Symantec, Sophos and CrowdStrike: Black Basta Ransomware Integrates BYOVD Technique to Evade Defenses


Black Basta Ransomware Adopts New "All-in-One" Attack Tactic with Embedded BYOVD Exploit

The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption.

In this campaign, Black Basta loads the NsecSoft NSecKrnl driver, which carries a critical vulnerability tracked as CVE-2025-68947. According to the researchers, the driver exposes privileged functionality without adequate permission checks, so the user-mode ransomware process can send it Input/Output Control (IOCTL) requests that terminate protected security processes. Targeted products include Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe). Once those processes are killed, the ransomware encrypts files and appends the ".locked" extension.

This tactic, embedding defense evasion within the ransomware binary itself, is rare: it had previously been observed only in Ryuk (2020) and Obscura (2025). The approach offers two advantages to the attacker: stealth, because fewer files are dropped on the victim's system, and speed, because the window between disabling defenses and starting encryption shrinks to seconds rather than the minutes or hours a separate killer tool can leave. Researchers also noted prolonged dwell time in compromised networks, with suspicious activity detected weeks before ransomware deployment.
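The behaviour described above has a recognisable shape in endpoint telemetry: a signed driver is loaded, often from an unusual path, and within seconds several security-product processes die. The following Python script is an added example, not code from the article, the researchers or any vendor, showing the temporal correlation a detection engineer would write for that pattern. It runs over constructed Sysmon-style JSON events (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate); the driver path, signer string, PIDs and timestamps are invented, MsMpEng.exe is the one process name the article gives, and the other protected-process names are assumed examples of EDR/AV service processes.

```python
"""Correlate a driver load with subsequent termination of security processes.

Added example over constructed Sysmon-style events; not from the article or
from any vendor.  Field names follow Sysmon Event ID 6 (DriverLoad) and
Event ID 5 (ProcessTerminate).
"""
import json
from datetime import datetime, timedelta

# Processes whose termination shortly after a driver load is suspicious.
# MsMpEng.exe is named in the article; the other names are assumed examples.
PROTECTED = {"msmpeng.exe", "csfalconservice.exe", "ccsvchst.exe", "sophosfs.exe"}
WINDOW = timedelta(seconds=120)   # how long after a driver load a kill still counts
MIN_KILLS = 2                     # distinct protected processes killed -> alert

# Constructed sample log (JSON lines).  Paths, timestamps and the signer are
# invented; the .sys name is a placeholder, not the real vulnerable driver.
SAMPLE_LOG = r"""
{"ts": "2026-01-14T08:00:00", "event_id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows"}
{"ts": "2026-01-14T08:01:00", "event_id": 5, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-01-14T09:12:01", "event_id": 6, "ImageLoaded": "C:\\Windows\\Temp\\vuln_driver_placeholder.sys", "Signed": "true", "Signature": "Example Vendor Ltd"}
{"ts": "2026-01-14T09:12:09", "event_id": 5, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
{"ts": "2026-01-14T09:12:10", "event_id": 5, "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"}
{"ts": "2026-01-14T09:12:41", "event_id": 1, "Image": "C:\\Users\\Public\\payload.exe"}
{"ts": "2026-01-14T17:30:00", "event_id": 5, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
"""


def parse(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per driver load that is followed, within WINDOW, by the
    termination of at least MIN_KILLS distinct protected processes."""
    loads = [e for e in events if e["event_id"] == 6]
    killed = {i: set() for i in range(len(loads))}
    for ev in events:
        if ev["event_id"] != 5:
            continue
        name = basename(ev["Image"])
        if name not in PROTECTED:
            continue
        # Attribute the kill to every driver loaded in the preceding WINDOW.
        for i, d in enumerate(loads):
            delta = ev["ts"] - d["ts"]
            if timedelta(0) <= delta <= WINDOW:
                killed[i].add(name)
    alerts = []
    for i, d in enumerate(loads):
        if len(killed[i]) >= MIN_KILLS:
            alerts.append({
                "driver": d["ImageLoaded"],
                "signed": d.get("Signed") == "true",
                "signer": d.get("Signature"),
                "loaded_at": d["ts"].isoformat(),
                "killed": sorted(killed[i]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Sysmon Event ID 5 records only that a process ended, not what ended it, so the detection rests on timing and on the number of distinct protected processes that die after one driver load. The benign tcpip.sys load and the lone MsMpEng.exe exit hours later produce no alert; tune WINDOW and MIN_KILLS against baseline data, because legitimate product upgrades also restart these services.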

The resurgence of Cardinal follows a period of inactivity after internal chat logs were leaked in February 2025 by a hacker known as ExploitWhispers, who claimed retaliation for Black Basta’s attacks on Russian banks. The leak led to police raids in Ukraine and the identification of an alleged leader, Oleg Evgenievich Nefedov. Despite law enforcement pressure, the group’s technical innovation suggests continued adaptation.

BYOVD attacks remain a favored method because the abused driver is legitimately signed: Windows loads it under driver signature enforcement, and the abuse happens only after it is loaded, when the ransomware sends it a malicious IOCTL. The practical mitigations are Microsoft's vulnerable driver blocklist (enforced through HVCI/memory integrity or a WDAC policy), which only helps for drivers that are actually on the list, and monitoring for driver loads from unusual paths followed by termination of security processes. Folding evasion and encryption into a single payload may set a new standard in ransomware operations, reflecting a broader trend of defense impairment as a critical component of modern ransomware attacks.

Source: https://gbhackers.com/black-basta-ransomware-2/

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

CrowdStrike cybersecurity rating report: https://www.rankiteo.com/company/crowdstrike

Symantec cybersecurity rating report: https://www.rankiteo.com/company/symantec

"id": "SOPCROSYM1770623613",
"linkid": "sophos, crowdstrike, symantec",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "attack_vector": "BYOVD (Bring-Your-Own-Vulnerable-Driver) exploit embedded in ransomware payload",
  "data_breach": {"data_encryption": "Files encrypted with '.locked' extension"},
  "description": "The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption. The ransomware leverages the NsecSoft NSecKrnl driver (CVE-2025-68947) to terminate security processes from Sophos, Symantec, CrowdStrike, and Microsoft Defender before encrypting files with the '.locked' extension.",
  "impact": {"operational_impact": "Termination of high-level security processes (Sophos, Symantec, CrowdStrike, Microsoft Defender)"},
  "initial_access_broker": {"reconnaissance_period": "Prolonged dwell time (weeks before ransomware deployment)"},
  "lessons_learned": "BYOVD attacks remain a favored method due to reliance on legitimate, signed drivers. Integration of evasion and encryption into a single payload may set a new standard in ransomware operations.",
  "post_incident_analysis": {"root_causes": "Embedded BYOVD exploit in ransomware payload, use of vulnerable signed driver (CVE-2025-68947)"},
  "ransomware": {"data_encryption": "Yes", "ransomware_strain": "Black Basta"},
  "references": [{"source": "ExploitWhispers (hacker who leaked Black Basta chat logs)"}],
  "threat_actor": "Black Basta (linked to Cardinal)",
  "title": "Black Basta Ransomware Adopts New 'All-in-One' Attack Tactic with Embedded BYOVD Exploit",
  "type": "Ransomware",
  "vulnerability_exploited": "CVE-2025-68947 (NsecSoft NSecKrnl driver)"
}