Reynolds ransomware uses BYOVD to disable security before encryption

Researchers discovered Reynolds ransomware, which uses the BYOVD technique to disable security tools and evade detection before encryption.

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Broadcom’s cybersecurity researchers initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed the payload was Reynolds, a new ransomware family. The campaign stands out because it embeds a bring-your-own-vulnerable-driver (BYOVD) component directly inside the ransomware. Instead of deploying a separate tool to disable security software, Reynolds bundles the vulnerable NsecSoft driver within its payload to evade detection.

Bring Your Own Vulnerable Driver (BYOVD) is an attack technique where threat actors use a legitimate but flawed driver to bypass security controls.

Instead of exploiting a new vulnerability, attackers install a signed, trusted driver that contains known security flaws. Because the driver is legitimately signed, Windows allows it to load. Once running, attackers exploit the driver’s weakness to:

  • Bypass kernel-level protections
  • Escalate privileges (gain SYSTEM-level access)
  • Disable or tamper with EDR/antivirus tools
  • Kill security processes

The Reynolds ransomware drops the vulnerable NsecKrnl driver and creates a service to run it. It then abuses the driver flaw (CVE-2025-68947) to kill security processes associated with major defense solutions, including Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET, and Avast tools.

“The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes,” reads the report published by Broadcom. “The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which means that it fails to verify if a user has sufficient permissions before executing commands. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.”
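The chain described above (a kernel-driver service is created for the vulnerable NSecKrnl driver, the driver is loaded, and security-product processes are then terminated) is something a defender can correlate from ordinary Windows telemetry. The following Python is an added example and is not code from Broadcom's report or from the Security Affairs article. It works over simplified dictionaries that mimic System event 7045 (service installed) and Sysmon event IDs 6 (driver loaded) and 5 (process terminated); the log records, the security-product process names, the file paths and the driver hash are all constructed or assumed, and the hash in particular is a placeholder to be replaced with values from your own threat intelligence or the Microsoft vulnerable-driver blocklist.

```python
"""
Detection of the BYOVD kill pattern: a block-listed driver is installed as a
kernel service or loaded, and within a short window several security-product
processes are terminated on the same host. Added example, not the article's
or the vendor's code; all events below are constructed.
"""
from datetime import datetime, timedelta

# Driver names to block-list. "NSecKrnl" comes from the article; the hash is a
# PLACEHOLDER (assumption), not a real indicator from the report.
VULNERABLE_DRIVER_NAMES = {"nseckrnl"}
VULNERABLE_DRIVER_SHA256 = {"<sha256-of-vulnerable-nseckrnl-sys-placeholder>"}

# Illustrative security-product process names (assumption; tune to your estate).
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike
    "ekrn.exe",             # ESET
    "avastsvc.exe",         # Avast
    "ccsvchst.exe",         # Symantec
}

KILL_WINDOW = timedelta(minutes=5)  # correlation window after the driver event
MIN_KILLS = 2                       # kills needed to rate the alert "high"


def _ts(value):
    return datetime.fromisoformat(value)


def is_vulnerable_driver_event(ev):
    """True when the event installs (7045) or loads (Sysmon 6) a block-listed driver."""
    if ev["event_id"] == 7045 and "kernel" in ev.get("service_type", "").lower():
        name = ev.get("service_name", "").lower()
        image = ev.get("image_path", "").lower()
        return name in VULNERABLE_DRIVER_NAMES or any(n in image for n in VULNERABLE_DRIVER_NAMES)
    if ev["event_id"] == 6:
        image = ev.get("image_loaded", "").lower()
        return (any(n in image for n in VULNERABLE_DRIVER_NAMES)
                or ev.get("sha256", "").lower() in VULNERABLE_DRIVER_SHA256)
    return False


def detect_byovd_kill_chain(events):
    """Return one alert per host per window: a vulnerable-driver event followed
    within KILL_WINDOW by terminations of security-product processes."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    alerts, last_alert = [], {}
    for i, ev in enumerate(events):
        if not is_vulnerable_driver_event(ev):
            continue
        host, start = ev["host"], _ts(ev["time"])
        # Collapse the install + load pair into a single alert per host.
        if host in last_alert and start - last_alert[host] <= KILL_WINDOW:
            continue
        killed = []
        for later in events[i + 1:]:
            if _ts(later["time"]) - start > KILL_WINDOW:
                break
            if later["host"] == host and later["event_id"] == 5:  # Sysmon ProcessTerminate
                proc = later.get("image", "").rsplit("\\", 1)[-1].lower()
                if proc in SECURITY_PROCESSES:
                    killed.append(proc)
        last_alert[host] = start
        alerts.append({"host": host, "time": ev["time"], "driver_event": ev["event_id"],
                       "killed": killed, "severity": "high" if len(killed) >= MIN_KILLS else "medium"})
    return alerts


# Constructed sample telemetry: one host shows the full chain, another a benign driver install.
SAMPLE_EVENTS = [
    {"time": "2026-03-01T02:14:05", "host": "WS-17", "event_id": 7045, "service_name": "NSecKrnl",
     "service_type": "kernel mode driver", "image_path": r"C:\Users\Public\NSecKrnl.sys"},
    {"time": "2026-03-01T02:14:06", "host": "WS-17", "event_id": 6, "signature": "NsecSoft",
     "image_loaded": r"C:\Users\Public\NSecKrnl.sys", "sha256": "deadbeef"},
    {"time": "2026-03-01T02:14:09", "host": "WS-17", "event_id": 5,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe"},
    {"time": "2026-03-01T02:14:10", "host": "WS-17", "event_id": 5,
     "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"time": "2026-03-01T02:14:11", "host": "WS-17", "event_id": 5,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2026-03-01T03:00:00", "host": "WS-22", "event_id": 7045, "service_name": "usbprint",
     "service_type": "kernel mode driver", "image_path": r"C:\Windows\System32\drivers\usbprint.sys"},
]

if __name__ == "__main__":
    for alert in detect_byovd_kill_chain(SAMPLE_EVENTS):
        print(alert)
```

The driver-name match alone is worth a medium-severity alert because a legitimately signed vulnerable driver will not trip signature checks; the follow-on process terminations are what raise it to high. In production the same logic would sit on top of a block list fed by the Microsoft vulnerable-driver list and on an enforced WDAC or HVCI policy, which prevents the driver from loading in the first place.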

The malware encrypts files and adds the “.locked” extension. Investigators also found a suspicious side-loaded loader weeks earlier and the GotoHTTP remote access tool after the attack, suggesting the attackers may have kept access before and even after deploying the ransomware.

In 2026, ransomware groups routinely disable antivirus and EDR tools before launching encryption. They added this step as security vendors improved early detection. The most common method is BYOVD, where attackers load a signed but vulnerable driver, exploit it to gain higher privileges, and shut down security software. Because the driver is legitimate and signed, it often avoids alerts. Popular tools include TrueSightKiller, GhostDriver, AuKill, Poortry, Gmer, and Warp AVKiller. Attackers sometimes use built-in Windows tools, but BYOVD remains their top defense-evasion tactic.

This campaign raises concerns that more ransomware groups may embed defense-evasion tools directly inside their payloads. Combining both components makes attacks quieter and faster, since attackers no longer need to drop a separate driver that defenders could detect and block. This approach reduces steps and limits response time. It may also attract affiliates, as bundled capabilities make ransomware easier to deploy and more competitive in the criminal market.

“Embedding more capabilities into the ransomware payload itself may also help act as a unique selling point for ransomware developers who are attempting to attract affiliates,” concludes the report, which includes Indicators of Compromise (IoCs). “Having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require less steps, potentially making such a payload more attractive to affiliates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Reynolds ransomware)