securityonline.info · 2/10/2026, 1:00:50 AM

Silent Killer: Black Basta Bundles “BYOVD” Driver to Blind Antivirus

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

According to the Threat Hunter Team, which tracks the group as Cardinal, the Black Basta ransomware operation has upgraded its toolkit by embedding a defense-evasion component directly inside the ransomware payload. It uses a bring-your-own-vulnerable-driver (BYOVD) technique to silently disable security software before encryption begins: the vulnerable NsecSoft NSecKrnl driver is bundled with the malware and used to terminate security processes, rather than being dropped and run as a separate tool in an earlier stage.

The technique relies on a flaw in the NSecKrnl driver (CVE-2025-68947) to obtain kernel-level access. Because the driver carries a valid signature, it loads as a legitimate Windows kernel driver rather than tripping driver signature enforcement, which is what makes BYOVD attractive over an unsigned rootkit. The payload targets security products including Sophos, Symantec, CrowdStrike, and Microsoft Defender. Since the process-killing step and the encryption now run from a single payload, defenders lose the window they previously had between the deployment of a standalone killer tool and the start of encryption.
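The detection problem this creates is sequencing: a kernel driver load immediately followed by several security-product processes dying is the observable trace of a BYOVD killer, whether or not the driver's hash is already on a blocklist. The following is an added example written for this page, not code from the article or from the Threat Hunter Team. It correlates constructed Sysmon-style events (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate) and raises an alert when a driver load is followed within a short window by the termination of two or more watched processes, or when the driver's hash matches a blocklist. The log format, the driver paths, the hash values, and the process-name watchlist are all assumptions made for the example; the hashes are placeholders and are not the hash of NSecKrnl or of any real driver.

```python
"""
Toy detector for the BYOVD-then-kill pattern: a kernel driver load
followed closely by the termination of several security-product
processes. Events are modelled on Sysmon Event ID 6 (DriverLoad) and
Event ID 5 (ProcessTerminate), but the log lines, paths and hashes below
are constructed for this example and do not describe any real sample.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Assumption: illustrative process names for the vendors named in the
# article. A real deployment would build this list from its own inventory.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike Falcon
    "ccsvchst.exe",         # Symantec Endpoint Protection
    "sophoshealth.exe",     # Sophos
}

# Constructed placeholder standing in for a vulnerable-driver blocklist
# (e.g. Microsoft's blocklist or a LOLDrivers export). NOT a real hash.
KNOWN_VULNERABLE_DRIVER_HASHES = {f"sha256={'11' * 32}"}


@dataclass
class Event:
    ts: datetime
    event_id: int      # 6 = DriverLoad, 5 = ProcessTerminate
    image: str         # ImageLoaded (id 6) or Image (id 5)
    hashes: str = ""   # "SHA256=<hex>" for driver loads, empty otherwise
    signed: bool = True


def parse_log(text: str) -> list[Event]:
    """Parse constructed pipe-delimited lines: ts|event_id|image|hashes|signed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, image, hashes, signed = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), image,
                            hashes, signed.lower() == "true"))
    return events


def detect_byovd_kill(events: list[Event], window: timedelta = timedelta(seconds=60),
                      min_kills: int = 2) -> list[dict]:
    """Return one alert per driver load that is blocklisted or followed by
    >= min_kills distinct security-process terminations inside `window`."""
    events = sorted(events, key=lambda e: e.ts)
    blocklist = {h.lower() for h in KNOWN_VULNERABLE_DRIVER_HASHES}
    alerts = []
    for i, ev in enumerate(events):
        if ev.event_id != 6:
            continue
        reasons, killed = [], set()
        if ev.hashes.lower() in blocklist:
            reasons.append("driver hash on vulnerable-driver blocklist")
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break  # events are sorted, nothing further is in the window
            name = ntpath.basename(later.image).lower()
            if later.event_id == 5 and name in SECURITY_PROCESSES:
                killed.add(name)
        if len(killed) >= min_kills:
            reasons.append(f"{len(killed)} security processes terminated within "
                           f"{int(window.total_seconds())}s of driver load")
        if reasons:
            alerts.append({"ts": ev.ts.isoformat(), "driver": ev.image,
                           "signed": ev.signed, "reasons": reasons,
                           "killed": sorted(killed)})
    return alerts


# Constructed sample: a benign driver load, a signed but unknown driver
# followed by three security processes dying, and a blocklisted driver.
SAMPLE_LOG = rf"""
2026-02-09T23:10:00|6|C:\Windows\System32\drivers\benign_vendor.sys|SHA256={'aa' * 32}|true
2026-02-09T23:14:01|6|C:\Users\Public\dropped_driver.sys|SHA256={'cc' * 32}|true
2026-02-09T23:14:03|5|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe||
2026-02-09T23:14:04|5|C:\Program Files\CrowdStrike\CSFalconService.exe||
2026-02-09T23:14:04|5|C:\Program Files (x86)\Symantec\ccSvcHst.exe||
2026-02-09T23:14:09|5|C:\Windows\System32\notepad.exe||
2026-02-09T23:30:00|6|C:\Windows\Temp\old_tool.sys|SHA256={'11' * 32}|true
"""

if __name__ == "__main__":
    for alert in detect_byovd_kill(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second driver in the sample is validly signed and not on any blocklist, which is exactly the case a bundled, freshly chosen driver presents; only the behavioural rule catches it. Tune `window` and `min_kills` against your own telemetry, since a legitimate security-product update can also restart several of these processes in quick succession; in practice the rule should be combined with the driver's load path (user-writable directories are unusual for kernel drivers) and with a check that the HVCI vulnerable-driver blocklist is actually enforced on the endpoint.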

This development, which follows the massive leak of Black Basta internal chats in February 2025, may signal that bundling a BYOVD killer into the payload itself is becoming mainstream in the ransomware ecosystem, and it lowers the effort required of affiliates, who no longer need to stage and run a separate defense-evasion tool before detonation.


Article by CyberSIXT