Reynolds Ransomware Uses BYOVD Driver to Disable EDR Security Tools

Cybersecurity analysts have identified a newly emerging ransomware strain named Reynolds, notable for embedding a Bring Your Own Vulnerable Driver (BYOVD) component directly in the ransomware payload. The aim is to disable endpoint security defenses before file encryption begins, rather than relying on a separate tool to do so.

BYOVD is a well-known attacker technique that abuses legitimate, validly signed kernel drivers containing exploitable flaws. Loading a driver already requires administrative rights, so the gain is not a user-to-admin privilege escalation but kernel-level code execution, which lets the attacker tamper with or terminate Endpoint Detection and Response (EDR) processes that user-mode code cannot touch. Once security tools are neutralized, attackers can execute malicious actions with minimal resistance.

Embedded Driver-Based Defense Evasion

According to findings shared by the Symantec and Carbon Black Threat Hunter teams with The Hacker News, the Reynolds ransomware deviates from common attack patterns. Traditionally, threat actors deploy a separate tool to disable security software prior to launching ransomware. In this campaign, however, the vulnerable driver is bundled inside the ransomware itself.

The embedded driver is identified as NsecSoft NSecKrnl, a signed kernel driver that contains a known security flaw. By loading this driver, Reynolds can terminate security-related processes from kernel mode, sidestepping the protections that normally prevent a user-mode process from killing them, and without triggering typical alerts.

Broadcom researchers noted that while embedding defense evasion logic is not entirely new, it remains relatively uncommon. Similar tactics were previously observed in a Ryuk ransomware incident in 2020 and later in attacks linked to the Obscura ransomware family in August 2025.

Targeted Security Solutions and Vulnerable Driver Abuse

Once deployed, the Reynolds ransomware drops the NSecKrnl driver and systematically disables processes linked to major security platforms. These include products from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos and HitmanPro.Alert, as well as Symantec Endpoint Protection.

The abused driver is affected by CVE-2025-68947, a vulnerability with a CVSS score of 5.7 that allows a local attacker to terminate arbitrary processes via the kernel. This same driver has previously been weaponized by a threat actor known as Silver Fox, which used it to shut down endpoint defenses before deploying ValleyRAT.

Over the past year, Silver Fox has also leveraged other vulnerable drivers such as truesight.sys and amsdk.sys, reinforcing the growing trend of driver-based security bypass techniques.

Why Bundling BYOVD Inside Ransomware Matters

Security researchers emphasize that combining defense evasion and ransomware execution into a single payload significantly complicates detection and response. This approach eliminates the need for affiliates to deploy a separate disabling tool, reducing operational complexity and lowering the attack’s visibility.

Symantec and Carbon Black also reported the presence of a suspicious side-loaded loader inside the victim environment weeks before the ransomware was activated. This suggests early-stage preparation and long-term persistence planning.

A day after the ransomware deployment, attackers were observed installing GotoHTTP, a remote access utility, indicating an attempt to maintain ongoing control over compromised systems.

Rising BYOVD Adoption Across Ransomware Campaigns

Researchers note that BYOVD remains attractive to attackers because it relies on legitimate, signed drivers: Windows will load them unless they appear on an enforced blocklist (such as Microsoft's vulnerable driver blocklist applied through HVCI or WDAC), and any blocklist is only as current as its last update. Embedding the driver within the ransomware payload further reduces noise, as no additional external binaries need to be dropped.
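The behaviour described above (a vulnerable driver loaded from an unusual location, followed within seconds by the termination of several security-product processes) is something a detection engineer can correlate from ordinary telemetry. The following is an added example, not code from the article or from Symantec, Carbon Black or Broadcom: it runs a simple rule set over Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records. The events, the driver file name `NSecKrnl.sys`, the placeholder hash and the vendor process names are all constructed or assumed for illustration and must be replaced with a vetted vulnerable-driver list and the process names actually deployed in your estate.

```python
"""Correlate driver loads with security-process terminations (BYOVD hunting).

Added example with constructed data; not the article's or any vendor's code.
Event shapes mirror Sysmon Event ID 6 (DriverLoad) and Event ID 5
(ProcessTerminate) but are hand-built dicts so the script runs offline.
"""
from datetime import datetime, timedelta

# Assumed / illustrative: file names and hashes of known-vulnerable drivers.
# In production, source these from a maintained vulnerable-driver list.
VULN_DRIVER_NAMES = {"nseckrnl.sys", "truesight.sys", "amsdk.sys"}
VULN_DRIVER_HASHES = {"deadbeef" * 8}  # constructed placeholder SHA-256

# Illustrative security-product process names; verify against your own products.
SECURITY_PROCESSES = {
    "csfalconservice.exe", "cyserver.exe", "sophoshealth.exe",
    "hmpalert.exe", "ccsvchst.exe", "avastsvc.exe",
}

WINDOW = timedelta(seconds=120)  # terminations this soon after a load are suspicious
MIN_KILLS = 2                    # two or more security processes killed in the window


def _basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_driver_store(path):
    """True if the driver sits where legitimately installed drivers live."""
    p = path.lower()
    return ("\\windows\\system32\\drivers\\" in p
            or "\\windows\\system32\\driverstore\\" in p)


def analyze(events):
    """Return one finding per suspicious driver load.

    Each finding lists the reasons it fired and the security processes that
    were terminated inside WINDOW after the load. Sysmon's Event ID 5 does not
    record who killed a process, so the correlation here is purely temporal.
    """
    events = sorted(events, key=lambda e: e["ts"])
    loads = [e for e in events if e["id"] == 6]
    kills = [e for e in events if e["id"] == 5]
    findings = []
    for ld in loads:
        reasons = []
        name = _basename(ld["image_loaded"])
        if name in VULN_DRIVER_NAMES or ld.get("sha256", "").lower() in VULN_DRIVER_HASHES:
            reasons.append("known-vulnerable driver")
        if not _in_driver_store(ld["image_loaded"]):
            reasons.append("driver loaded from non-standard path")
        killed = sorted({
            _basename(k["image"]) for k in kills
            if ld["ts"] <= k["ts"] <= ld["ts"] + WINDOW
            and _basename(k["image"]) in SECURITY_PROCESSES
        })
        if len(killed) >= MIN_KILLS:
            reasons.append(f"{len(killed)} security processes terminated within {WINDOW.seconds}s")
        if reasons:
            findings.append({"ts": ld["ts"], "driver": ld["image_loaded"],
                             "reasons": reasons, "killed": killed})
    return findings


# Constructed sample telemetry: one benign driver load, then the BYOVD pattern.
T0 = datetime(2026, 1, 15, 3, 12, 0)
SAMPLE_EVENTS = [
    {"ts": T0 - timedelta(hours=6), "id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys", "sha256": "a" * 64},
    {"ts": T0, "id": 6,
     "image_loaded": r"C:\Users\Public\NSecKrnl.sys", "sha256": "deadbeef" * 8},
    {"ts": T0 + timedelta(seconds=3), "id": 5, "image": r"C:\Program Files\VendorA\CSFalconService.exe"},
    {"ts": T0 + timedelta(seconds=4), "id": 5, "image": r"C:\Program Files\VendorB\cyserver.exe"},
    {"ts": T0 + timedelta(seconds=5), "id": 5, "image": r"C:\Program Files\VendorC\ccSvcHst.exe"},
    {"ts": T0 + timedelta(seconds=9), "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["driver"])
        for r in f["reasons"]:
            print("  -", r)
        print("  killed:", ", ".join(f["killed"]))
```

Run against the constructed sample, the benign `tcpip.sys` load produces nothing, while the `NSecKrnl.sys` load fires on all three rules. Because a ransomware affiliate can rename the driver, the hash match and the termination burst are the rules worth keeping even when the name check fails; the path check is cheap but will also catch legitimate installers that stage drivers in temp directories, so treat it as a weak signal on its own.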

Recent ransomware-related developments highlight the broader evolution of the threat landscape. These include phishing campaigns delivering ransomware via Windows shortcut files, abuse of cloud-hosted infrastructure for malware distribution, and increasing exploitation of virtual machine management weaknesses.

Threat intelligence reports also point to a growing professionalization of ransomware groups, with services such as negotiation assistance, data audits, and multi-platform encryption capabilities becoming standard features.

Ransomware Activity Continues to Accelerate

According to industry data, ransomware actors claimed responsibility for 4,737 attacks in 2025, up from 4,701 in 2024. Data-theft-only extortion incidents rose sharply to 6,182 cases, representing a 23 percent increase year over year.

Average ransom payments surged to $591,988 in Q4 2025, driven by a small number of high-value settlements. Analysts warn that attackers may increasingly revert to full encryption-based attacks to maximize pressure on victims.

The emergence of Reynolds ransomware, combined with its embedded BYOVD strategy, underscores the growing sophistication of modern ransomware operations. For defenders the practical response is to enforce a vulnerable driver blocklist (for example through WDAC or HVCI), to alert on kernel driver loads from outside the normal driver directories, and to treat the termination of an EDR process as a high-priority signal rather than a routine event.
