A recent campaign by the Black Basta ransomware group has revealed a significant shift in attack tactics.
This is a departure from standard operations, where attackers typically deploy a separate tool to turn off security software before running the actual ransomware.
Security researchers have discovered that the group is now embedding a “Bring-Your-Own-Vulnerable-Driver” (BYOVD) component directly inside the ransomware payload. In this specific campaign, the payload bundles a vulnerable driver known as the NsecSoft NSecKrnl driver.
Under normal circumstances, a BYOVD attack involves dropping a legitimate, digitally signed driver that contains known security flaws onto a target network. Attackers then exploit these flaws to gain kernel-level access, allowing them to turn off antivirus and Endpoint Detection and Response (EDR) systems.
The NsecSoft driver used here suffers from a critical vulnerability identified as CVE-2025-68947. The flaw allows the driver to execute commands without verifying that the calling user has the required permissions.
This allows the ransomware to issue “Input/Output Control” (IOCTL) requests to the driver, forcing it to terminate high-privilege processes that the operating system would normally protect.
Once executed, the ransomware targets a massive list of security processes, including those from Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe).
After blinding the system’s defenses, the payload encrypts files and appends the “.locked” extension.
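The sequence described above leaves two telemetry events a defender can correlate: a load of a known-vulnerable driver, followed within seconds by the termination of security processes on the same host. The following Python sketch is an added example (not code from the original report or from any vendor's tooling) that runs that correlation over Sysmon-style events. The log lines are constructed, the driver watchlist contains only the NSecKrnl name from the article, and the sensor process names other than MsMpEng.exe are assumptions used to make the watchlist realistic.

```python
import json
from datetime import datetime, timedelta

# Security-tool processes whose termination is suspicious. MsMpEng.exe is the
# Defender engine named in the article; the other two names are assumptions
# added for this example (well-known EDR/AV service executables).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "ccsvchst.exe"}

# Driver file names treated as known-vulnerable. Only NSecKrnl appears on the
# page. Because the driver is legitimately signed, signature checks do not help;
# production detection should key on file hashes (e.g. a vulnerable-driver
# blocklist) rather than names, which an attacker can freely rename.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}

WINDOW = timedelta(seconds=120)  # look-ahead after a suspicious driver load
MIN_KILLS = 2                    # security-process terminations needed to alert

# Constructed sample telemetry (not real logs), one JSON object per line.
# eid 6 = DriverLoad, eid 5 = ProcessTerminate, eid 1 = ProcessCreate.
SAMPLE_LOG = r"""
{"ts": "2025-03-01T10:00:00", "eid": 1, "host": "ws01", "image": "C:\\Users\\a\\payload.exe"}
{"ts": "2025-03-01T10:00:05", "eid": 6, "host": "ws01", "image": "C:\\Windows\\Temp\\NSecKrnl.sys", "signed": "true"}
{"ts": "2025-03-01T10:00:07", "eid": 5, "host": "ws01", "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\MsMpEng.exe"}
{"ts": "2025-03-01T10:00:08", "eid": 5, "host": "ws01", "image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"}
{"ts": "2025-03-01T10:00:09", "eid": 5, "host": "ws01", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2025-03-01T11:30:00", "eid": 6, "host": "ws02", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": "true"}
{"ts": "2025-03-01T11:30:01", "eid": 5, "host": "ws02", "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\MsMpEng.exe"}
"""


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse JSON lines into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["name"] = basename(event["image"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_byovd_kills(events):
    """Alert when a known-vulnerable driver load is followed, on the same host
    and within WINDOW, by at least MIN_KILLS security-process terminations."""
    alerts = []
    for i, load in enumerate(events):
        if load["eid"] != 6 or load["name"] not in VULNERABLE_DRIVERS:
            continue
        deadline = load["ts"] + WINDOW
        killed = []
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, so nothing further is in the window
            if (later["host"] == load["host"] and later["eid"] == 5
                    and later["name"] in SECURITY_PROCESSES):
                killed.append(later["name"])
        if len(killed) >= MIN_KILLS:
            alerts.append({
                "host": load["host"],
                "driver": load["image"],
                "loaded_at": load["ts"].isoformat(),
                "killed": killed,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd_kills(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The tcpip.sys load on ws02 followed by a single Defender termination does not alert: the driver is not on the watchlist and only one watched process died. The ws01 sequence, a watchlist driver load followed within seconds by two security-process terminations, does. Because the article notes the window between driver load and encryption is very short, a detection like this should trigger an automated response (host isolation) rather than a ticket for a human to read.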
Cardinal’s Return and Context
This activity is attributed to “Cardinal,” the threat group behind Black Basta. This development is notable because embedding defense evasion directly into the ransomware is rare.
It was previously seen only in the Ryuk ransomware (2020) and a smaller strain called Obscura (2025). The group also had a strong association with the Qakbot botnet prior to its takedown in August 2023.
The new tactic marks a return to activity for Cardinal. The group had gone quiet following a major leak of their internal chat logs in February 2025, which exposed their operations and led to police raids in Ukraine and the identification of their alleged leader, Oleg Evgenievich Nefedov.
Despite law enforcement pressure, this technical innovation suggests the group is still evolving.
The individual who leaked these logs – who had the online handle ExploitWhispers – said they did so because Black Basta had targeted Russian banks.
Why This Matters for Defenders
BYOVD attacks are popular with attackers because they are effective and rely on legitimate, signed files, which are less likely to raise red flags.
Combining the evasion tool and the ransomware into a single file offers two main advantages for attackers:
- Stealth: It is “quieter” because it drops fewer files onto the victim’s network.
- Speed: It removes the gap between turning off security and encrypting files. This leaves defenders with almost no time to react once the driver is detected.
Researchers also noted suspicious activity weeks before the ransomware deployment, suggesting a long “dwell time” inside the network.
Impairing defenses, usually by attempting to disable antivirus (AV) or endpoint detection and response (EDR) products, is a key part of ransomware attacks in 2026.
As ransomware developers look for unique selling points to attract affiliates, this “all-in-one” payload approach may become a new standard in the cybercrime landscape of 2026.