Reynolds Ransomware Bundles Vulnerable Driver to Kill EDRs — Technical Readout and Source Links


Cybersecurity researchers have identified a new ransomware family called Reynolds that embeds a bring-your-own-vulnerable-driver (BYOVD) component directly into its malware payload. This technique lets attackers disable endpoint detection and response (EDR) tools before encryption begins, increasing the chance of a successful attack.

In a report by Broadcom’s Symantec and Carbon Black Threat Hunter Team, Reynolds was found to bundle a vulnerable kernel-mode driver called NSecSoft NSecKrnl inside the ransomware itself, rather than deploying the driver separately. This embedded defense-evasion tactic helps the malware terminate security processes and persist undetected longer.

“A vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself,” the Symantec and Carbon Black Threat Hunter Team wrote in its analysis of Reynolds ransomware.

Threat actors have used BYOVD techniques for years to bypass security products by abusing weaknesses in legitimate, signed drivers. What makes Reynolds notable is the fusion of ransomware deployment with defense evasion in a single payload, reducing the window defenders have to detect and block the attack.

How Reynolds Uses BYOVD to Evade Security

Bring-your-own-vulnerable-driver (BYOVD) attacks rely on legitimate but flawed drivers that run with high system privileges. Once loaded, these drivers can be manipulated to:

  • Elevate attacker privileges to SYSTEM level.
  • Disable or kill processes for popular security tools.
  • Undermine endpoint detection and response products.
  • Reduce detection signals that normally trigger alerts.

In the Reynolds campaign, the NSecKrnl driver is exploited through a known flaw tracked as CVE-2025-68947, which allows arbitrary process termination without proper permission checks.

The ransomware drops the NSecKrnl driver and asks the operating system to install it as a service. The driver is then abused to kill processes linked to security products such as:

  • Microsoft Defender
  • CrowdStrike Falcon
  • Avast antivirus
  • Symantec Endpoint Protection
  • Sophos utilities

This cleanup of security processes weakens defenses before file encryption starts, giving attackers more time to carry out their mission.

Why This Matters for Enterprise Security

Ransomware has evolved beyond simple file encryption. Modern variants increasingly incorporate stealthy evasion techniques like BYOVD to cripple defenses before causing damage.

Embedding a vulnerable driver directly in the ransomware payload is unusual, but it reflects wider trends in ransomware tradecraft. According to industry analysts, attackers prefer this integrated approach because it avoids dropping separate files that defenders might detect and block.

“If there is no gap between the defense evasion tool being deployed and the ransomware being dropped, there is no opportunity for defenders to stop the attack,” the Symantec and Carbon Black Threat Hunter Team noted.

This tactic also lowers the barrier for ransomware operators and affiliates by eliminating the need to tailor separate evasion tools. It may accelerate attacks and reduce the chances of early detection on enterprise endpoints.

How BYOVD Works in Practice

  • Driver Deployment: Reynolds drops the NSecSoft NSecKrnl driver along with the ransomware executable.
  • Driver Installation: The malware creates a service entry for the vulnerable driver to load at boot or run time.
  • Process Termination: Exploiting CVE-2025-68947, the driver is manipulated to kill EDR/security processes.
  • Ransomware Execution: With defenses suppressed, file encryption or other payload actions occur with reduced interference.
  • Post-Attack Activity: In some cases, remote access tools such as GotoHTTP were seen on networks after ransomware execution. (security.com)

Typical Security Tools Targeted by Reynolds

  • Microsoft Defender Antivirus
  • Symantec Endpoint Protection
  • CrowdStrike Falcon
  • Sophos Endpoint Security
  • Avast Security Suite
  • ESET Endpoint Protection

By terminating these processes, attackers reduce the likelihood of alerts or blocks that would normally slow or stop the intrusion.

Broader Ransomware Trends Impacting Defenders

Reynolds is not the only ransomware strain using BYOVD or similar evasion methods. Other ransomware families have weaponized drivers and post-exploit evasion techniques in recent years as part of multi-stage attacks.

Examples of Related Tactics

  • Ryuk ransomware used BYOVD components in a 2020 campaign to disable security tools before encryption.
  • Lesser-known variants like Obscura also integrated drivers for defense evasion in 2025.
  • EnCase digital forensics drivers have been misused as EDR killers in separate incidents reported by security researchers.

These examples show that ransomware actors are refining their approaches by merging evasion tactics and payloads in creative ways that challenge traditional endpoint defenses.

Risk Mitigation and Defense Strategies

To defend against Reynolds-style BYOVD ransomware attacks, enterprises should:

  • Harden driver loading policies by disabling unsigned or vulnerable drivers where possible.
  • Enable kernel-level driver blocklists such as Windows Defender’s Vulnerable Driver Blocklist.
  • Use multi-layered endpoint security that combines behavior analytics with signature detection.
  • Implement application allow-listing to prevent unauthorized driver installations.
  • Continuously monitor for suspicious services or newly installed drivers on endpoints.
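Because Reynolds installs the NSecKrnl driver as a service, the last mitigation item (monitoring for newly installed drivers and services) can be turned into a concrete triage of Service Control Manager "service installed" events. The Python below is an added example, not code from Symantec, Carbon Black or any vendor; the event lines are constructed, and the flattened Key=Value layout of Event ID 7045 is an assumption about how a SIEM export presents the event.

```python
import re
# Constructed sample of Service Control Manager "service installed" events (Windows
# System log, Event ID 7045) flattened to Key=Value lines; every value is made up.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=NSecKrnl ImagePath=\\??\\C:\\Users\\Public\\nseckrnl.sys ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType=user mode service StartType=auto start",
    "EventID=7045 ServiceName=mouclass ImagePath=\\SystemRoot\\System32\\drivers\\mouclass.sys ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=updsvc ImagePath=C:\\ProgramData\\tmp\\drv.sys ServiceType=kernel mode driver StartType=auto start",
]

# Driver file name the article ties to Reynolds' BYOVD step (NSecSoft NSecKrnl);
# a seed only, in production feed this set from your vulnerable-driver blocklist.
KNOWN_VULNERABLE_DRIVERS = {"nseckrnl.sys"}
# Directory from which inbox and vendor kernel drivers normally load.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split a flattened event line into fields. Values may contain spaces
    ('kernel mode driver'); the lookahead ends a value only at the next Key=."""
    return dict(_KV.findall(line))

def normalize_path(p):
    """Fold the NT-style prefixes seen in ImagePath into a plain lower-case path."""
    p = p.lower().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p

def triage(events):
    """Return (service name, reasons) for every 7045 event that installs a kernel
    driver with a known-vulnerable file name or from outside the drivers folder."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "7045" or "kernel" not in ev.get("ServiceType", "").lower():
            continue
        path = normalize_path(ev.get("ImagePath", ""))
        reasons = []
        if path.rsplit("\\", 1)[-1] in KNOWN_VULNERABLE_DRIVERS:
            reasons.append("known vulnerable driver file: " + path)
        if not path.startswith(TRUSTED_DRIVER_DIR):
            reasons.append("kernel driver loading from unusual path: " + path)
        if reasons:
            findings.append((ev.get("ServiceName", "?"), reasons))
    return findings
```

On the sample, the NSecKrnl and updsvc installs are flagged while the inbox mouclass driver and the user-mode Spooler service pass; a hit on a kernel driver right before mass process terminations is the sequence defenders should alert on.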

Proactive monitoring and strict driver management help reduce the risk of attackers abusing legitimate system components for malicious purposes.

FAQ: Reynolds Ransomware and BYOVD

What is Reynolds ransomware?

Reynolds is a newly documented ransomware family that embeds a BYOVD driver inside its ransomware payload to disable security tools before encryption.

What is BYOVD?

BYOVD stands for “bring your own vulnerable driver.” It refers to the use of legitimate but flawed drivers to bypass security controls and gain elevated privileges on a system.

Which vulnerability does Reynolds exploit?

Reynolds abuses the NSecSoft NSecKrnl driver vulnerability tracked as CVE-2025-68947 to terminate security processes.

Which security products are affected?

The campaign targets multiple EDR and antivirus products, including Microsoft Defender, CrowdStrike Falcon, Symantec, Sophos, and Avast tools.

How can enterprises defend against BYOVD attacks?

Enterprises can harden systems by enforcing driver load policies, using multi-layer endpoint security, and actively monitoring for rogue drivers and services.

Readers help support VPNCentral. We may get a commission if you buy through our links.