Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

Khushal

Apr 4, 2024
A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself.

Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.
 
What makes this Black Basta report notable is the “packaging” choice: the ransomware payload itself drops and abuses a signed-but-vulnerable kernel driver (BYOVD), instead of relying on a separate pre-ransomware “AV/EDR killer” stage. That reduces the defender’s time window because defense impairment and encryption can happen almost back-to-back. ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd))

What the BYOVD piece is doing here
The write-up says the payload drops an NsecSoft NSecKrnl driver, creates an NSecKrnl service, then abuses the driver to terminate security processes (kernel-mode termination is a common goal of BYOVD). ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd))

The referenced vulnerability is CVE-2025-68947: the NSecKrnl driver allows a local authenticated attacker to terminate processes owned by other users (including SYSTEM / Protected Processes) via crafted IOCTL requests. ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd)) ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2025-68947))

Why defenders should care
  • Less warning: if the “driver drop + killing EDR + encryption” is one bundled action, you may not see (or have time to respond to) a separate BYOVD tool staging step. ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd))
  • Legit-signed driver abuse: BYOVD often leverages legitimate signed files, which can blend in better than obviously unsigned kernel malware. ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd))

Practical mitigation / hardening (high value)
  • Enable Microsoft’s vulnerable driver protections where possible (Windows Security “Core isolation / Memory integrity” and related blocklisting features). This is specifically aimed at reducing BYOVD-style driver abuse, though it can have compatibility impacts in some environments.
  • Application control for drivers (enterprise): WDAC / App Control policies that restrict which drivers can load is one of the most direct mitigations for BYOVD.
  • Monitor for driver/service installation events: alert on new kernel driver loads and new services pointing to .sys files (especially outside normal software deployment workflows).
  • Reduce who can install drivers: limit local admin, tighten UAC expectations, and monitor privileged tool usage. BYOVD commonly relies on having enough local privilege to get the driver onto the box and started.
  • Tamper protection: ensure endpoint product self-protection/tamper protection is enabled and centrally enforced (where supported). It won’t “solve” kernel BYOVD by itself, but it raises the cost for attackers.
  • Backups and restore readiness: because defense impairment is intended to make encryption “stick,” resilient offline/immutable backups and tested restores remain critical.

Quick indicators mentioned in the article (for hunting/triage)
From the report, notable items include: creation of an “NSecKrnl” service, dropping a vulnerable driver (example shown as “402.sys”), and encrypted files getting a “.locked” extension. The post also lists several file hashes and other artifacts as IOCs. ([security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-byovd))

If any of these indicators appear in an environment, the safe next step is standard incident-response handling (isolate affected systems, preserve evidence, and run validated IR playbooks) rather than trying to “clean” it live.

Technical Analysis & Remediation

Attack Vector & Mechanism

Unlike previous campaigns where tools like AuKill or Poortry were dropped separately, the vulnerable driver (402.sys) is bundled inside the main ransomware executable. Upon execution, the payload drops the driver, establishes the NSecKrnl service, and issues IOCTL requests to terminate specific security processes.

MITRE ATT&CK Mapping

T1562.001 (Impair Defenses: Disable or Modify Tools)
Abusing vulnerable drivers to kill AV/EDR.

T1068 (Exploitation for Privilege Escalation)
Leveraging CVE-2025-68947 to gain SYSTEM/Kernel access.

T1574.002 (Hijack Execution Flow: DLL Side-Loading)
Use of vspmsg.dll loader.

T1219 (Remote Access Software)
Deployment of GotoHTTP for persistence.

CVE Profile

ID: CVE-2025-68947
Component: NsecSoft NSecKrnl Driver
Vector: Local, Authenticated.
Impact: Arbitrary process termination (including Protected Processes) via crafted IOCTLs due to insufficient permission verification.

Live Evidence Extraction (Anchors)

Targeted Processes (Partial List)

"Sophos UI.exe", "CSFalconService.exe", "MsMpEng.exe", "CarbonBlackClient.exe" (implied by context), "ekrn.exe", "AvastUI.exe".

Ransomware Extension
Files are appended with .locked.

Persistence Tool
gotohttp.exe found post-encryption.

Indicators of Compromise (IOCs)

Ransomware (Black Basta): 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d
Vulnerable Driver (402.sys): 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261
Loader (vspmsg.dll): bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e
Webshell: e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4
Remote Access (GotoHTTP): 230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Hunt for Driver Load Events
Query SIEM/EDR for the loading of 402.sys or the creation of the NSecKrnl service.

Isolate Infected Hosts
Immediately sever network connections for any host exhibiting IOCTL calls to the NsecSoft driver or creating files with the .locked extension.

Block Hash Indicators
Push the IOCs listed above to all perimeter firewalls and endpoint blocklists immediately.

Phase 2: Eradication

Root Cause Analysis
Investigate the vspmsg.dll loader to determine the initial entry vector (likely phishing or exploited edge services).

Neutralize Persistence
Remove the GotoHTTP tool and any scheduled tasks associated with the ransomware or the xxxxx.aspx webshell found in the environment.

Driver Pruning
Ensure the malicious 402.sys driver is deleted and the associated service registry keys are removed.

Phase 3: Recovery

Validation
Verify EDR agents are fully functional and "checking in" after the driver is removed. The ransomware attempts to kill "SophosHealth.exe", "SmcGui.exe", "cyserver.exe", etc.

Restoration
Reimage compromised hosts. Do not attempt to decrypt without a valid key; restoration from offline/immutable backups is the only guaranteed recovery method.

Phase 4: Lessons Learned

Driver Blocklist Enforcement
This attack succeeds because the driver is signed. Implement the Microsoft Vulnerable Driver Blocklist (HVCI) via Group Policy to prevent known vulnerable drivers from loading.

EDR Tamper Protection
Review EDR configurations to ensure "Tamper Protection" is set to the highest level, though kernel-level BYOVD attacks can sometimes bypass user-mode protections.

Remediation - THE HOME USER TRACK

Priority 1: Safety & Isolation

Disconnect Immediately
If you suspect infection (files renamed to .locked), unplug the ethernet cable or disable Wi-Fi to prevent spread to shared drives or cloud sync folders.

Offline Scanning
Use a rescue disk (e.g., Microsoft Defender Offline) to scan the system without loading the operating system, preventing the ransomware driver from loading.

Priority 2: Identity

Credential Reset
If GotoHTTP was present, assume the attacker had remote access. Reset all passwords (email, banking) from a clean device.

Priority 3: Persistence Removal

Check Installed Programs
Look for "GotoHTTP" or unknown remote desktop tools and uninstall them.

System Restore
If backups are unavailable, a full Windows reinstall is recommended over attempting to clean a compromised system.

Hardening & References

Baseline

CIS Benchmark for Windows Server 2025 (ensure "User Rights Assignment" prevents unauthorized driver loading).

Tactical
Microsoft HVCI (Hypervisor-Protected Code Integrity). Enabling Memory Integrity in Windows Security settings blocks many BYOVD attacks by verifying driver compatibility and signatures against a deny list.

Reference

Primary Report (Security.com)
 
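
The Phase 1 hunting steps in the post (look for 402.sys driver loads and creation of the NSecKrnl service, isolate hosts that start producing .locked files, match the listed hashes) as one worked triage script. This is an added example, not code from the security.com report or from the poster. It assumes Windows System-log event 7045 (new service) and Sysmon events 1, 6, 7 and 11 as the input shape; the SAMPLE_EVENTS are constructed, only the hashes, the service name and the 402.sys file name come from the post, and the 20-files-in-60-seconds burst threshold is an assumed tuning value the report does not state.

```python
"""Hunt for the Black Basta BYOVD indicators quoted in the post over Windows event records.

Added example (not the report's or the poster's code). Field names follow the System log
(event 7045) and Sysmon (events 1, 6, 7, 11); SAMPLE_EVENTS is constructed, only the hash
values, the NSecKrnl service name and the 402.sys file name are taken from the post.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# SHA-256 IOCs listed in the post, mapped to what they identify.
IOC_HASHES = {
    "6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d": "Black Basta payload",
    "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261": "vulnerable driver 402.sys",
    "bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e": "loader vspmsg.dll",
    "e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4": "webshell",
    "230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9": "GotoHTTP",
}
SUSPECT_SERVICE = "nseckrnl"      # service name the payload creates
SUSPECT_DRIVER_FILE = "402.sys"   # driver file name shown in the report


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def sha256_from_sysmon(hashes: str) -> str | None:
    """Sysmon packs hashes as 'MD5=...,SHA256=...,IMPHASH=...'; return SHA256 lowercased."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events: list[dict], locked_threshold: int = 20, window_s: int = 60) -> list[Alert]:
    """Walk events in time order and emit alerts (threshold/window are assumed tuning values)."""
    alerts: list[Alert] = []
    locked_ts: dict[str, list[int]] = defaultdict(list)   # per-host .locked timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, src, eid = ev["host"], ev["source"], ev["event_id"]
        if src == "System" and eid == 7045:
            # New service. The NSecKrnl name or the 402.sys path is a direct hit; any other
            # service pointing at a .sys file is a lower-priority triage item.
            name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name.lower() == SUSPECT_SERVICE or image.lower().endswith(SUSPECT_DRIVER_FILE):
                alerts.append(Alert(host, "byovd-service-install", f"{name} -> {image}"))
            elif image.lower().endswith(".sys"):
                alerts.append(Alert(host, "new-driver-service", f"{name} -> {image}"))
        elif src == "Sysmon" and eid == 6:
            # Driver load: the hash catches a renamed copy, the file name catches a recompiled one.
            image = ev.get("ImageLoaded", "")
            digest = sha256_from_sysmon(ev.get("Hashes", ""))
            if digest in IOC_HASHES:
                alerts.append(Alert(host, "ioc-hash-driver-load", f"{image} ({IOC_HASHES[digest]})"))
            elif image.lower().endswith(SUSPECT_DRIVER_FILE):
                alerts.append(Alert(host, "byovd-driver-name", image))
        elif src == "Sysmon" and eid in (1, 7):
            # Process create / image load: any listed hash (payload, loader DLL, GotoHTTP).
            digest = sha256_from_sysmon(ev.get("Hashes", ""))
            if digest in IOC_HASHES:
                image = ev.get("Image") or ev.get("ImageLoaded", "")
                alerts.append(Alert(host, "ioc-hash-match", f"{image} ({IOC_HASHES[digest]})"))
        elif src == "Sysmon" and eid == 11:
            # File create ending in .locked: fire once when a host crosses the burst threshold.
            if ev.get("TargetFilename", "").lower().endswith(".locked"):
                ts = locked_ts[host]
                ts.append(ev["ts"])
                while ts and ts[0] < ev["ts"] - window_s:
                    ts.pop(0)
                if len(ts) == locked_threshold:
                    alerts.append(Alert(host, "mass-locked-rename",
                                        f"{locked_threshold} .locked files within {window_s}s"))
    return alerts


def _ev(ts: int, host: str, source: str, event_id: int, **fields) -> dict:
    return {"ts": ts, "host": host, "source": source, "event_id": event_id, **fields}


# Constructed sample: one compromised host (WS-042) and one host with an ordinary driver install.
SAMPLE_EVENTS = [
    _ev(100, "WS-042", "Sysmon", 1, Image=r"C:\Users\Public\update.exe",
        Hashes="SHA256=6BD8A0291B268D32422139387864F15924E1DB05DBEF8CC75A6677F8263FA11D"),
    _ev(101, "WS-042", "System", 7045, ServiceName="NSecKrnl",
        ImagePath=r"C:\Users\Public\402.sys", ServiceType="kernel mode driver"),
    _ev(102, "WS-042", "Sysmon", 6, ImageLoaded=r"C:\Users\Public\402.sys", Signed="true",
        Hashes="MD5=0,SHA256=206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261"),
    _ev(150, "WS-007", "System", 7045, ServiceName="vendorprint",
        ImagePath=r"C:\Windows\System32\drivers\vendorprint.sys"),
    _ev(151, "WS-007", "Sysmon", 11, TargetFilename=r"C:\Users\alice\report.docx"),
] + [
    _ev(110 + i, "WS-042", "Sysmon", 11,
        TargetFilename=rf"C:\Users\alice\Documents\file{i}.docx.locked")
    for i in range(25)
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.host:8} {a.rule:24} {a.detail}")
```

On the constructed sample this yields four alerts for WS-042 (hash match on the dropped executable, the NSecKrnl service install, the driver load matched by hash, and the .locked burst once 20 files appear inside the window) and one low-priority new-driver-service item for WS-007. In practice, feed it records exported from the SIEM and treat new-driver-service as a triage queue rather than an incident, since legitimate software installs kernel drivers too; the hash rules are the ones that justify immediate isolation.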
Interesting how this ransomware already comes with its own vulnerable driver 🔍. At home the risk is lower, but knowing about these techniques helps to understand the evolution and maintain good security habits 📚. Thanks for sharing the information.