**Reynolds Ransomware Uses BYOVD Technique to Disable Security Before Encryption**

Reynolds ransomware, a newly identified family, uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before it starts encrypting files.

Researchers at Broadcom initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed that the payload was indeed Reynolds, a new ransomware family. This campaign stands out because it embeds a BYOVD component directly inside the ransomware, rather than deploying a separate tool to disable security software.

The Reynolds ransomware drops the vulnerable NSecKrnl driver and creates a service to load it. It then abuses the driver's flaw (CVE-2025-68947) to kill security processes belonging to major defense solutions, including Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET, and Avast tools.

"The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes," reads the report published by Broadcom.

The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.
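The sequence described above (a service created for the NSecKrnl driver, the driver loading, then security agents dying within seconds) is what a defender can look for in endpoint telemetry. The detector below is an added example, not code from the Broadcom report; it runs over constructed log lines modelled on Windows System event 7045 (service installed) and Sysmon events 6 (driver loaded) and 5 (process terminated), and the list of agent executable names is an assumption of the example, not something the report enumerates.

```python
import re
from datetime import datetime, timedelta

# Agent executables for the vendors the article names (Defender, CrowdStrike, Sophos,
# ESET, Avast, Symantec). Assumed for the example; the Broadcom report does not list them.
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sophosfs.exe",
                      "ekrn.exe", "aswidsagent.exe", "ccsvchst.exe"}
DRIVER_PATTERN = re.compile(r"nseckrnl", re.IGNORECASE)  # service name or .sys path
WINDOW = timedelta(minutes=10)  # tolerance between driver activity and the kills

def parse_event(line):
    """Parse one constructed 'key=value|key=value' log line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def detect_byovd_kills(lines):
    """Alert when a host installs/loads NSecKrnl (System 7045 = service
    installed, Sysmon 6 = driver loaded) and then, within WINDOW, terminates
    security agents (Sysmon 5 = process terminated)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts, driver_seen = [], {}  # driver_seen: host -> last NSecKrnl event
    for ev in events:
        host, eid = ev["host"], ev["id"]
        if eid in ("7045", "6") and DRIVER_PATTERN.search(
                ev.get("name", "") + ev.get("image", "")):
            driver_seen[host] = ev
        elif eid == "5" and host in driver_seen:
            delay = ev["ts"] - driver_seen[host]["ts"]
            proc = ev["image"].rsplit("\\", 1)[-1].lower()
            if delay <= WINDOW and proc in SECURITY_PROCESSES:
                alerts.append({"host": host, "killed": proc,
                               "driver_event": driver_seen[host]["id"],
                               "seconds_after_driver": int(delay.total_seconds())})
    return alerts

# Constructed sample telemetry: WS01 shows the Reynolds sequence; WS02 shows an
# ESET agent stopping with no driver activity, which must not alert.
SAMPLE_LOG = [
    r"ts=2025-01-10T08:00:00|host=WS02|id=5|image=C:\Program Files\ESET\ekrn.exe",
    r"ts=2025-01-10T09:00:01|host=WS01|id=7045|name=NSecKrnl|image=C:\Windows\Temp\NSecKrnl.sys",
    r"ts=2025-01-10T09:00:03|host=WS01|id=6|image=C:\Windows\Temp\NSecKrnl.sys",
    r"ts=2025-01-10T09:00:09|host=WS01|id=5|image=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    r"ts=2025-01-10T09:00:10|host=WS01|id=5|image=C:\Program Files\CrowdStrike\CSFalconService.exe",
    r"ts=2025-01-10T09:00:12|host=WS01|id=5|image=C:\Windows\System32\notepad.exe",
]
if __name__ == "__main__":
    for alert in detect_byovd_kills(SAMPLE_LOG):
        print(alert)
```

The same logic carries over to a SIEM query: join service-install or driver-load events naming NSecKrnl to process-termination events on the same host within a short window.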

The malware encrypts files and appends the ".locked" extension. Investigators also found a suspicious side-loaded loader from weeks earlier and the GotoHTTP remote access tool after the attack, suggesting that the attackers had access before deploying the ransomware and retained it afterward.

**A Growing Trend in Ransomware Attacks**

Ransomware groups have increasingly employed defense-evasion tactics to remain undetected. The most common method is BYOVD, where attackers load a signed but vulnerable driver, exploit it to gain higher privileges, and shut down security software.

This lets attackers bypass traditional security measures and evade detection. Combining the ransomware payload and the defense-evasion tool in one binary makes attacks quieter and faster, because attackers no longer need to drop a separate driver-abuse tool that defenders could detect and block.

**Implications for Security Vendors and Organizations**

The Reynolds ransomware campaign raises concerns that more ransomware groups may embed defense-evasion tools directly inside their payloads. This approach reduces steps and limits response time, making attacks even more challenging to mitigate.

Combining both components makes ransomware easier to deploy and more competitive in the criminal market. "Embedding more capabilities into the ransomware payload itself may also help act as a unique selling point for ransomware developers who are attempting to attract affiliates," concludes the report that includes Indicators of Compromise (IoCs).

As the cybersecurity landscape continues to evolve, organizations and security vendors must remain vigilant and adapt their strategies to counter these emerging threats.
