A severe evolution of the notorious BlackBasta ransomware strain has begun proliferating, showing marked advancements in unhooking userland APIs and avoiding behavioral detection mechanisms.
Our threat researchers reverse-engineered the payload, discovering a custom ChaCha20 implementation combined with RSA-4096. Additionally, the malware now actively hunts down shadow copies and virtualization snapshots before beginning the encryption cycle.
Evasion Techniques
The variant uses "Bring Your Own Vulnerable Driver" (BYOVD) tactics: it drops a signed but vulnerable hardware-profiling driver to gain kernel memory write access on the host, which it then uses to blind Endpoint Detection and Response (EDR) agents.
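A defender-side correlation check for the two pre-encryption behaviours described above, an unusual driver load followed by shadow-copy deletion on the same host, written here as an added example (not code from the original post or from any BlackBasta analysis tooling); the event shape, hostnames, driver paths and command lines are constructed, and the 30-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-like shape (not real events):
# id 6 = driver loaded, id 1 = process created.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "host": "ws01", "id": 6,
     "image": r"C:\Users\Public\hwprof.sys", "signed": True},
    {"time": "2024-01-01T10:00:20", "host": "ws01", "id": 1,
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"time": "2024-01-01T10:00:25", "host": "ws01", "id": 1,
     "cmd": "wmic shadowcopy delete"},
    {"time": "2024-01-01T09:00:00", "host": "ws02", "id": 6,
     "image": r"C:\Windows\System32\drivers\ntfs.sys", "signed": True},
    {"time": "2024-01-01T15:00:00", "host": "ws02", "id": 1,
     "cmd": "vssadmin list shadows"},
]

# Shadow-copy deletion command lines (MITRE ATT&CK T1490 style detection content).
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def suspicious_driver_load(ev):
    """A BYOVD driver carries a valid signature, so the 'signed' flag alone says
    nothing; flag driver loads from outside the system driver store instead."""
    return ev["id"] == 6 and not ev["image"].lower().startswith(SYSTEM_DRIVER_DIR)

def correlate(events, window=timedelta(minutes=30)):
    """Pair each unusual driver load with shadow-copy deletion on the same host
    inside `window` (assumed value); return one finding per such driver load."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for drv in filter(suspicious_driver_load, evs):
            t0 = datetime.fromisoformat(drv["time"])
            cmds = [e["cmd"] for e in evs
                    if e["id"] == 1 and SHADOW_DELETE.search(e["cmd"])
                    and t0 <= datetime.fromisoformat(e["time"]) <= t0 + window]
            if cmds:
                findings.append({"host": host, "driver": drv["image"],
                                 "shadow_delete_cmds": cmds})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Because the dropped driver is legitimately signed, path-based and behavioural checks like this one should be paired with Microsoft's vulnerable driver blocklist (enforced through WDAC or HVCI), which blocks the known-bad driver before it ever loads.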