
Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

Cybersecurity researchers have revealed details of an emerging ransomware family called Reynolds that comes with a built-in bring-your-own-vulnerable-driver (BYOVD) component, embedding the defense-evasion step within the ransomware payload itself.

BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to elevate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activity goes unnoticed. The strategy has been adopted by many ransomware groups over the years.

“Typically, the BYOVD security component to avoid attacks will include a separate tool that will be used on the system before the ransomware is loaded to disable the security software,” Symantec and Carbon Black Threat Hunter Team said in a report shared with Hacker News. “However, in this attack, the vulnerable driver (the NsecSoft NSecKrnl driver) is bundled with the ransomware itself.”

Cybersecurity teams at Broadcom noted that this tactic of incorporating an evasion component into a ransomware payload is not novel, and that it was seen in the Ryuk ransomware attack in 2020 and in an incident involving a little-known ransomware family called Obscura in late August 2025.

In the Reynolds campaign, the ransomware is designed to drop the vulnerable NsecSoft NSecKrnl driver and use it to terminate processes associated with various security products from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (including HitmanPro.Alert), and Symantec Endpoint Protection, among others.

It is worth noting that the NSecKrnl driver is affected by a known security flaw (CVE-2025-68947, CVSS score: 5.7) that can be abused to terminate processes, including those belonging to security tools. Notably, the driver was previously used by a threat actor known as Silver Fox in an attack designed to kill security tools before delivering ValleyRAT.

Last year, a hacking group used several legitimate but flawed drivers, including truesight.sys and amsdk.sys, in BYOVD attacks to disable security software.

Combining defense evasion and ransomware capabilities into a single component makes it harder for defenders to stop an attack, and it removes the need for an affiliate to integrate this step separately into their modus operandi.
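The pattern the article describes, a payload loading a vulnerable driver and then killing security processes, is something endpoint telemetry can be checked for. The following is an added example, not code from the article or from Symantec: a small Python detector that flags loads of the driver file names named on this page and correlates a driver load with subsequent terminations of security-product processes by the same actor within a short window. The pipe-delimited event format, the actor and target paths, and the security-process name hints are all constructed for illustration and are not a real telemetry schema.

```python
# Added example (not from the article or Symantec's research): correlate driver
# loads with subsequent kills of security processes by the same actor process.
from datetime import datetime, timedelta

# Driver file names this page reports as abused in BYOVD attacks.
KNOWN_VULNERABLE_DRIVERS = {"nseckrnl.sys", "truesight.sys", "amsdk.sys", "gamedriverx64.sys"}

# Assumed substrings identifying security-product processes (illustrative only).
SECURITY_PROCESS_HINTS = ("avast", "csfalcon", "cyserver", "sophos", "hmpalert", "ccsvchst")

# Constructed sample telemetry: timestamp|event_type|actor_process|target.
# "DriverLoad" targets a driver path; "ProcessKill" targets a terminated image name.
SAMPLE_LOG = r"""
2025-11-03T10:00:01|DriverLoad|C:\Users\Public\payload.exe|C:\Windows\Temp\NSecKrnl.sys
2025-11-03T10:00:02|ProcessKill|C:\Users\Public\payload.exe|CSFalconService.exe
2025-11-03T10:00:02|ProcessKill|C:\Users\Public\payload.exe|SophosHealth.exe
2025-11-03T10:00:03|ProcessKill|C:\Users\Public\payload.exe|hmpalert.exe
2025-11-03T10:30:00|DriverLoad|C:\Windows\System32\svchost.exe|C:\Windows\System32\drivers\disk.sys
"""


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, kind, actor, target = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "actor": actor, "target": target}


def detect_byovd(lines, window=timedelta(minutes=5), min_kills=2):
    """Return a list of alert strings for BYOVD-like activity in the event lines."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []
    for load in (e for e in events if e["kind"] == "DriverLoad"):
        driver = load["target"].rsplit("\\", 1)[-1].lower()
        # Rule 1: a driver on the known-abused list was loaded at all.
        if driver in KNOWN_VULNERABLE_DRIVERS:
            alerts.append(f"known vulnerable driver loaded: {driver} by {load['actor']}")
        # Rule 2: the same actor killed several security processes shortly after the load,
        # which catches drivers not yet on the list.
        kills = [k for k in events
                 if k["kind"] == "ProcessKill" and k["actor"] == load["actor"]
                 and load["ts"] <= k["ts"] <= load["ts"] + window
                 and any(h in k["target"].lower() for h in SECURITY_PROCESS_HINTS)]
        if len(kills) >= min_kills:
            alerts.append(f"{load['actor']} loaded {driver} then terminated "
                          f"{len(kills)} security processes within {window}")
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_LOG.splitlines()):
        print(alert)
```

Rule 2 is the more durable of the two, since a blocklist of driver names lags behind the drivers attackers move to next.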

“One notable aspect of this attack campaign is the presence of a suspicious payload that was side-loaded onto the target’s network several weeks before the ransomware was deployed,” said Symantec and Carbon Black.

Another tool deployed on the target network, the day after the ransomware was executed, was the GotoHTTP remote access program, indicating that the attackers may have been looking to maintain persistent access to compromised hosts.

“BYOVD is favored by attackers because of its efficiency and reliance on legitimate, signed files, which are less likely to raise red flags,” the company said.

“The benefits of bundling protection evasion capabilities with ransomware payloads, and the reason ransomware players may do this, may include the fact that packaging a protection evasion binary and a ransomware payload together is “silent”: no separate external file is dropped on the victim’s network.”

These findings coincide with several other ransomware-related developments in recent weeks:

  • A phishing campaign used emails carrying Windows shortcut (LNK) files to execute PowerShell code that downloaded the Phorpiex dropper, which was then used to deliver the GLOBAL GROUP ransomware. The ransomware performs all of its work locally on the compromised system, which makes it functional in air-gapped environments, and it does not exfiltrate data.
  • Attacks mounted by WantToCry abused virtual machines (VMs) provided by ISPsystem, a legitimate provider of virtual infrastructure management, to host and deliver malicious payloads at scale. The same hostnames have been identified in the infrastructure of many ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, and in various malware campaigns including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.
  • It is assessed that bulletproof hosting providers are leasing ISPsystem virtual machines to other criminal actors for use in ransomware operations and malware delivery, taking advantage of a design weakness in VMmanager’s default Windows templates, which reuse the same static hostname and system identifiers every time they are deployed. This, in turn, allows malicious actors to stand up thousands of VMs with the same hostname and confound takedown attempts.
  • DragonForce has created a “Company Data Audit” service to support its affiliates during extortion campaigns, a sign of the continued professionalization of ransomware operations. “This research includes a detailed risk report, tailored communication tools, such as call scripts and high-quality letters, and strategic guidance designed to influence conversations,” LevelBlue said. DragonForce serves as a vehicle that allows affiliates to create their own brands while operating under its umbrella and gaining access to its services and resources.
  • The latest iteration of LockBit, LockBit 5.0, was found to use ChaCha20 to encrypt files and data across Windows, Linux, and ESXi environments, a change from the AES-based encryption used in LockBit 2.0 and LockBit 3.0. In addition, the new version includes a wiper component, an option for an artificial delay before encryption, a progress bar for tracking encryption status, improved anti-analysis techniques to avoid detection, and in-memory optimizations to reduce traces left on disk.
  • The Interlock ransomware group continued its attacks on UK- and US-based organizations, especially in the education sector, in some cases exploiting a zero-day vulnerability in the “GameDriverx64.sys” anti-cheat driver (CVE-2025-61155, CVSS score: 5.5) to disable security tools via BYOVD. The attacks have also involved deployment of the NodeSnake/Interlock RAT (also known as CORNFLAKE) to steal sensitive data, while initial access is said to have come from a MintLoader infection.
  • Ransomware operators have been seen increasingly shifting their focus from traditional on-premises storage to cloud storage services, particularly poorly configured Amazon Web Services (AWS) S3 buckets, with attacks that rely on native cloud features to delete or overwrite data, temporarily suspend access, or exfiltrate sensitive content, all while staying under the radar.

According to data from Cyble, GLOBAL GROUP is one of many ransomware operations that emerged in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. In Q4 2025 alone, the number of victims listed on the Sinobi data leak site increased by 306%, making it the third most active ransomware group after Qilin and Akira, according to ReliaQuest.

“At the same time, the return of LockBit 5.0 was one of the biggest changes of Q4, driven by the spike at the end of the quarter that saw the group list 110 organizations in December alone,” said researcher Gautham Ashok. “This output shows a team that can scale execution quickly, turn engagement into impact, and maintain a membership pipeline that can work with volume.”

The emergence of new players, combined with relationships formed between existing groups, has led to an increase in ransomware activity. Ransomware actors claimed a total of 4,737 attacks in 2025, up from 4,701 in 2024. The number of attacks that do not involve encryption and instead rely solely on data theft as a means of applying pressure reached 6,182 during the same period, a 23% increase from 2024.

As for the average ransom payment, the figure stood at $591,988 in Q4 2025, a 57% jump from Q3 2025, driven by a small number of “illegal settlements,” Coveware said in its quarterly report last week, adding that threat actors may return to their “data encryption roots” for better leverage in ransom negotiations.
