The bring-your-own-vulnerable-driver (BYOVD) technique has been reimagined by an emergent ransomware group. The Symantec and Carbon Black Threat Hunter Team described a recent attack in a report released on Thursday, which included an intriguing development: A Black Basta ransomware payload had a vulnerable driver embedded right in it. On Monday, Symantec and Carbon Black revised the report in light of additional investigation that showed the payload belonged to a brand-new ransomware family called "Reynolds."

In a BYOVD attack, a threat actor loads a legitimate but vulnerable software driver, which runs with elevated privileges and kernel-level access to Windows, and abuses it to terminate the targeted system's security processes.

These drivers are the main component of evasion tools called EDR killers, and they have proven highly successful in helping ransomware actors carry out intrusions. EDR platforms frequently stop attempted ransomware attacks, but with a vulnerable driver a threat actor can single out a particular security product and turn it off, much as a burglar disables a home alarm before entering. In other cases, defenders who notice a suspicious driver being dropped on a system might have time to halt the attack before the ransomware is deployed.
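The detection opportunity mentioned above, a driver being dropped and loaded outside its normal location, can be checked from driver-load telemetry. The following is an added example, not code from the Symantec and Carbon Black report: it triages constructed Sysmon-style Event ID 6 (DriverLoad) records, flagging a driver whose hash is on a vulnerable-driver blocklist, one loaded from a non-standard path, or one that is unsigned. The record format, the trusted-path list and the blocklist hash are assumptions and placeholders for illustration.

```python
import re
from typing import Optional

# Constructed placeholder blocklist (not a real indicator); in practice populate
# this from a curated vulnerable-driver list maintained by your security team.
KNOWN_VULNERABLE_SHA256 = {"00" * 32}

# Drivers normally load from these locations; a driver dropped elsewhere is suspect.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_event(line: str) -> dict:
    """Parse a tab-separated 'Key=Value' record (constructed Sysmon-like format)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def sha256_of(fields: dict) -> Optional[str]:
    """Pull the SHA256 entry out of a Sysmon-style 'Hashes' field, lowercased."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", fields.get("Hashes", ""))
    return m.group(1).lower() if m else None

def triage_driver_load(line: str) -> Optional[str]:
    """Return a reason string if the DriverLoad record matches a BYOVD pattern, else None."""
    f = parse_event(line)
    if f.get("EventID") != "6":          # only driver-load events are of interest here
        return None
    image = f.get("ImageLoaded", "").lower()
    if sha256_of(f) in KNOWN_VULNERABLE_SHA256:
        return f"known vulnerable driver hash loaded: {image}"
    if not image.startswith(TRUSTED_PREFIXES):
        return f"driver loaded from non-standard path: {image}"
    if f.get("Signed", "").lower() != "true":
        return f"unsigned driver loaded: {image}"
    return None

# Constructed sample records: a benign load, a blocklisted hash, a driver dropped in
# ProgramData, an unsigned driver in the system directory, and a non-driver event.
SAMPLE_EVENTS = [
    "EventID=6\tImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys\tHashes=SHA256=" + "11" * 32 + "\tSigned=true",
    "EventID=6\tImageLoaded=C:\\Users\\Public\\drv.sys\tHashes=SHA256=" + "00" * 32 + "\tSigned=true",
    "EventID=6\tImageLoaded=C:\\ProgramData\\x\\legit.sys\tHashes=SHA256=" + "22" * 32 + "\tSigned=true",
    "EventID=6\tImageLoaded=C:\\Windows\\System32\\drivers\\odd.sys\tHashes=SHA256=" + "33" * 32 + "\tSigned=false",
    "EventID=1\tImage=C:\\Windows\\System32\\cmd.exe",
]

def triage_all(lines=SAMPLE_EVENTS) -> list:
    """Run triage over a batch of records and keep only the findings."""
    return [r for r in (triage_driver_load(ln) for ln in lines) if r]

if __name__ == "__main__":
    for reason in triage_all():
        print("ALERT:", reason)
```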

## Continued Issues With Vulnerable Drivers

BYOVD is without a doubt the most popular evasion technique employed by ransomware attackers, according to the Threat Hunter Team.

Although there have been a few isolated instances where ransomware gangs have included an evasion element in their payloads, the researchers said they had not previously seen a driver bundled in this way, and noted that doing so may increase the appeal of such offerings to threat actors. The Threat Hunter Team stated that "having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require fewer steps, potentially making such a payload more attractive to affiliates." The Reynolds attack is only the most recent illustration of the risks posed by vulnerable drivers.

Last week, researchers at Huntress described an instance in which attackers weaponized a driver belonging to the EnCase digital forensics suite.