What happened
Researchers from Symantec have observed the Black Basta ransomware group embedding a Bring Your Own Vulnerable Driver (BYOVD) loader to disable endpoint security controls during recent attacks. According to the report, the ransomware operators used the BYOVD technique to load a legitimate but vulnerable signed driver on compromised Windows systems, allowing them to terminate or bypass security products running on the host. Once defenses were weakened, the attackers deployed the Black Basta ransomware payload to encrypt files and carry out extortion activity. Symantec’s analysis showed that the campaign relied on abused drivers that remain trusted by the operating system, enabling the malware to operate with elevated privileges while evading detection. The use of BYOVD reflects a continued evolution in Black Basta’s tactics, combining low-level driver abuse with established ransomware deployment methods.
Who is affected
Windows systems targeted by Black Basta ransomware campaigns are affected, as attackers can disable endpoint protections using the BYOVD loader before encrypting files and demanding ransom.
Why CISOs should care
The use of BYOVD techniques by ransomware actors demonstrates how trusted but vulnerable drivers can be weaponized to bypass security controls, increasing the difficulty of detection and response on enterprise endpoints.
3 practical actions
- Identify vulnerable signed drivers. Review endpoints for outdated or exploitable third-party drivers that could be abused.
- Monitor driver loading activity. Detect anomalous driver installations or abuse of trusted drivers.
- Correlate defense evasion signals. Watch for sudden endpoint protection termination followed by encryption behavior.