Black Basta Bundles BYOVD With Ransomware Payload


Researchers discovered a newly disclosed vulnerable driver embedded in Black Basta's ransomware, illustrating the increasing popularity of the defense-evasion technique.

Rob Wright, Senior News Director, Dark Reading
February 9, 2026
4 Min Read

The infamous Black Basta ransomware gang has reemerged with a new tool in its arsenal. In a report published Thursday, the Symantec and Carbon Black Threat Hunter Team detailed a recent attack that featured an interesting development: a vulnerable driver was embedded directly into the Black Basta ransomware payload.

Ransomware gangs have increasingly used a technique known as bring your own vulnerable driver (BYOVD) in recent years. In a BYOVD attack, a threat actor loads a vulnerable software driver, which has elevated privileges and kernel-level access to Windows, and uses it to terminate the security processes of a targeted system. These drivers are the key ingredient of evasion tools known as EDR killers, and they have proven very effective at aiding intrusions by ransomware actors.

While EDR platforms often block attempted ransomware attacks, threat actors wielding vulnerable drivers can simply target specific security products and turn them off, much as a burglar would disable a home security system before entering. This forces organizations to implement additional defenses to account for the possibility that their EDR platform may be disabled prior to an intrusion; such measures could include running a variety of malware detection products in the hope that the EDR killer isn't programmed to terminate those specific processes.
Typically, EDR killers are standalone tools, often publicly available, that threat actors deploy before delivering a ransomware payload. For example, ransomware affiliates have used an EDR killer known as "AuKill" to shut down security products before deploying ransomware or backdoors on the targeted system. But Black Basta, which has been relatively quiet over the past year following a high-profile leak of the gang's internal communications, has taken a different approach.

Potential Benefits of Embedded BYOVD Attacks

The Threat Hunter Team discovered the vulnerable driver, NsecSoft NSecKrnl, bundled with the Black Basta ransomware. Last month, a medium-severity vulnerability in the NSecKrnl Windows driver, tracked as CVE-2025-68947, was disclosed. It's unclear when Black Basta first began weaponizing and embedding the vulnerable driver into ransomware payloads, but the report said it was a first for the ransomware gang. It's also the latest example of the growing popularity of BYOVD.

"The use of impairment techniques and tools has risen markedly among ransomware actors over the past two years, most likely in response to vendors improving their ability to identify patterns of malicious activity that occur prior to ransomware deployment," the report stated.

Like virtually all EDR killers, the NSecKrnl driver targets the processes of well-known vendors, including Symantec. This recent attack, however, appears to have failed to some degree. "We know the attack was at least partially successful because they managed to encrypt some files," says Dick O'Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team. "It appears it failed to kill our product because it continued to function after the attack."
As for why Black Basta bundled the driver and ransomware payload together, the Threat Hunter Team said it may be that dropping one combined file instead of two is "quieter" and reduces the chances of being detected. "It also may speed up the attack if there is no gap between the defense evasion tool being deployed and the ransomware being dropped, there is no opportunity for defenders to stop the attack," the Threat Hunter Team wrote. "In other scenarios, if defenders saw a suspicious driver being dropped on a system, they may have time to stop the attack before the ransomware is deployed."

Ongoing Challenges With Vulnerable Drivers

The Threat Hunter Team noted that BYOVD is undoubtedly the most common evasion tool used by ransomware attackers. While there have been isolated cases where ransomware gangs have embedded some kind of evasion component into their payloads, the researchers said that because Black Basta has never before bundled a driver with its ransomware, this could make such offerings more popular among threat actors.

"Having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require less steps, potentially making such a payload more attractive to affiliates," the Threat Hunter Team wrote.

The Black Basta attack is the latest example of the dangers posed by vulnerable and outdated drivers. Last week, Huntress researchers detailed an incident in which attackers weaponized a driver for the EnCase digital forensics suite. Even though the certificate for the driver had been revoked more than a decade ago, threat actors were still able to exploit gaps in Microsoft's Driver Signature Enforcement feature. O'Brien tells Dark Reading that Symantec and Carbon Black products will block all known vulnerable drivers.
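The researchers' point about the "gap" between a suspicious driver being dropped and the ransomware running is where defenders get their detection window. The following Python sketch is an added example, not code from the Dark Reading article, the Symantec and Carbon Black report, or any vendor: it reads constructed Sysmon-style driver-load (ID 6) and process-terminate (ID 5) events, flags a driver load whose hash is on a blocklist or whose signature is revoked or missing, and then lists security processes terminated within a short window afterwards. The log lines, paths, hashes, and the list of security process names are all constructed assumptions for illustration; the hash blocklist deliberately contains a placeholder, not any real driver's hash.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed placeholder blocklist entry (64 'a' characters), NOT a real driver hash.
# A hash blocklist is reactive by nature: it only catches drivers already known to be abused.
BLOCKLISTED_SHA256 = {"a" * 64}

# Illustrative names of security product processes (assumption; extend for your estate).
SECURITY_PROCESSES = {"msmpeng.exe", "ccsvchst.exe", "cb.exe"}

# Signature states that should never be seen on a freshly loaded kernel driver.
BAD_SIGNATURE_STATUS = {"Revoked", "Unavailable", "Expired"}

# Constructed Sysmon-like events, pipe-separated key=value pairs.
# EventID 6 = driver loaded, EventID 5 = process terminated.
SAMPLE_LOG = "\n".join([
    "EventID=6|UtcTime=2026-02-05 09:59:00.000|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|SHA256=" + "1" * 64 + "|Signed=true|SignatureStatus=Valid",
    "EventID=6|UtcTime=2026-02-05 10:00:01.000|ImageLoaded=C:\\Windows\\Temp\\nsk.sys"
    "|SHA256=" + "a" * 64 + "|Signed=true|SignatureStatus=Valid",
    "EventID=5|UtcTime=2026-02-05 10:00:03.000|Image=C:\\Program Files\\Vendor\\ccSvcHst.exe",
    "EventID=5|UtcTime=2026-02-05 10:00:04.000|Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=5|UtcTime=2026-02-05 10:05:00.000|Image=C:\\ProgramData\\Defender\\MsMpEng.exe",
    "EventID=6|UtcTime=2026-02-05 11:00:00.000|ImageLoaded=C:\\Users\\Public\\old.sys"
    "|SHA256=" + "c" * 64 + "|Signed=true|SignatureStatus=Revoked",
])


def parse_event(line: str) -> Dict[str, object]:
    """Split one constructed pipe-separated line into a field dict with a parsed timestamp."""
    fields: Dict[str, object] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["time"] = datetime.strptime(str(fields["UtcTime"]), "%Y-%m-%d %H:%M:%S.%f")
    return fields


def driver_load_reasons(ev: Dict[str, object]) -> List[str]:
    """Return the reasons a driver-load event is suspicious (empty list means benign)."""
    reasons = []
    if str(ev.get("SHA256", "")).lower() in BLOCKLISTED_SHA256:
        reasons.append("hash on blocklist")
    if str(ev.get("Signed", "")).lower() != "true":
        reasons.append("unsigned driver")
    status = str(ev.get("SignatureStatus", ""))
    if status in BAD_SIGNATURE_STATUS:
        reasons.append("signature " + status.lower())
    return reasons


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def detect(log_text: str, window_seconds: int = 120) -> List[dict]:
    """Flag suspicious driver loads and correlate security-process terminations that follow."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        if ev["EventID"] != "6":
            continue
        reasons = driver_load_reasons(ev)
        if not reasons:
            continue
        deadline = ev["time"] + timedelta(seconds=window_seconds)
        terminated = [
            basename(str(e["Image"]))
            for e in events
            if e["EventID"] == "5"
            and ev["time"] <= e["time"] <= deadline
            and basename(str(e["Image"])).lower() in SECURITY_PROCESSES
        ]
        findings.append({"driver": ev["ImageLoaded"], "reasons": reasons, "terminated": terminated})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['driver']}: {', '.join(f['reasons'])}; terminated={f['terminated']}")
```

The revoked-signature branch is the check O'Brien argues Windows itself should enforce at load time; until it does, it has to live in telemetry like this. Note that the notepad termination and the Defender termination five minutes later are correctly ignored, the first because it is not a security process and the second because it falls outside the correlation window; tune the window to the dwell times you actually observe.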
Microsoft's Vulnerable Driver Blocklist, a Windows Defender security feature, will also identify and mitigate drivers that have been identified in malicious activity. But as many experts have pointed out, blocklists are a reactive defense measure that can only prevent further activity after a vulnerable driver has already been used in attacks.

O'Brien says Microsoft needs to do more to address the rising abuse of drivers, especially since they are often signed by the software giant itself. He says preventing Windows from loading drivers with revoked certificates would be an important step; however, as researchers have noted in the past, such a step could negatively impact system performance and cause applications to crash.

Dark Reading contacted Microsoft for comment, but the company did not respond at press time.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor, and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
