Security Articles

Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

released on 2026-02-05 @ 08:21:26 PM
A recent Black Basta ransomware campaign incorporated a bring-your-own-vulnerable-driver (BYOVD) defense evasion component within the payload itself, a departure from typical practices. The ransomware exploited a vulnerable NsecSoft NSecKrnl driver to terminate security processes. This approach, previously seen in Ryuk and Obscura attacks, may indicate a trend towards bundling additional capabilities in ransomware payloads. The attack also involved a long dwell time and post-deployment activity using GotoHTTP. The Cardinal group, responsible for Black Basta, had been quiet following a chat log leak in 2025 but appears to be resuming activities. This development raises questions about future ransomware tactics and the potential advantages of embedding defense evasion capabilities within payloads.