BYOVD component included in ransomware payload itself, rather than as a separate tool.
Analysis Summary
# Tool/Technique: Bring-Your-Own-Vulnerable-Driver (BYOVD) Embedded in Black Basta
## Overview
This describes a specific instance of a Bring-Your-Own-Vulnerable-Driver (BYOVD) defense evasion technique where the vulnerable driver component was **bundled directly within the Black Basta ransomware payload**, rather than being deployed as a separate tool prior to the main encryption stage. The primary purpose is to leverage kernel-mode access via the exploited driver to terminate security processes before encryption.
## Technical Details
- Type: Technique (specifically, the embedding feature) / Malware Family (Black Basta components)
- Platform: Windows
- Capabilities: Privilege escalation, security software termination via kernel-mode execution.
- First Seen: The embedding strategy was noted in a recent Black Basta campaign; the underlying technique has historical precedents (e.g., Ryuk 2020, Obscura 2025).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - **T1218 - Signed Binary Proxy Execution**
    - T1218.011 - Bring Your Own Vulnerable Driver (BYOVD)
- **TA0004 - Privilege Escalation**
  - T1548 - Abuse Elevation Control Mechanism
    - T1548.002 - Bypass User Account Control (UAC) (implied; often achieved via kernel exploit for effective defense disabling)
## Functionality
### Core Capabilities
- **Defense Impairment:** The primary function is to disable security software (AV/EDR) running on the system.
- **Process Termination via Kernel Exploit:** The embedded NsecSoft NSecKrnl driver (vulnerable via CVE-2025-68947) is exploited using crafted IOCTL requests to terminate critical security processes.
### Advanced Features
- **Payload Consolidation:** The highly unusual feature is bundling the driver and the malicious executable together in the ransomware payload itself, streamlining the attack chain for affiliates.
- **System Process Targeting:** The technique targets a large list of security products, including numerous Sophos components, McAfee (e.g., `ekrn.exe`), Avast, CrowdStrike (`CSFalconService.exe`), and Microsoft Defender (`MsMpEng.exe`). This works because the kernel driver allows termination of processes that user-mode code cannot touch, including those running with SYSTEM privileges or as Protected Processes.
## Indicators of Compromise
- File Hashes:
  - Black Basta ransomware: `6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d`
  - Vulnerable NsecSoft NSecKrnl Driver: `206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261`
  - Loader (Suspicious): `bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e`
  - Suspicious File: `5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379`
- File Names:
  - Ransomware: `wxt4e.exe`
  - Driver File (likely dropped): `402.sys`
  - Webshell: `xxxxx.aspx`
- Registry Keys: None explicitly listed for creation, but service creation for the driver is attempted (`NSecKrnl` service).
- Network Indicators:
  - GotoHTTP RAT found post-deployment: `gotohttp.exe` (associated hash `230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9`)
- Behavioral Indicators:
  - Creation of an `NSecKrnl` service.
  - Execution of IOCTL requests against the loaded kernel driver.
  - Termination attempts targeting the listed security processes (e.g., `MsMpEng.exe`, `ekrn.exe`, `CSFalconService.exe`).
  - Encrypted files appended with the `.locked` extension.
## Associated Threat Actors
- **Cardinal** (The group tracked by Symantec and Carbon Black Threat Hunter Team that develops Black Basta).
## Detection Methods
- **Signature-based detection:** Provided hashes/files are detected by Symantec Endpoint products.
- **Behavioral detection:** Monitoring for process termination attempts targeting security software, particularly when associated with the loading of unsigned or known vulnerable drivers via service creation.
- **YARA rules:** Not explicitly provided, but YARA rules targeting the driver file name/characteristics (`402.sys` or identifying the NsecSoft driver signature) would be effective.
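The behavioral detection described above, as an added example that is not part of the original report: it correlates a kernel-driver service installation (matched on the report's service name, driver file name or driver hash) with subsequent termination of the listed security processes on the same host. The event records, field names and the ten-minute correlation window are assumptions, modelled loosely on Windows System log event 7045 and Sysmon-style process telemetry.

```python
"""Correlate kernel-driver service creation with later termination of security
processes on the same host. Added example; field names are assumptions."""
from datetime import datetime, timedelta

# Indicators taken from the report's IoC section.
KNOWN_DRIVER_SHA256 = {"206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261"}
SUSPECT_SERVICE_NAMES = {"nseckrnl"}
SUSPECT_DRIVER_FILES = {"402.sys"}
# Security processes the report lists as termination targets.
PROTECTED_PROCS = {"msmpeng.exe", "ekrn.exe", "csfalconservice.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def is_suspect_driver_install(ev):
    """Service-install event (7045-style) that points at a known bad driver."""
    if ev["kind"] != "service_install":
        return False
    path = ev["image_path"].lower()
    return (ev["service"].lower() in SUSPECT_SERVICE_NAMES
            or path.rsplit("\\", 1)[-1] in SUSPECT_DRIVER_FILES
            or ev.get("sha256", "") in KNOWN_DRIVER_SHA256)

def detect_byovd_chain(events):
    """Alerts for a suspect driver install and for security-process kills
    that follow it on the same host inside WINDOW (events time-sorted)."""
    installs = {}  # host -> timestamp of last suspect driver install
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if is_suspect_driver_install(ev):
            installs[ev["host"]] = ts
            alerts.append((ev["host"], "suspect_driver_service", ev["service"]))
        elif ev["kind"] == "process_terminate":
            t0 = installs.get(ev["host"])
            target = ev["target"].lower()
            if t0 and ts - t0 <= WINDOW and target in PROTECTED_PROCS:
                alerts.append((ev["host"], "byovd_security_kill", target))
    return alerts

# Constructed sample telemetry (not real captures).
SAMPLE = [
    {"ts": "2025-11-03T10:00:00", "host": "ws1", "kind": "service_install",
     "service": "NSecKrnl", "image_path": r"C:\Windows\Temp\402.sys",
     "sha256": "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261"},
    {"ts": "2025-11-03T10:00:07", "host": "ws1", "kind": "process_terminate",
     "target": "MsMpEng.exe"},
    {"ts": "2025-11-03T10:00:09", "host": "ws1", "kind": "process_terminate", "target": "notepad.exe"},
    # ws2 has no preceding driver install, so this kill stays unflagged.
    {"ts": "2025-11-03T10:30:00", "host": "ws2", "kind": "process_terminate",
     "target": "ekrn.exe"},
]
```

Running `detect_byovd_chain(SAMPLE)` yields one alert for the `NSecKrnl` service install and one for the `MsMpEng.exe` kill that follows it on the same host; the unrelated `notepad.exe` exit and the uncorrelated `ekrn.exe` event on `ws2` produce nothing.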
## Mitigation Strategies
- **Prevention measures:** Prevent the execution of known vulnerable drivers (e.g., using driver signing enforcement policies if possible, or reputation checks). Patching the underlying driver vulnerability (CVE-2025-68947) is critical.
- **Hardening recommendations:** Implement strict controls over service creation, especially those related to kernel drivers. Apply the principle of least privilege to prevent local attackers from executing code that exploits kernel vulnerabilities. Restrict the ability to load unknown or unsigned drivers via kernel-mode hooks or controls.
## Related Tools/Techniques
- Ryuk Ransomware (2020) - Used similar BYOVD component structure previously.
- Obscura Ransomware (2025) - Previously used embedded defense evasion components.
- GotoHTTP - Remote Access Tool found on the network post-deployment, indicating potential secondary objectives or persistent access maintenance.