Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

Black Basta operators (tracked as the group Cardinal) deployed a ransomware payload that uniquely bundled a vulnerable NsecSoft NSecKrnl kernel driver (CVE-2025-68947) to kill security processes and evade defenses, appending a “.locked” extension to encrypted files. The campaign also included a prior side-loaded loader and post-deployment presence of the GotoHTTP RAT, suggesting long dwell time or attempts to maintain persistence. #BlackBasta #Cardinal

Key points

  • Black Basta’s ransomware binary bundled a vulnerable signed kernel-mode driver (NsecSoft NSecKrnl) directly within the payload, enabling BYOVD-style defense evasion without a separate pre-deployed driver.
  • The NSecKrnl driver (402.sys) contains a critical vulnerability (CVE-2025-68947) that allows attackers to issue crafted IOCTLs to terminate processes owned by other users, including SYSTEM and Protected Processes.
  • The ransomware targeted and attempted to kill a broad set of security-related processes (Sophos, Microsoft Defender, CrowdStrike, ESET, Avast, etc.) before encrypting files with a “.locked” extension.
  • Investigators observed a suspicious side-loaded loader on the network weeks before the ransomware and found the GotoHTTP RAT on some machines the day after deployment, indicating possible long dwell time and post-deployment persistence attempts.
  • Bundling defense-evasion functionality into the ransomware payload may make attacks quieter and faster (fewer detectable intermediate stages), potentially increasing appeal to affiliates and encouraging wider adoption by other ransomware families.
  • Symantec published IOCs and detections (file hashes, driver filename 402.sys, and related loader/binaries) and recommends consulting the Symantec Protection Bulletin for mitigation updates.

MITRE Techniques

  • [T1562] Impair Defenses – BYOVD was used to disable or impair AV/EDR protections by deploying and exploiting a vulnerable signed driver bundled inside the ransomware. (‘BYOVD is by far the most frequently used technique for defense impairment these days.’)
  • [T1562.001] Disable or Modify Tools – The vulnerable NSecKrnl driver was exploited to terminate security processes and disable protections via crafted IOCTL requests. (‘This driver… allows a local, authenticated attacker to terminate processes owned by other users… by issuing crafted IOCTL requests to the driver.’)
  • [T1215] Kernel Modules and Extensions – A kernel-mode driver (NsecSoft NSecKrnl / 402.sys) was dropped and a service created to enable kernel-level manipulation and process termination. (‘The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service.’)
  • [T1218] Signed Binary Proxy Execution / DLL Side-loading – A suspicious side-loaded loader was observed on the network weeks prior to deployment, indicating use of side-loading to execute malicious code under the guise of legitimate binaries. (‘presence of a suspicious side-loaded loader on the target’s network several weeks prior to the ransomware being deployed’)

Indicators of Compromise

  • [File hashes] Malware and related artifacts – 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d (Black Basta – wxt4e.exe), 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 (NSecKrnl driver – 402.sys), and 4 other hashes published by Symantec.
  • [File names] Binaries and drivers observed – wxt4e.exe (Black Basta payload), 402.sys (NsecSoft NSecKrnl vulnerable driver), vspmsg.dll (loader), gotohttp.exe (GotoHTTP RAT).
  • [Webshell] Webshell artifact – e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4 – webshell (xxxxx.aspx).
  • [Loader / DLL] Suspicious loader and side-loaded DLL – bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e – loader (vspmsg.dll).
  • [Process names] Targeted security processes – MsMpEng.exe (Windows Defender), CSFalconService.exe (CrowdStrike), plus multiple Sophos, ESET, Avast processes observed as termination targets.
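As an added defensive example, not code from the Symantec write-up, the Python below applies the indicators listed above (the two published SHA-256 values, the 402.sys driver name, the NSecKrnl service name and the named security processes) to constructed telemetry in an assumed key=value format, and flags the service-install, driver-load and process-kill sequence that makes up this BYOVD pattern.

```python
import re
from typing import Dict, List

# Indicators as published in the summary above (hashes, driver and service names, targeted processes).
KNOWN_HASHES = {
    "6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d": "Black Basta payload (wxt4e.exe)",
    "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261": "NSecKrnl driver (402.sys)",
}
DRIVER_FILE, SERVICE_NAME = "402.sys", "nseckrnl"
SECURITY_PROCS = {"msmpeng.exe", "csfalconservice.exe"}

# Constructed sample telemetry, not real logs; the key=value field names are an
# assumption standing in for service-install, driver-load and process events.
SAMPLE_LOG = """\
event=ServiceInstall service=NSecKrnl image=C:\\Windows\\Temp\\402.sys
event=DriverLoad image=C:\\Windows\\Temp\\402.sys sha256=206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261
event=ProcessTerminate target=MsMpEng.exe initiator=wxt4e.exe
event=ProcessTerminate target=notepad.exe initiator=explorer.exe
event=ServiceInstall service=Spooler image=C:\\Windows\\System32\\spoolsv.exe
"""

def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()

def scan_log(text: str) -> List[dict]:
    """Apply the three BYOVD rules to every record and return one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec, rule = parse_line(line), None
        image, ev = basename(rec.get("image", "")), rec.get("event")
        if ev == "ServiceInstall" and (rec.get("service", "").lower() == SERVICE_NAME or image == DRIVER_FILE):
            rule = "byovd_service_install"      # NSecKrnl service creation described in the write-up
        elif ev == "DriverLoad" and (rec.get("sha256") in KNOWN_HASHES or image == DRIVER_FILE):
            rule = "vulnerable_driver_load"     # the bundled 402.sys being loaded
        elif ev == "ProcessTerminate" and rec.get("target", "").lower() in SECURITY_PROCS:
            rule = "security_process_kill"      # AV/EDR process killed, e.g. MsMpEng.exe
        if rule:
            findings.append({"line": lineno, "rule": rule, "record": line})
    return findings

def byovd_chain(findings: List[dict]) -> bool:
    """True only when install, load and kill all occur: the full pattern described above."""
    seen = {f["rule"] for f in findings}
    return {"byovd_service_install", "vulnerable_driver_load", "security_process_kill"} <= seen
```

In a real hunt the same three rules map onto the equivalent fields of Sysmon or Windows Security events rather than this constructed format.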


Read more: https://www.security.com/threat-intelligence/black-basta-ransomware-byovd