Researchers discovered a vulnerable driver embedded in Black Basta's ransomware, illustrating the increasing popularity of the defense evasion technique.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

Black Basta ransomware gang has embedded a vulnerable driver (NsecSoft NSecKrnl) directly into their ransomware payload, marking a shift from the typical approach of deploying standalone EDR killers. This BYOVD (bring your own vulnerable driver) technique exploits CVE-2025-68947 to terminate security processes with kernel-level access. Bundling the driver with ransomware may reduce detection chances and speed up attacks by eliminating gaps between defense evasion and payload deployment. The incident highlights ongoing challenges with vulnerable drivers in Windows, despite Microsoft's blocklist feature, as threat actors continue exploiting even decade-old revoked certificates.

Black Basta Bundles BYOVD With Ransomware Payload

Potential Benefits of Embedded BYOVD Attacks

Ongoing Challenges With Vulnerable Drivers