Security researchers have identified a new ransomware strain, named Reynolds, that builds a Bring Your Own Vulnerable Driver (BYOVD) component directly into its payload. Rather than relying on a separate tool, the ransomware itself drops and loads a legitimately signed but vulnerable driver and uses it to shut down security software before encryption begins.
In a BYOVD attack the adversary brings along a driver that carries a valid code signature but contains an exploitable flaw. Loading it still requires administrative rights, so the technique is less a privilege escalation than a defense evasion step: once the driver is loaded, Windows trusts it, and its kernel-mode access lets the attacker terminate or blind Endpoint Detection and Response (EDR) processes that user-mode code cannot touch. Ransomware groups have used the technique with increasing frequency in recent years, and it now appears routinely in reporting on high-profile intrusions.
According to a report from the Symantec and Carbon Black Threat Hunter Team, what sets Reynolds apart is that the vulnerable driver, identified as the NsecSoft NSecKrnl driver, is packaged inside the ransomware binary itself. Typically an attacker runs a separate EDR-killer tool to disable security software before deploying the ransomware; Reynolds collapses both steps into a single executable.
Broadcom's researchers noted that embedding a defense evasion component within the ransomware payload is not entirely unprecedented, pointing to the Ryuk ransomware incident in 2020 as an earlier example. Reynolds specifically targets a range of security products, including household names such as Avast, CrowdStrike Falcon, and Palo Alto Networks Cortex XDR, among others.
Sophos, for its part, said it had already added protections against the NSecKrnl driver in November 2025 and that those protections have shielded its customers from this particular threat.
The NSecKrnl driver carries a known vulnerability, CVE-2025-68947, rated with a CVSS score of 5.7, which allows a local attacker to terminate arbitrary processes through the driver. The modest score reflects the local access the exploit requires, not the operational impact: a kernel-mode primitive that kills any process is exactly what an attacker needs to remove EDR agents that are otherwise protected from termination. The same driver had previously been abused by the threat actor tracked as Silver Fox, again to disable endpoint security tools ahead of its main payload.
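The kill chain described above (ransomware drops a signed driver to disk, loads it, then terminates security-product processes) leaves a recognisable trace in endpoint telemetry. The following is an added example, not detection logic from Symantec, Broadcom or Sophos, that runs a simple detector over a handful of constructed Sysmon-style events. It assumes an on-disk filename of nseckrnl.sys for the NSecKrnl driver (the page names only the driver, not the file), a flattened log format invented for the example, and an illustrative list of security-product process names; none of these are verified indicators. It also goes slightly beyond the Reynolds case by flagging any driver loaded from outside the standard driver directory when protected processes die shortly afterwards, so that drivers missing from the watchlist are not silently ignored.

```python
"""Toy BYOVD kill-chain detector over constructed Sysmon-style events.

Added example, not detection logic from any vendor named in the article.
Assumptions (not from the article): the driver file name nseckrnl.sys,
the 'ISO8601|event_id|k=v;k=v' line format, and the process name lists.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional

# Drivers known to be abusable. A real deployment should seed this from the
# Microsoft vulnerable driver blocklist or loldrivers.io and key on file hash,
# since a renamed driver defeats a name-only check.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}  # assumed filename for the NSecKrnl driver

# Processes whose termination right after a driver load is suspicious.
# Illustrative names for the vendors the article lists; verify against your
# own software inventory rather than trusting this list.
PROTECTED_PROCESSES = {"csfalconservice.exe", "cyserver.exe", "avastsvc.exe"}

# Legitimate drivers normally load from here; anything else is worth a look
# even when the name is not on the watchlist.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",)


@dataclass
class Event:
    time: datetime
    event_id: int   # Sysmon IDs used: 5 ProcessTerminate, 6 DriverLoad, 11 FileCreate
    fields: dict


@dataclass
class Alert:
    severity: str
    driver: str               # basename of the loaded driver
    dropper: Optional[str]    # process that wrote the .sys shortly before the load
    killed: List[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO8601>|<event_id>|k=v;k=v'."""
    ts, eid, rest = line.strip().split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), int(eid), fields)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DRIVER_DIRS


def detect(lines, window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Correlate driver loads with file drops before and EDR kills after them."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.time)
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        if ev.event_id != 6:
            continue
        path = ev.fields.get("ImageLoaded", "")
        name = _basename(path)
        known_bad = name in VULNERABLE_DRIVERS
        odd_path = not _in_trusted_dir(path)
        if not (known_bad or odd_path):
            continue
        # Which process wrote this .sys to disk inside the window before the load?
        dropper = next((e.fields.get("Image") for e in reversed(events[:i])
                        if e.event_id == 11
                        and e.fields.get("TargetFilename", "").lower() == path.lower()
                        and ev.time - e.time <= window), None)
        # Protected processes that terminated inside the window after the load.
        killed = [_basename(e.fields.get("Image", "")) for e in events[i + 1:]
                  if e.event_id == 5 and e.time - ev.time <= window
                  and _basename(e.fields.get("Image", "")) in PROTECTED_PROCESSES]
        if known_bad and killed:
            severity = "high"      # known vulnerable driver plus EDR kills: the Reynolds pattern
        elif known_bad or killed:
            severity = "medium"    # only one of the two signals is present
        else:
            continue               # unknown driver from an odd path, nothing killed: log only
        alerts.append(Alert(severity, name, dropper, killed))
    return alerts


# Constructed sample telemetry: a dropper writes the driver to a temp directory,
# the driver loads, two security products die, then benign events follow.
SAMPLE_LOG = r"""
2025-12-01T09:14:02Z|11|Image=C:\Users\victim\Downloads\update.exe;TargetFilename=C:\Windows\Temp\nseckrnl.sys
2025-12-01T09:14:03Z|6|ImageLoaded=C:\Windows\Temp\nseckrnl.sys;Signed=true
2025-12-01T09:14:05Z|5|ProcessId=1234;Image=C:\Program Files\CrowdStrike\CSFalconService.exe
2025-12-01T09:14:05Z|5|ProcessId=2345;Image=C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
2025-12-01T09:14:07Z|5|ProcessId=3456;Image=C:\Windows\System32\notepad.exe
2025-12-01T10:02:11Z|6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys;Signed=true
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The point of correlating three event types rather than alerting on the driver load alone is precision: a driver on the watchlist loading from System32 with no EDR deaths may be a stale but legitimate install, while a driver nobody has catalogued yet, written by a user-profile executable and followed within seconds by security processes dying, is the behaviour that matters regardless of its name.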
Reynolds appears to be a straightforward cybercriminal operation rather than a targeted espionage campaign, but the victims span a range of industries. Notably, the attackers did not leave once the ransomware had run: they followed the deployment with additional tooling such as GotoHTTP, a legitimate remote access utility, indicating that they wanted to retain access to the compromised networks.
The incident illustrates a broader trend in which ransomware actors lean on legitimate, signed software components to achieve malicious ends. In MITRE ATT&CK terms, BYOVD sits under Defense Evasion as Impair Defenses: Disable or Modify Tools (T1562.001), with the driver abuse itself mapping to Exploitation for Privilege Escalation (T1068); initial access still has to be obtained by other means before any of this can run. Practical mitigations follow from that: keep Microsoft's vulnerable driver blocklist enforced (through hypervisor-protected code integrity or Windows Defender Application Control), restrict who holds the administrative rights needed to load a driver, and monitor for driver loads from unusual paths followed by the termination of security processes.
As these multi-stage attacks continue to evolve, organisations should track which vulnerable drivers are being abused in the wild and verify that their endpoint controls actually block them, rather than assuming a valid signature means a driver is safe.