Black Basta Embeds BYOVD Driver Inside Ransomware Payload to Disable EDR
Black Basta ransomware operators have been observed embedding a Bring Your Own Vulnerable Driver (BYOVD) component directly inside the ransomware payload, a shift from the more common approach of deploying an external “EDR killer” tool prior to encryption. The technique abuses a legitimate, signed but vulnerable Windows driver to gain kernel-level privileges and terminate security tooling (AV/EDR) on the victim host, reducing the chance defenders can stop the attack before encryption begins.
Reporting attributes the finding to analysis by Symantec (and the Carbon Black Threat Hunter Team), which described the embedded-driver approach as a notable evolution in Black Basta tradecraft and consistent with broader ransomware trends toward BYOVD-based defense evasion. One account also links the activity to the Cardinal cybercrime group and notes the behavior had not been seen in prior Black Basta campaigns, suggesting either a retooling or a renewed operational tempo that could be adopted by other ransomware families seeking to reliably neutralize endpoint protections.

How this story unfolded
Seven events, listed from the most recent confirmed update back to the earliest known activity.
Researchers publish targeting and impact details from the Black Basta intrusion
Public reporting said the malware attempted to terminate security tools including Sophos, Symantec, CrowdStrike, and Microsoft Defender processes, then encrypted files with a .locked extension. In the observed case, some files were encrypted, but Symantec's product reportedly continued functioning despite the attack.
Symantec and Carbon Black identify Black Basta's new bundled BYOVD tactic
Symantec analysts and the Carbon Black Threat Hunter Team reported that Black Basta (which Symantec tracks as Cardinal) had reemerged with a tactical shift: packaging BYOVD defense evasion together with the ransomware itself. They said the approach reduces detection opportunities and speeds execution by removing the gap between disabling defenses and encrypting files.
Black Basta attack embeds BYOVD driver inside ransomware payload
In a recent intrusion, Black Basta embedded the vulnerable NsecSoft NSecKrnl driver directly into its ransomware payload instead of deploying separate defense-evasion tooling. The bundled BYOVD technique was used to obtain kernel-level access and kill security processes before or during encryption.
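The two observable steps of the bundled technique (a load of the NSecKrnl driver, then termination of security-product processes on the same host shortly afterwards) are what a defender can correlate. The following is an added example, not code from the reporting or from any vendor's product: it runs that correlation over constructed, Sysmon-like telemetry. The log format, hostnames, file paths, timestamps and the ten-minute window are assumptions; only the driver name and the product names come from the reporting above.

```python
from datetime import datetime, timedelta

# Driver and product names come from the reporting above. The telemetry format
# is a constructed, Sysmon-like shape (event ID 6 = driver loaded, event ID 5 =
# process terminated), not an export from any real tool.
SUSPECT_DRIVERS = {"nseckrnl.sys"}
SECURITY_PRODUCT_TOKENS = ("sophos", "symantec", "crowdstrike", "defender")
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

# Constructed sample telemetry: "timestamp|host|event_id|image path".
SAMPLE_EVENTS = [
    "2025-09-01T10:00:00|WS01|6|C:\\Windows\\Temp\\NSecKrnl.sys",
    "2025-09-01T10:00:12|WS01|5|C:\\Program Files\\Sophos\\SophosHealth.exe",
    "2025-09-01T10:00:30|WS01|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "2025-09-01T10:00:45|WS01|5|C:\\Windows\\System32\\notepad.exe",
    "2025-09-01T11:30:00|WS01|5|C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
    "2025-09-01T10:05:00|WS02|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe",
]

def parse_event(line):
    """Split one telemetry line into a dict with a parsed timestamp."""
    ts, host, event_id, image = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "id": int(event_id), "image": image}

def is_security_product(image):
    """True if the image path names one of the products the reporting lists."""
    low = image.lower()
    return any(token in low for token in SECURITY_PRODUCT_TOKENS)

def detect_byovd_kill_chain(lines, window=WINDOW):
    """One alert per suspect driver load followed, on the same host and within
    `window`, by termination of a security-product process. A security process
    ending with no preceding driver load (WS02 here) never alerts on its own."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: (e["host"], e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        driver_name = ev["image"].lower().rsplit("\\", 1)[-1]
        if ev["id"] != 6 or driver_name not in SUSPECT_DRIVERS:
            continue
        killed = [later["image"] for later in events[i + 1:]
                  if later["host"] == ev["host"]
                  and later["ts"] - ev["ts"] <= window
                  and later["id"] == 5 and is_security_product(later["image"])]
        if killed:
            alerts.append({"host": ev["host"], "driver": ev["image"],
                           "loaded_at": ev["ts"].isoformat(), "killed": killed})
    return alerts
```

On the sample data only WS01 alerts: the Sophos and Defender terminations fall inside the window, the notepad termination is not a security product, and the CrowdStrike termination ninety minutes later is outside it.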
Black Basta loader observed in victim networks weeks before encryption
Researchers reported that a side-loaded loader linked to the intrusion was seen in victim environments weeks before ransomware execution. This suggests the operators may have maintained extended dwell time before launching encryption.
Police raid alleged Black Basta members in Ukraine
Following the February 2025 chat leak, police reportedly conducted raids against alleged Black Basta members in Ukraine. The action is cited as part of the fallout from the exposure of the group's internal communications.
Black Basta internal chat logs leak and group activity declines
Black Basta's internal chat logs leaked in early 2025, after which the group reportedly went quiet. The leak is described as a major disruption to the operation and a precursor to later developments.
NSecKrnl driver vulnerability CVE-2025-68947 is disclosed
A vulnerability in NsecSoft's signed NSecKrnl Windows kernel driver, tracked as CVE-2025-68947, was disclosed. The driver reportedly handles IOCTL requests without adequate permission checks, so a caller can use it to terminate protected processes.
Sources
Silent Killer: Black Basta Bundles "BYOVD" Driver to Blind Antivirus (securityonline.info)
Black Basta Ransomware Actors Embeds BYOVD Defense Evasion Component with Ransomware Payload Itself (cybersecuritynews.com)
Black Basta Bundles BYOVD With Ransomware Payload (darkreading.com)