Cybersecurity researchers have uncovered a new ransomware family called Reynolds that embeds a vulnerable NsecSoft NSecKrnl driver directly within its payload and uses it, in a Bring Your Own Vulnerable Driver (BYOVD) attack, to disable endpoint detection and response (EDR) tools, marking a concerning evolution in ransomware defense evasion tactics.
BYOVD Technique Embedded Directly in Ransomware Payload
The Reynolds ransomware ships with a built-in bring your own vulnerable driver (BYOVD) component. The technique abuses a legitimately signed but flawed driver to obtain kernel-level capabilities and disable security solutions, so that the malicious activity that follows goes unnoticed by endpoint protection.
"Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software," the Symantec and Carbon Black Threat Hunter Team explained. "However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself."
The NsecSoft NSecKrnl driver is affected by a known security flaw (CVE-2025-68947, CVSS score: 5.7) that can be exploited to terminate arbitrary processes. The same driver has previously been used by the Silver Fox threat actor to kill endpoint security tools before delivering the ValleyRAT malware.
Multiple Security Programs Targeted
Once deployed, the Reynolds ransomware drops the vulnerable driver and terminates processes associated with various security programs, including:
- Avast
- CrowdStrike Falcon
- Palo Alto Networks Cortex XDR
- Sophos (including HitmanPro.Alert)
- Symantec Endpoint Protection
This bundling of defense evasion capabilities directly within the ransomware payload represents a shift from traditional attack patterns where these components would be deployed separately.
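The sequence described above, a vulnerable driver being loaded and security-product processes being terminated shortly afterwards, is visible in ordinary endpoint telemetry. The following is an added example written for this article, not code from Symantec, Carbon Black or any vendor: it correlates Sysmon-style records (Event ID 6, driver loaded; Event ID 5, process terminated) constructed inline. The driver file names NSecKrnl.sys and GameDriverx64.sys (the latter from the Interlock item later in this article), the security-product process names, the 90-second window and the sample events are assumptions chosen for illustration, not indicators from the research.

```python
"""Correlate vulnerable-driver loads with EDR process terminations.

Added example for this article (not vendor tooling). Driver names,
process names, window length and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Drivers named in the article; the .sys file names are assumed.
VULNERABLE_DRIVERS = {"nseckrnl.sys", "gamedriverx64.sys"}

# Service processes for the products the article says Reynolds kills
# (assumed names for illustration; verify against your own fleet).
EDR_PROCESSES = {
    "avastsvc.exe",         # Avast
    "csfalconservice.exe",  # CrowdStrike Falcon
    "cyserver.exe",         # Palo Alto Networks Cortex XDR
    "sophoshealth.exe",     # Sophos
    "hmpalert.exe",         # HitmanPro.Alert
    "ccsvchst.exe",         # Symantec Endpoint Protection
}


@dataclass(frozen=True)
class Finding:
    kind: str          # "vulnerable_driver_load" or "edr_kill_after_byovd"
    time: datetime
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_byovd_kill_chain(events, window=timedelta(seconds=90)):
    """Flag vulnerable driver loads and EDR kills that follow them.

    `events` are dicts with Sysmon-like keys: EventID, UtcTime (ISO 8601),
    ImageLoaded (ID 6) or Image (ID 5). Records are processed in time order.
    """
    findings = []
    recent_loads = []  # (time, driver) for every vulnerable driver seen
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 6:
            drv = _basename(ev["ImageLoaded"])
            if drv in VULNERABLE_DRIVERS:
                recent_loads.append((t, drv))
                findings.append(Finding(
                    "vulnerable_driver_load", t,
                    f"{drv} loaded (Signed={ev.get('Signed')})"))
        elif ev["EventID"] == 5:
            proc = _basename(ev["Image"])
            if proc not in EDR_PROCESSES:
                continue
            # Only a kill inside the window after a vulnerable load is
            # attributed to BYOVD; a lone EDR restart is not an alert.
            for load_time, drv in recent_loads:
                delta = t - load_time
                if timedelta(0) <= delta <= window:
                    findings.append(Finding(
                        "edr_kill_after_byovd", t,
                        f"{proc} terminated {int(delta.total_seconds())}s "
                        f"after {drv} loaded"))
                    break
    return findings


# Constructed sample telemetry (not real logs); timestamps deliberately unordered.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-12-03T09:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 6, "UtcTime": "2025-12-03T10:14:05",
     "ImageLoaded": r"C:\Windows\Temp\NSecKrnl.sys", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2025-12-03T10:14:07",
     "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": "2025-12-03T10:14:08",
     "Image": r"C:\Program Files\Symantec\ccSvcHst.exe"},
    {"EventID": 5, "UtcTime": "2025-12-03T10:20:00",
     "Image": r"C:\Windows\System32\notepad.exe"},      # not an EDR process
    {"EventID": 5, "UtcTime": "2025-12-03T11:30:00",
     "Image": r"C:\Program Files\Avast\AvastSvc.exe"},  # outside the window
]

if __name__ == "__main__":
    for f in detect_byovd_kill_chain(SAMPLE_EVENTS):
        print(f.time.isoformat(), f.kind, f.detail)
```

The first rule (any load of a known-vulnerable driver) is the high-confidence signal and should fire on its own; the second rule adds the context that turns it into a ransomware-precursor alert. On current Windows builds the preventive control is the Microsoft vulnerable driver blocklist enforced through HVCI or an App Control policy; whether a given driver is on that list has to be checked against the current blocklist rather than assumed.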
Pre-Attack Infrastructure and Persistence
Researchers also noted a suspicious side-loaded loader on target networks several weeks before the ransomware was deployed, suggesting a multi-stage intrusion. The GotoHTTP remote access program was deployed on target networks a day after the ransomware, indicating the attackers' intent to retain access to compromised hosts.
"BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags," Symantec and Carbon Black noted. "Packaging the defense evasion binary and the ransomware payload together is 'quieter,' with no separate external file dropped on the victim network."
Broader Ransomware Landscape Developments
The Reynolds discovery comes amid several significant ransomware-related developments:
GLOBAL GROUP Ransomware Campaign
High-volume phishing campaigns have used Windows shortcut (LNK) attachments to run PowerShell code that fetches a Phorpiex dropper, which in turn delivers GLOBAL GROUP ransomware. The ransomware operates entirely locally on the compromised system and performs no data exfiltration, which also makes it usable in air-gapped environments.
ISPsystem VM Abuse
WantToCry and other ransomware operators have abused virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. The abuse exploits a design weakness in VMmanager's default Windows templates, which reuse the same static hostname and system identifiers: threat actors can stand up thousands of VMs with identical identifiers, complicating takedown efforts.
DragonForce Professionalization
DragonForce has created a "Company Data Audit" service to support affiliates during extortion campaigns. This service includes detailed risk reports, prepared communication materials, and strategic guidance designed to influence negotiations. DragonForce operates as a cartel allowing affiliates to create their own brands while accessing shared resources and services.
LockBit 5.0 Evolution
The latest iteration of LockBit, version 5.0, has shifted from AES-based encryption to ChaCha20 for encrypting files across Windows, Linux, and ESXi environments. New features include a wiper component, delayed execution options, progress tracking, improved anti-analysis techniques, and enhanced in-memory execution to minimize disk traces.
Interlock Ransomware's Zero-Day Exploitation
The Interlock ransomware group has continued targeting U.K. and U.S. organizations, particularly in education. They've leveraged a zero-day vulnerability in the "GameDriverx64.sys" gaming anti-cheat driver (CVE-2025-61155, CVSS score: 5.5) to disable security tools in BYOVD attacks, while deploying NodeSnake/Interlock RAT for data theft.
Cloud Storage Targeting
Ransomware operators are increasingly shifting focus from traditional on-premises targets to cloud storage services, especially misconfigured Amazon Web Services (AWS) S3 buckets. These attacks use native cloud features to delete or overwrite data, suspend access, or extract sensitive content while staying under the radar.
2025 Ransomware Activity Trends
According to Cyble data, 2025 saw the emergence of numerous new ransomware groups including Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. In Q4 2025 alone, Sinobi's data leak site listings increased 306%, making it the third-most active ransomware group after Qilin and Akira.
LockBit's return with version 5.0 was particularly notable, with the group listing 110 organizations in December alone. This output signals a group capable of scaling execution quickly and sustaining an affiliate pipeline capable of operating at volume.
Ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024. The number of attacks relying purely on data theft (without encryption) reached 6,182 during the same period, a 23% increase from 2024. Average ransom payments stood at $591,988 in Q4 2025, a 57% jump from Q3 2025, driven by a small number of "outsized settlements."
These trends suggest that threat actors may return to their "data encryption roots" for more effective leverage to extract ransoms from victims, as encryption-based attacks have proven more successful in forcing payments compared to pure data theft operations.