The notorious Black Basta ransomware gang has returned with a new weapon in its toolbox. In a report released on Thursday, the Symantec and Carbon Black Threat Hunter Team described a recent attack with an intriguing development: the Black Basta ransomware payload had a vulnerable driver built right into it.

In recent years, ransomware gangs have increasingly relied on a technique called bring your own vulnerable driver (BYOVD). In a BYOVD attack, the threat actor, already holding the administrator privileges needed to load a driver, installs a legitimately signed but vulnerable driver and then exploits it to gain kernel-level access and terminate the target system's security processes. Such drivers are the core component of evasion tools known as EDR killers, which have proven highly effective at helping ransomware actors carry out intrusions.
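The driver load itself is the observable event defenders can key on. The following is an added example, not code from the article or from the Threat Hunter Team's report, of a triage check over Sysmon Event ID 6 (DriverLoad) records. It assumes the events have been flattened to `key=value;` lines; the sample lines and the blocklist hashes are constructed placeholders, not real vulnerable-driver hashes.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example for illustration only. The log lines are constructed and the
blocklist hashes are placeholders; in production, populate the blocklist from
Microsoft's vulnerable driver blocklist or the LOLDrivers project.
"""
from dataclasses import dataclass

# Hypothetical SHA-256 values standing in for real blocklist entries.
PLACEHOLDER_VULN_HASH = "a" * 64
BENIGN_HASH = "b" * 64
UNSIGNED_HASH = "c" * 64

KNOWN_VULNERABLE_SHA256 = {PLACEHOLDER_VULN_HASH}

# Legitimate driver packages are rarely installed from these locations; a
# driver loaded from here was most likely dropped by the intrusion itself.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
    "c:\\perflogs\\",
)

# Constructed sample events: one benign Microsoft driver, one BYOVD-style
# load (validly signed third-party driver dropped in a user directory), and
# one unsigned driver in the system driver directory.
SAMPLE_EVENTS = [
    f"ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; Hashes=SHA256={BENIGN_HASH}; "
    "Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    f"ImageLoaded=C:\\Users\\Public\\Libraries\\drv.sys; Hashes=SHA256={PLACEHOLDER_VULN_HASH}; "
    "Signed=true; Signature=Example Hardware Vendor; SignatureStatus=Valid",
    f"ImageLoaded=C:\\Windows\\System32\\drivers\\helper.sys; Hashes=SHA256={UNSIGNED_HASH}; "
    "Signed=false; Signature=-; SignatureStatus=Unavailable",
]


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_event(line: str) -> DriverLoad:
    """Parse one flattened 'key=value; key=value' Sysmon EID 6 line."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    # Sysmon's Hashes field is itself comma-separated 'ALGO=hex' pairs.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unknown"),
    )


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks suspicious (empty list if none)."""
    reasons = []
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable driver")
    if ev.image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every event that trips at least one rule."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            flagged.append((ev.image, reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(reasons)}")
```

The second sample is the BYOVD case: the driver carries a valid vendor signature, so a signature-only rule lets it through, and it is the hash blocklist and the load path that flag it. Enforcing Microsoft's vulnerable driver blocklist through HVCI or a WDAC policy blocks such loads outright, which is preferable to detecting them after the fact.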

"In other situations, defenders might have time to halt the attack before the ransomware is installed if they noticed a suspicious driver being dropped on a system."

## Persistent Issues With At-Risk Drivers

BYOVD is without a doubt the most popular evasion technique employed by ransomware attackers, according to the Threat Hunter Team. Ransomware gangs have occasionally built evasion features directly into their payloads, but the researchers noted that Black Basta had never previously bundled a driver with its ransomware, and suggested that such bundled capabilities may make a payload more attractive to other threat actors.

The Threat Hunter Team stated that "having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require less steps, potentially making such a payload more attractive to affiliates." The Black Basta attack is only the latest example of the threat posed by vulnerable drivers. Just last week, researchers at Huntress described an intrusion in which attackers weaponized a driver belonging to the EnCase digital forensics suite.