explains.
By hiding the defense evasion component inside the main payload, the attack becomes “quieter” and faster. There is no separate file to detect, and no time gap for defenders to react. As the report notes, “if there is no gap between the defense evasion tool being deployed and the ransomware being dropped, there is no opportunity for defenders to stop the attack”.
The technique relies on a known vulnerability in the NsecSoft NSecKrnl driver (CVE-2025-68947). Despite being a legitimate, signed Windows driver, it has a critical flaw that allows unauthorized users to execute kernel-level commands.
Attackers use this “vulnerable” driver to terminate processes that would otherwise stop them. The Black Basta payload specifically targets a laundry list of security products, including:
- Sophos (e.g., Sophos Ul.exe, SEDService.exe)
- Symantec (e.g., ccSvcHst.exe, sepWscSvc64.exe)
- CrowdStrike (e.g., CSFalconService.exe)
- Microsoft Defender (e.g., MsMpEng.exe)
“Since the vulnerable drivers operate with kernel-mode access, they can be used to terminate processes, making them an effective tool for disrupting security measures,” the researchers state.
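One way a defender can look for the pattern the report describes (a kernel driver loaded and security processes dying moments later) is to correlate driver-load telemetry with process-termination telemetry on the same host. The script below is an added example and is not code from the report or its authors: it parses constructed, Sysmon-style event lines, watches for loads of a driver on a vulnerable-driver watchlist, and raises an alert when a known security product process is terminated within a short window afterwards. The driver file name `NSecKrnl.sys`, the pipe-delimited event format, and the sample events are assumptions; the security process names are those listed in the article.

```python
"""Correlate vulnerable-driver loads with security-process terminations.

Added example (not from the report). The driver file name 'NSecKrnl.sys',
the event format and the sample events are assumptions; the security
process names are the ones the article lists.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process images of the security products named in the report (lower-cased).
SECURITY_PROCESSES = {
    "sedservice.exe", "ccsvchst.exe", "sepwscsvc64.exe",
    "csfalconservice.exe", "msmpeng.exe",
}

# Driver file names to treat as known-vulnerable. In production this list
# would be fed from a maintained source such as Microsoft's vulnerable
# driver blocklist or the LOLDrivers project; the name below is an assumed
# file name for the NsecSoft NSecKrnl driver.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}


@dataclass
class Event:
    ts: datetime
    kind: str        # "driver_load" or "process_terminated"
    image: str       # driver path or terminated process image path
    actor: str = ""  # process that performed the action, if known


def parse_line(line: str) -> Event:
    """Parse one constructed event line: ts|kind|image|actor."""
    ts, kind, image, actor = (line.split("|") + [""])[:4]
    return Event(datetime.fromisoformat(ts.strip()), kind.strip(),
                 image.strip(), actor.strip())


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_byovd_kills(events, window=timedelta(seconds=60)):
    """Return alerts for security processes terminated within `window`
    after a vulnerable driver load. The short gap is the hallmark of the
    bundled technique the report describes."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    loads = []  # vulnerable-driver loads seen so far
    for ev in events:
        if ev.kind == "driver_load" and basename(ev.image) in VULNERABLE_DRIVERS:
            loads.append(ev)
        elif ev.kind == "process_terminated" and basename(ev.image) in SECURITY_PROCESSES:
            for ld in loads:
                delta = ev.ts - ld.ts
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "driver": basename(ld.image),
                        "victim": basename(ev.image),
                        "seconds_after_load": delta.total_seconds(),
                        "actor": ev.actor,
                    })
                    break
    return alerts


# Constructed sample telemetry (not real logs): a driver load followed by
# two security-process kills, then unrelated terminations much later.
SAMPLE_LOG = """\
2025-01-01T10:00:00|driver_load|C:\\Windows\\Temp\\NSecKrnl.sys|loader.exe
2025-01-01T10:00:03|process_terminated|C:\\Program Files\\Sophos\\SEDService.exe|loader.exe
2025-01-01T10:00:04|process_terminated|C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe|loader.exe
2025-01-01T10:05:00|process_terminated|C:\\Windows\\notepad.exe|explorer.exe
2025-01-01T12:00:00|process_terminated|C:\\Program Files\\CrowdStrike\\CSFalconService.exe|services.exe
"""


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_byovd_kills(parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, only the two terminations a few seconds after the driver load are reported; the CrowdStrike service stop two hours later falls outside the window and is not correlated. The window is deliberately short because the point of bundling the driver with the payload is that there is no gap to exploit; tuning it wider trades more coverage for more noise from legitimate service restarts.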
The Black Basta group, or Cardinal, had been relatively quiet following a massive leak of their internal chat logs in February 2025. That leak exposed their operations and led to police raids against alleged members in Ukraine.
However, this new technical innovation suggests the group is not done yet. “Its use by Black Basta… is very notable and may point to a mainstreaming of this kind of approach,” the report warns.
Beyond just being effective, this “all-in-one” malware might be a business decision. In the competitive world of cybercrime, ransomware developers are constantly trying to attract affiliates—contract hackers who deploy the malware for a cut of the profits.
“Having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require less steps,” making the tool more attractive to low-skilled criminals.