Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools


Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that embeds a bring your own vulnerable driver (BYOVD) component for defense evasion within the ransomware payload itself.

BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years.

“Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software,” the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. “However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”

Broadcom’s cybersecurity teams noted that this tactic of bundling a defense evasion component within the ransomware payload is not novel, and that it has been observed in a Ryuk ransomware attack in 2020 and in an incident involving a lesser-known ransomware family called Obscura in late August 2025.

In the Reynolds campaign, the ransomware is designed to drop a vulnerable NsecSoft NSecKrnl driver and terminate processes associated with various security programs from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (along with HitmanPro.Alert), and Symantec Endpoint Protection, among others.

It’s worth noting that the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that could be exploited to terminate arbitrary processes. Notably, the driver has been put to use by a threat actor known as Silver Fox in attacks designed to kill endpoint security tools prior to delivering ValleyRAT.

Over the past year, the hacking group has wielded multiple legitimate but flawed drivers – including truesight.sys and amsdk.sys – as part of BYOVD attacks to disarm security programs.

Bringing defense evasion and ransomware capabilities together in one component makes it harder for defenders to stop the attack, and it also removes the need for an affiliate to separately incorporate this step into their modus operandi.
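The telemetry pattern described above (a vulnerable driver load followed shortly by a burst of security-process terminations on the same host) can be hunted for with a simple correlation. The script below is an added example, not code from the Symantec and Carbon Black report; the event format, host names, the `NSecKrnl.sys` file name and the watched process names are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Driver names mentioned in the article; the exact on-disk file name of the
# NSecKrnl driver is an assumption, hence case-insensitive substring matching.
VULNERABLE_DRIVERS = ("nseckrnl", "truesight.sys", "amsdk.sys", "gamedriverx64.sys")
# Constructed stand-ins for EDR/AV agent process names (not real product names).
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "sensor_svc.exe"}
WINDOW = timedelta(minutes=5)  # kills must follow the driver load within this window
MIN_KILLS = 2                  # and hit at least this many watched processes

# Constructed, flattened Sysmon-style events: "<ISO time> <host> <kind> <detail>"
LINE_RE = re.compile(r"^(\S+) (\S+) (DriverLoad|ProcessTerminate) (\S+)$")

def parse(line):
    """Parse one event line; returns (time, host, kind, detail) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, kind, detail = m.groups()
    return datetime.fromisoformat(ts), host, kind, detail

def detect_byovd_kills(lines):
    """Return (host, driver, killed) alerts: a vulnerable-driver load followed
    by MIN_KILLS+ security-process terminations on the same host within WINDOW."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    alerts = []
    for ts, host, kind, detail in events:
        if kind != "DriverLoad":
            continue
        driver = detail.rsplit("\\", 1)[-1].lower()
        if not any(v in driver for v in VULNERABLE_DRIVERS):
            continue
        killed = sorted({d.lower() for t, h, k, d in events
                         if h == host and k == "ProcessTerminate"
                         and ts <= t <= ts + WINDOW
                         and d.lower() in SECURITY_PROCESSES})
        if len(killed) >= MIN_KILLS:
            alerts.append((host, driver, killed))
    return alerts

SAMPLE_LOG = [  # constructed sample; WS-22 is benign (signed hub driver, one kill)
    "2025-11-03T09:00:01 WS-17 DriverLoad C:\\Windows\\Temp\\NSecKrnl.sys",
    "2025-11-03T09:00:04 WS-17 ProcessTerminate edr_agent.exe",
    "2025-11-03T09:00:05 WS-17 ProcessTerminate av_service.exe",
    "2025-11-03T09:00:06 WS-17 ProcessTerminate notepad.exe",
    "2025-11-03T09:10:00 WS-22 DriverLoad C:\\Windows\\System32\\drivers\\usbhub.sys",
    "2025-11-03T09:10:02 WS-22 ProcessTerminate edr_agent.exe",
]
```

Calling `detect_byovd_kills(SAMPLE_LOG)` flags only WS-17; in practice the driver list should be driven by Microsoft's vulnerable driver blocklist or file hashes rather than names, since attackers can rename the file.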

“Also of note in this attack campaign was the presence of a suspicious side-loaded loader on the target’s network several weeks prior to the ransomware being deployed,” Symantec and Carbon Black said.

Another tool deployed on the target network a day after the ransomware deployment was the GotoHTTP remote access program, indicating that the attackers may be looking to maintain persistent access to the compromised hosts.

“BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags,” the company said.

“The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that packaging the defense evasion binary and the ransomware payload together is “quieter”, with no separate external file dropped on the victim network.”

The finding coincides with various ransomware-related developments in recent weeks –

  • A high-volume phishing campaign has used emails with Windows shortcut (LNK) attachments to run PowerShell code that fetches a Phorpiex dropper, which is then used to deliver the GLOBAL GROUP ransomware. The ransomware is notable for carrying out all activity locally on the compromised system, making it compatible with air‑gapped environments. It also conducts no data exfiltration.
  • Attacks mounted by WantToCry have abused virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. Some of the hostnames have been identified in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as various malware campaigns involving NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.
  • It’s assessed that bulletproof hosting providers are leasing ISPsystem virtual machines to other criminal actors for use in ransomware operations and malware delivery by exploiting a design weakness in VMmanager’s default Windows templates that reuse the same static hostname and system identifiers every time they are deployed. This, in turn, allows threat actors to set up thousands of VMs with the same hostname and complicate takedown efforts.
  • DragonForce has created a “Company Data Audit” service to support affiliates during extortion campaigns as part of the continued professionalization of ransomware operations. “The audit includes a detailed risk report, prepared communication materials, such as call scripts and executive-level letters, and strategic guidance designed to influence negotiations,” LevelBlue said. DragonForce operates as a cartel that allows affiliates to create their own brands while operating under its umbrella and gaining access to its resources and services.
  • The latest iteration of LockBit, LockBit 5.0, has been found to use ChaCha20 to encrypt files and data across Windows, Linux, and ESXi environments, a shift from the AES-based encryption approach in LockBit 2.0 and LockBit 3.0. In addition, the new version features a wiper component, an option to delay execution prior to encryption, a progress bar to track encryption status, improved anti-analysis techniques to evade detection, and enhanced in-memory execution to minimize disk traces.
  • The Interlock ransomware group has continued its assault on U.K.- and U.S.-based organizations, particularly in the education sector, in one case leveraging a zero-day vulnerability in the “GameDriverx64.sys” gaming anti-cheat driver (CVE-2025-61155, CVSS score: 5.5) to disable security tools in a BYOVD attack. The attack is also characterized by the deployment of NodeSnake/Interlock RAT (aka CORNFLAKE) to steal sensitive data, while initial access is said to have originated from a MintLoader infection.
  • Ransomware operators have been observed increasingly shifting their focus from traditional on-premises targets to cloud storage services, especially misconfigured S3 buckets used by Amazon Web Services (AWS), with the attacks leaning on native cloud features to delete or overwrite data, suspend access, or extract sensitive content, while simultaneously staying under the radar.

According to data from Cyble, GLOBAL GROUP is one of the many ransomware crews that sprang forth in 2025, the others being Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. In Q4 2025 alone, Sinobi’s data leak site listings increased 306%, making it the third-most active ransomware group after Qilin and Akira, per ReliaQuest.

“Meanwhile, the return of LockBit 5.0 was one of Q4’s biggest shifts, driven by a late-quarter spike that saw the group list 110 organizations in December alone,” researcher Gautham Ashok said. “This output signals a group that can scale execution quickly, convert intrusions into impact, and sustain an affiliate pipeline capable of operating at volume.”

The emergence of new players, combined with partnerships forged between existing groups, has led to a spike in ransomware activity. Ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024. The number of attacks that don’t involve encryption and instead rely purely on data theft as a means to exert pressure reached 6,182 during the same period, a 23% increase from 2024.

As for the average ransom payment, the figure stood at $591,988 in Q4 2025, a 57% jump from Q3 2025, driven by a small number of “outsized settlements,” Coveware said in its quarterly report last week, adding threat actors may return to their “data encryption roots” for more effective leverage to extract ransoms from victims.
