Full Report
Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself. BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection
Analysis Summary
# Tool/Technique: Reynolds Ransomware with Embedded BYOVD
## Overview
Reynolds is an emergent ransomware family distinguished by its integration of a Bring Your Own Vulnerable Driver (BYOVD) component directly within the ransomware payload. Its primary purpose is defense evasion, specifically to escalate privileges and disable Endpoint Detection and Response (EDR) solutions to ensure the malicious activities proceed unnoticed.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred, as EDR/driver interactions are typical of Windows environments)
- Capabilities: Privilege escalation, defense evasion, EDR process termination, file encryption (implied by 'ransomware').
- First Seen: Emergent (Date of article is Feb 10, 2026)
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1216 - Execution through Developer Software
- T1216.002 - Bring Your Own Vulnerable Driver
- T1055 - Process Injection (Implied use of driver to manipulate privileged operations)
- TA0004 - Privilege Escalation
- T1203 - Exploitation for Privilege Escalation (Utilizing the known flaw in the bundled driver)
- TA0011 - Command and Control (Implied by subsequent deployment of persistent access tool)
## Functionality
### Core Capabilities
- **Defense Evasion:** Uses a bundled, legitimate but flawed driver to subvert security controls.
- **Privilege Escalation:** Exploits the vulnerable driver to gain necessary permissions for disabling security software.
- **Security Tool Termination:** Explicitly terminates processes related to security products including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (with HitmanPro.Alert), and Symantec Endpoint Protection.
### Advanced Features
- **Self-Contained Evasion:** Unlike typical attacks where BYOVD is deployed separately, Reynolds bundles the defense evasion driver (NsecSoft NSecKrnl driver) within the ransomware payload, making the operation "quieter" and removing the need for an affiliate to stage the evasion step separately.
- **Vulnerable Driver Use:** Specifically uses the **NsecSoft NSecKrnl driver**, leveraging known flaw **CVE-2025-68947** (CVSS 5.7) to terminate arbitrary processes.
- **Post-Exploitation Persistence:** Deployment of the **GotoHTTP** remote access program one day after ransomware deployment suggests an interest in maintaining persistent access.
- **Precursor Activity:** Evidence of a suspicious side-loaded loader on the network several weeks before ransomware deployment, indicating staged access.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: NsecSoft NSecKrnl driver (bundled component)
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: [Not explicitly provided in the context, but GotoHTTP was deployed later]
- Behavioral Indicators: Attempting to load or utilize the NsecSoft NSecKrnl driver; termination of EDR/AV related processes (Avast, CrowdStrike, Cortex XDR, Sophos, Symantec).
## Associated Threat Actors
- Associated with threat actors who have previously used BYOVD tactics, specifically mentioning the threat actor **Silver Fox** (who previously used this technique with the NsecKrnl driver to deploy ValleyRAT, and used other drivers like `truesight.sys` and `amsdk.sys`).
- Historical precedent for bundling defense evasion noted in **Ryuk Ransomware (2020)** and **Obscura Ransomware (Late August 2025)**.
## Detection Methods
- Signature-based detection: Signature development for the Reynolds executable payload.
- Behavioral detection: Monitoring for attempts to load or execute kernel-mode drivers from unexpected locations, especially those intended to disable security products. Monitoring for process termination related to major EDR/AV vendors.
- YARA rules: YARA rules targeting unique strings or structural elements related to the bundled NsecSoft NSecKrnl driver within the main payload.
## Mitigation Strategies
- **Digital Driver Signing Enforcement:** Strict policies that allow only drivers signed by trusted authorities to load (this limits which signed drivers can load at all, including older, flawed but validly signed ones such as the bundled driver).
- **Patching:** Ensuring systems are patched against known vulnerable drivers, specifically **CVE-2025-68947**.
- **EDR Hardening:** Configuring Endpoint Detection and Response solutions to severely restrict or block the loading of non-whitelisted drivers or drivers known to exhibit malicious behavior patterns.
- **Process Monitoring:** Implement controls to detect and alert on the termination of security-related processes (Avast, CrowdStrike, etc.).
- **Loader Detection:** Investigate and remediate suspicious side-loaded loaders observed in precursor activity.
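The behavioral detection and process-monitoring controls above can be expressed as a simple correlation rule: a suspicious kernel-driver load followed, on the same host and within a short window, by terminations of security-product processes. The following is an added example (not code from the original report) that runs that rule over constructed Sysmon-style events; the field names, vendor path tokens, sample process paths and the 120 s window are assumptions.

```python
# Added example (not from the original report): correlate Sysmon-style telemetry
# (ID 6 = driver loaded, ID 5 = process terminated) into a BYOVD alert.
# Field names, vendor path tokens and the 120 s window are assumptions.
from datetime import datetime, timedelta

# Install-path tokens for the products named in the report (assumed tokens).
VENDOR_TOKENS = ("avast", "crowdstrike", "cortex", "sophos", "hitmanpro", "symantec")
SUSPECT_DRIVERS = ("nseckrnl",)            # driver tied to CVE-2025-68947
DRIVER_DIR = r"c:\windows\system32\drivers"
WINDOW, MIN_KILLS = timedelta(seconds=120), 2

def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])

def driver_is_suspicious(ev):
    """ID 6: known-abused name, load path outside the drivers dir, or untrusted signature."""
    path = ev["ImageLoaded"].lower()
    return (any(n in path.rsplit("\\", 1)[-1] for n in SUSPECT_DRIVERS)
            or not path.startswith(DRIVER_DIR)
            or ev.get("SignatureStatus", "").lower() != "valid")

def is_security_process(image):
    return any(tok in image.lower() for tok in VENDOR_TOKENS)

def find_byovd_alerts(events):
    """One alert per suspicious driver load followed, on the same host and within
    WINDOW, by at least MIN_KILLS terminations of security-product processes."""
    kills = [e for e in events if e["EventID"] == 5 and is_security_process(e["Image"])]
    alerts = []
    for load in (e for e in events if e["EventID"] == 6 and driver_is_suspicious(e)):
        t0 = _ts(load)
        victims = sorted({k["Image"] for k in kills if k["Computer"] == load["Computer"]
                          and t0 <= _ts(k) <= t0 + WINDOW})
        if len(victims) >= MIN_KILLS:
            alerts.append({"host": load["Computer"], "driver": load["ImageLoaded"],
                           "terminated": victims, "severity": "high"})
    return alerts

# Constructed sample telemetry: benign load on HOST-A; NSecKrnl loaded from a user
# directory on HOST-B, then two EDR/AV process terminations (constructed paths).
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "HOST-A", "UtcTime": "2026-02-10 09:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "HOST-B", "UtcTime": "2026-02-10 09:10:00",
     "ImageLoaded": r"C:\Users\Public\NSecKrnl.sys", "SignatureStatus": "Valid"},
    {"EventID": 5, "Computer": "HOST-B", "UtcTime": "2026-02-10 09:10:04",
     "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 5, "Computer": "HOST-B", "UtcTime": "2026-02-10 09:10:05",
     "Image": r"C:\Program Files\Sophos\Endpoint Agent\SophosAgent.exe"},
]
```

Calling `find_byovd_alerts(SAMPLE_EVENTS)` yields one high-severity alert for HOST-B naming the driver path and both terminated images; the benign tcpip.sys load on HOST-A produces nothing.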
## Related Tools/Techniques
- Bring Your Own Vulnerable Driver (BYOVD) Technique
- NsecSoft NSecKrnl Driver (Specific abused component)
- GotoHTTP (Used for follow-on persistence)
- Ryuk Ransomware (Historical context for bundling Evasion)
- Obscura Ransomware (Historical context for bundling Evasion)