Article Details
Scrape Timestamp (UTC): 2026-02-10 14:37:46.513
Source: https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html
Original Article Text
Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself.

BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years.

"Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. "However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself."

Broadcom's cybersecurity teams noted that this tactic of bundling a defense evasion component within the ransomware payload is not novel, and that it has been observed in a Ryuk ransomware attack in 2020 and in an incident involving a lesser-known ransomware family called Obscura in late August 2025.

In the Reynolds campaign, the ransomware is designed to drop a vulnerable NsecSoft NSecKrnl driver and terminate processes associated with various security programs from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (along with HitmanPro.Alert), and Symantec Endpoint Protection, among others. It's worth noting that the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that could be exploited to terminate arbitrary processes. Notably, the driver has been put to use by a threat actor known as Silver Fox in attacks designed to kill endpoint security tools prior to delivering ValleyRAT.
Over the past year, the hacking group has wielded multiple legitimate but flawed drivers – including truesight.sys and amsdk.sys – as part of BYOVD attacks to disarm security programs.

Bringing defense evasion and ransomware capabilities together into one component makes it harder for defenders to stop the attack, and it also obviates the need for an affiliate to separately incorporate this step into their modus operandi.

"Also of note in this attack campaign was the presence of a suspicious side-loaded loader on the target's network several weeks prior to the ransomware being deployed," Symantec and Carbon Black said.

Another tool deployed on the target network a day after the ransomware deployment was the GotoHTTP remote access program, indicating that the attackers may be looking to maintain persistent access to the compromised hosts.

"BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags," the company said. "The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that packaging the defense evasion binary and the ransomware payload together is “quieter”, with no separate external file dropped on the victim network."

The finding coincides with various ransomware-related developments in recent weeks. According to data from Cyble, GLOBAL GROUP is one of the many ransomware crews that sprang forth in 2025, the others being Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. In Q4 2025 alone, Sinobi's data leak site listings increased 306%, making it the third-most active ransomware group after Qilin and Akira, per ReliaQuest.
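The pattern described above (a legitimately signed but vulnerable driver is loaded, then the processes of several security products are terminated in quick succession) is something a detection engineer can look for in endpoint telemetry. The following is an added example, not code from the article or from Symantec/Carbon Black: a small Python detector run over constructed Sysmon-style log lines (Event ID 6 = driver loaded, Event ID 5 = process terminated). The driver names in the watchlist (NSecKrnl, truesight.sys, amsdk.sys) are the ones the article mentions; the file name NSecKrnl64.sys in the sample log, the paths, and the protected process names (edr-sensor.exe, av-service.exe, av-ui.exe) are placeholders I constructed, not real product binaries.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Drivers the article names as abused in BYOVD attacks. A production rule would
# match file hashes against a vulnerable-driver blocklist; matching on the file
# name stem is a simplification for this example.
VULNERABLE_DRIVER_STEMS = ("nseckrnl", "truesight", "amsdk")

# Placeholder names standing in for the organisation's own security-product
# processes (assumed, not the real binaries of the vendors the article lists).
PROTECTED_PROCESSES = {"edr-sensor.exe", "av-service.exe", "av-ui.exe"}


@dataclass
class Event:
    ts: datetime
    event_id: int   # Sysmon: 6 = driver loaded, 5 = process terminated
    image: str      # ImageLoaded (id 6) or Image (id 5)
    signed: bool = False


# Constructed log format: "<timestamp> EventID=<n> Key=Value Key=Value ..."
# (values may not contain spaces in this simplified format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) (?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[Event]:
    """Parse one Sysmon-style line; return None for events this detector ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    event_id = int(m.group("id"))
    if event_id == 6:
        image = fields.get("ImageLoaded", "")
    elif event_id == 5:
        image = fields.get("Image", "")
    else:
        return None
    return Event(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        event_id=event_id,
        image=image,
        signed=fields.get("Signed", "false").lower() == "true",
    )


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_vulnerable_driver(path: str) -> bool:
    """True if the driver file name matches one of the known-abused driver names."""
    stem = PureWindowsPath(path).stem.lower()
    return any(v in stem for v in VULNERABLE_DRIVER_STEMS)


def detect(lines: List[str], window: timedelta = timedelta(minutes=5),
           min_kills: int = 2) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) findings for the two indicators of the pattern:
    a known-vulnerable driver being loaded, and >= min_kills distinct protected
    processes being terminated within `window` after any driver load."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    findings: List[Tuple[str, str]] = []
    for load in (e for e in events if e.event_id == 6):
        if is_vulnerable_driver(load.image):
            findings.append(("vulnerable_driver_loaded", basename(load.image)))
        killed = sorted({
            basename(e.image) for e in events
            if e.event_id == 5
            and load.ts <= e.ts <= load.ts + window
            and basename(e.image) in PROTECTED_PROCESSES
        })
        if len(killed) >= min_kills:
            findings.append(("security_processes_killed_after_driver_load",
                             f"{basename(load.image)} -> {', '.join(killed)}"))
    return findings


# Constructed sample telemetry: a benign driver load, then a signed vulnerable
# driver loaded from a temp path followed by three security processes dying.
SAMPLE_LOG = """
2026-02-10 13:50:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true
2026-02-10 13:50:05 EventID=5 Image=C:\\Windows\\System32\\notepad.exe
2026-02-10 14:02:10 EventID=6 ImageLoaded=C:\\Windows\\Temp\\NSecKrnl64.sys Signed=true
2026-02-10 14:02:11 EventID=5 Image=C:\\Vendor\\edr-sensor.exe
2026-02-10 14:02:12 EventID=5 Image=C:\\Vendor\\av-service.exe
2026-02-10 14:02:13 EventID=5 Image=C:\\Vendor\\av-ui.exe
"""

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"[{rule}] {detail}")
```

Note that the vulnerable driver in the sample is flagged even though `Signed=true`; that is the point the researchers make about BYOVD relying on legitimately signed files, so a valid signature must not be treated as a reason to suppress the alert. In a real deployment the name watchlist should be replaced by hash matching against a maintained vulnerable-driver blocklist, and a signed driver loading from a user-writable or temporary directory is worth an alert on its own.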
"Meanwhile, the return of LockBit 5.0 was one of Q4's biggest shifts, driven by a late-quarter spike that saw the group list 110 organizations in December alone," researcher Gautham Ashok said. "This output signals a group that can scale execution quickly, convert intrusions into impact, and sustain an affiliate pipeline capable of operating at volume."

The emergence of new players, combined with partnerships forged between existing groups, has led to a spike in ransomware activity. Ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024. The number of attacks that don't involve encryption and instead rely purely on data theft as a means to exert pressure reached 6,182 during the same period, a 23% increase from 2024.

As for the average ransom payment, the figure stood at $591,988 in Q4 2025, a 57% jump from Q3 2025, driven by a small number of "outsized settlements," Coveware said in its quarterly report last week, adding that threat actors may return to their "data encryption roots" for more effective leverage to extract ransoms from victims.
Daily Brief Summary
Cybersecurity researchers have identified a new ransomware family, Reynolds, which incorporates a bring your own vulnerable driver (BYOVD) tactic to disable Endpoint Detection and Response (EDR) tools.
The ransomware deploys a vulnerable NsecSoft NSecKrnl driver, exploiting a known flaw (CVE-2025-68947) to terminate processes of security programs like Avast and CrowdStrike Falcon.
This approach allows the ransomware to evade detection more effectively by integrating the defense evasion component directly within the payload, eliminating the need for separate deployment.
The campaign also involved a suspicious side-loaded loader and the GotoHTTP remote access program, suggesting efforts to maintain persistent access to compromised systems.
The tactic of bundling defense evasion with ransomware is not new, previously seen in Ryuk and Obscura attacks, complicating defensive measures for cybersecurity teams.
The rise of new ransomware groups and the resurgence of LockBit 5.0 have contributed to increased ransomware activity, with significant growth in both attacks and average ransom payments in 2025.
The trend towards data theft over encryption in ransomware attacks continues, with a notable increase in non-encryption attacks exerting pressure on victims.