Cybersecurity researchers have identified a new ransomware threat that's changing the game for defense evasion. Reynolds ransomware has emerged with an innovative approach: embedding a Bring Your Own Vulnerable Driver (BYOVD) component directly within the ransomware payload itself, eliminating the need for separate deployment steps.
The BYOVD Technique Evolved
Traditionally, ransomware operations involve multiple stages. Attackers first deploy tools to disable security software, then execute the ransomware payload. Reynolds breaks this pattern by bundling both capabilities into a single executable, making the attack more streamlined and harder to detect.
The BYOVD technique exploits legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions. By abusing trusted, signed drivers, attackers can bypass security controls that would typically flag malicious activity.
Technical Analysis: NSecKrnl Driver Exploitation
Reynolds leverages a vulnerable NsecSoft NSecKrnl driver affected by CVE-2025-68947 (CVSS score: 5.7), which allows arbitrary process termination. According to research from Symantec and Carbon Black, the ransomware specifically targets processes from multiple security vendors:
- Avast
- CrowdStrike Falcon
- Palo Alto Networks Cortex XDR
- Sophos (including HitmanPro.Alert)
- Symantec Endpoint Protection
The same vulnerable driver has been previously exploited by the Silver Fox threat actor to deliver ValleyRAT malware, demonstrating its effectiveness in endpoint security evasion.
Why Bundle Defense Evasion with Ransomware?
Integrating the BYOVD component directly into the ransomware payload offers several tactical advantages:
Reduced Detection Surface: A single file is quieter than multiple components being dropped across the network. Security tools monitoring for multi-stage attacks may miss the consolidated approach.
Simplified Affiliate Operations: Ransomware-as-a-Service (RaaS) affiliates no longer need to incorporate separate defense evasion steps into their playbooks. The all-in-one approach lowers the technical barrier for less sophisticated attackers.
Faster Execution: By eliminating the need to deploy and execute multiple tools sequentially, attackers can move from initial access to encryption more rapidly, reducing the window for detection and response.
Attack Timeline and Persistence
Symantec researchers observed suspicious activity on target networks several weeks before the ransomware deployment. A side-loaded loader appeared on the network, suggesting the attackers established an initial foothold long before launching the encryption phase.
One day after ransomware deployment, investigators discovered the GotoHTTP remote access program on compromised systems. This indicates the threat actors are maintaining persistent access even after the encryption event, potentially for:
- Monitoring victim negotiations
- Launching secondary extortion attempts
- Accessing additional data for leverage
- Re-encrypting systems if initial ransom demands aren't met
The Broader Ransomware Landscape
Reynolds emerges amid significant evolution in ransomware tactics:
Virtual Machine Abuse: The WantToCry ransomware campaign has exploited ISPsystem virtual infrastructure to host and deliver payloads at scale. A design weakness in VMmanager's default Windows templates—reusing static hostnames and system identifiers—allows threat actors to provision thousands of VMs with identical configurations, complicating takedown efforts.
Cloud Storage Targeting: Ransomware operators are increasingly shifting focus from on-premises systems to misconfigured cloud storage, particularly AWS S3 buckets. These attacks leverage native cloud features to delete or overwrite data while staying under the radar.
Professional Extortion Services: DragonForce ransomware has introduced a "Company Data Audit" service to support affiliates during extortion negotiations. The service provides detailed risk reports, prepared communication materials including call scripts and executive-level letters, and strategic guidance designed to influence victims.
LockBit 5.0 Evolution: The latest LockBit iteration has switched from AES to ChaCha20 encryption and added new capabilities including a wiper component, delayed execution options, encryption progress tracking, and enhanced anti-analysis techniques across Windows, Linux, and ESXi environments.
Ransomware Activity Statistics
According to recent threat intelligence:
- Total attacks in 2025: 4,737 ransomware claims (up from 4,701 in 2024)
- Pure data theft extortion: 6,182 incidents (23% increase from 2024)
- Average Q4 2025 ransom payment: $591,988 (57% jump from Q3 2025)
Cyble identified ten new ransomware groups that emerged in 2025: GLOBAL GROUP, Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. Sinobi's data leak site listings increased 306% in Q4 2025 alone.
Defense Recommendations
Organizations should implement multiple defensive layers:
Driver Management: Maintain an inventory of approved drivers and implement application control policies that prevent unauthorized driver installation. Consider using Microsoft's Vulnerable Driver Blocklist.
EDR Hardening: Configure EDR solutions with tamper protection enabled. Implement monitoring for process termination attempts targeting security tools.
Network Segmentation: Limit lateral movement capabilities by segmenting networks and implementing zero-trust principles. This can slow attackers even if they achieve initial access.
Cloud Security Posture: Regularly audit cloud storage configurations, particularly S3 buckets and similar services. Implement proper access controls, versioning, and backup strategies.
Behavioral Detection: Focus on detecting malicious behavior patterns rather than relying solely on signature-based detection. Unusual driver loading, security tool termination attempts, and abnormal encryption activity should trigger alerts.
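As an added example of the driver management and behavioral detection advice above (not code from the article or from Symantec and Carbon Black), the Python below triages constructed Sysmon Event ID 6 driver-load records; the blocklist hash, the approved-signer list and the sample driver paths are assumed placeholders, not real indicators.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.
Sample records are constructed; the blocklist hash and driver path are
placeholders, not real indicators for NSecKrnl or any other driver."""

# Hashes the organisation blocks, e.g. carried over from Microsoft's
# vulnerable driver blocklist (placeholder value, constructed).
BLOCKLISTED_SHA256 = {"placeholder_blocked_driver_sha256"}
# Signers whose kernel drivers are expected on the fleet (assumed allowlist).
APPROVED_SIGNERS = {"Microsoft Windows", "Example EDR Vendor"}
EXPECTED_DIR = "c:\\windows\\system32\\drivers\\"


def parse_event(ev):
    """Normalise one Sysmon record; 'Hashes' is 'SHA256=...,MD5=...'."""
    hashes = dict(kv.split("=", 1) for kv in ev["Hashes"].split(",") if "=" in kv)
    return {
        "image": ev["ImageLoaded"],
        "sha256": hashes.get("SHA256", "").lower(),
        "signer": ev.get("Signature", ""),
        "signature_valid": ev.get("SignatureStatus") == "Valid",
    }


def assess(d):
    """Return the reasons a driver load deserves an alert (empty = benign).
    A valid signature alone is not a pass: BYOVD drivers are legitimately
    signed, so the signer must also be one the fleet expects."""
    reasons = []
    if d["sha256"] in BLOCKLISTED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not d["signature_valid"]:
        reasons.append("signature not valid")
    elif d["signer"] not in APPROVED_SIGNERS:
        reasons.append(f"unapproved signer: {d['signer']}")
    if not d["image"].lower().startswith(EXPECTED_DIR):
        reasons.append("loaded from outside the drivers directory")
    return reasons


def triage(events):
    return {e["ImageLoaded"]: assess(parse_event(e)) for e in events}


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Hashes": "SHA256=AAA111",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\vulnerable_driver.sys",
     "Hashes": "SHA256=PLACEHOLDER_BLOCKED_DRIVER_SHA256",
     "Signature": "Some Third Party Ltd", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", reasons or "ok")
```

The second record is the BYOVD pattern the article describes: a validly signed driver that still trips three checks because signature validity is never treated as sufficient on its own.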
TL;DR
- Reynolds ransomware bundles BYOVD defense evasion directly into the ransomware payload, streamlining attacks and reducing detection opportunities
- Exploits vulnerable NSecKrnl driver (CVE-2025-68947) to terminate security processes from multiple EDR vendors
- Part of broader ransomware evolution including cloud targeting, VM abuse, and professional extortion services
- 2025 saw 4,737 ransomware attacks with average Q4 payments reaching $591,988
- Organizations should focus on driver management, EDR hardening, network segmentation, and behavioral detection
Source: The Hacker News - Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools