New Reynolds Ransomware Bundles Driver Exploit to Disable Endpoint Security

Security researchers have uncovered a new ransomware strain known as Reynolds that takes defense evasion a step further by embedding a vulnerable driver directly inside its payload. This approach allows the malware to disable endpoint security tools before encryption begins, increasing the likelihood of a successful attack.

The technique used is known as Bring Your Own Vulnerable Driver (BYOVD). It exploits legitimate but flawed kernel drivers to gain elevated privileges and shut down Endpoint Detection and Response (EDR) products. While BYOVD itself is not new, Reynolds stands out by integrating this capability directly into the ransomware rather than deploying it as a separate stage.

According to analysis from Symantec and the Carbon Black Threat Hunter team, the Reynolds payload drops a vulnerable NsecSoft NSecKrnl driver as part of the infection chain. Once installed, the driver is abused to terminate processes linked to major security platforms, including tools from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos, HitmanPro.Alert, and Symantec Endpoint Protection.

The driver in question is affected by a known vulnerability tracked as CVE-2025-68947, which allows attackers to kill arbitrary processes. This same driver has previously been used by the threat actor known as Silver Fox to disable endpoint defenses before deploying ValleyRAT. Over time, Silver Fox has relied on several other flawed drivers, such as truesight.sys and amsdk.sys, to carry out similar attacks.

By combining ransomware delivery and defense evasion into a single component, Reynolds reduces the number of visible artifacts on a victim’s system. This makes detection harder and removes the need for affiliates to deploy additional tools during the attack.

Researchers also noted signs of preparation before the ransomware was launched. A suspicious side-loaded loader was detected on the affected network weeks ahead of encryption. Shortly after the ransomware execution, attackers deployed the GotoHTTP remote access tool, suggesting an attempt to maintain persistence even after the initial compromise.

BYOVD continues to appeal to attackers because it relies on signed, legitimate drivers that are less likely to be blocked by default security controls. Packaging the driver exploit together with the ransomware also makes the operation quieter, with fewer standalone binaries that might trigger alerts.
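Because BYOVD drivers carry a valid signature, a signature-only check will not flag them; a defender instead has to watch for the specific driver names loading. The following is an added example, not code from the article or from the Symantec/Carbon Black research: it scans constructed Sysmon Event ID 6 (DriverLoad) records for the drivers named above (NSecKrnl, truesight.sys, amsdk.sys). The record format and file paths are constructed, and the on-disk file name of the NSecKrnl driver is not given in the article, so a bare "nseckrnl" substring match is assumed.

```python
import re
from typing import Dict, Iterable, List

# Driver names the article associates with BYOVD abuse, matched case-insensitively
# against the loaded file name. Assumption: the article does not give the NSecKrnl
# on-disk file name, so a bare "nseckrnl" substring is used.
KNOWN_BYOVD_DRIVERS = ("nseckrnl", "truesight.sys", "amsdk.sys")

# Sysmon Event ID 6 fields flattened into "Key: value|Key: value" records.
# These records are constructed for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    "UtcTime: 2025-11-02 09:14:03|ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "UtcTime: 2025-11-02 09:21:47|ImageLoaded: C:\\Users\\Public\\NSecKrnl.sys"
    "|Signed: true|Signature: NsecSoft|SignatureStatus: Valid",
    "UtcTime: 2025-11-02 09:22:10|ImageLoaded: C:\\Temp\\truesight.sys"
    "|Signed: true|Signature: Constructed Vendor|SignatureStatus: Valid",
]


def parse_event(record: str) -> Dict[str, str]:
    """Split a flattened 'Key: value|Key: value' record into a dict."""
    fields = {}
    for part in record.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def driver_file_name(path: str) -> str:
    """Return the lower-cased file name; accepts both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_known_vulnerable(path: str) -> bool:
    name = driver_file_name(path)
    return any(marker in name for marker in KNOWN_BYOVD_DRIVERS)


def find_byovd_loads(records: Iterable[str]) -> List[Dict[str, str]]:
    """Return driver-load events whose file name matches a known BYOVD driver.
    A valid signature does not clear the load: BYOVD abuses legitimately signed drivers."""
    hits = []
    for record in records:
        ev = parse_event(record)
        path = ev.get("ImageLoaded", "")
        if is_known_vulnerable(path):
            hits.append({"time": ev.get("UtcTime", ""), "driver": path,
                         "signed": ev.get("Signed", ""), "signature": ev.get("Signature", "")})
    return hits


if __name__ == "__main__":
    for hit in find_byovd_loads(SAMPLE_EVENTS):
        print(f"[BYOVD candidate] {hit['time']} {hit['driver']} "
              f"signed={hit['signed']} ({hit['signature']})")
```

The same matcher can be pointed at a blocklist-style feed of vulnerable driver names; the important property is that it alerts on the load regardless of signature status.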

The Reynolds discovery comes amid a surge in ransomware-related activity across multiple fronts. Recent campaigns have included phishing emails using Windows shortcut files to deploy GLOBAL GROUP ransomware, abuse of legitimate virtual machine infrastructure to host malware, and the expansion of ransomware-as-a-service ecosystems offering negotiation and extortion support to affiliates.

Other notable trends include ransomware operators shifting toward cloud environments, particularly misconfigured AWS S3 buckets, where attackers can delete or overwrite data using native cloud features while avoiding traditional endpoint defenses.

Data from multiple threat intelligence sources shows that ransomware activity continued to grow throughout 2025. New groups emerged rapidly, existing operators scaled their campaigns, and data theft-only extortion became more common. At the same time, average ransom payments rose sharply, driven by a small number of high-value settlements.

The emergence of Reynolds highlights how ransomware operators are refining their tooling to bypass defenses more efficiently. As attackers continue to merge privilege escalation, persistence, and encryption into unified payloads, defenders are left with a shrinking window to detect and disrupt these attacks before damage is done.
