Cybersecurity researchers have identified a new ransomware family called Reynolds that introduces a dangerous variant of an already known tactic: "bring your own vulnerable driver", or BYOVD. In essence, BYOVD abuses legitimate but flawed drivers to obtain high privileges and take endpoint detection and response solutions out of the fight, so that the infection proceeds undetected. A detailed analysis of this mechanism can be found on Halcyon's blog.
What makes the Reynolds case unique is that the vulnerable component is not deployed as a separate kit before the encryptor is delivered, but is packed inside the ransomware executable itself. According to Symantec and Carbon Black's threat-hunter team, the campaign installs an NsecSoft driver called NSecKrnl to exploit a vulnerability that allows arbitrary processes to be terminated, and then stops security services and processes from known vendors. The report was shared with The Hacker News and summarized by Security.com.

The bundled driver is tied to a known flaw tracked as CVE-2025-68947, which facilitates the termination of processes. This is not the first time malicious actors have abused legitimately signed but buggy drivers: earlier investigations document how threats such as Silver Fox used exactly that driver to neutralize security solutions and deploy payloads like ValleyRAT, and BYOVD has a history in ransomware campaigns going back years. An analysis of this type of driver abuse by actors such as Silver Fox can be found at Hexastrike.
In the campaign described, the attackers not only dropped the vulnerable driver; the code actively sought out and terminated processes belonging to protection solutions such as Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (and HitmanPro.Alert), and Symantec Endpoint Protection, among others. This selective shutdown of defenses makes it easier for the encryptor to complete its task unobstructed.
Security vendors and other observers have seen variations of this combination of evasion and ransomware before. For example, Broadcom and other research teams have identified past campaigns in which evasion through vulnerable drivers was integrated into ransomware operations (a notable precedent was a case involving the Ryuk family in 2020), and recent incidents with lesser-known families that repeat the pattern have been reported. A review of the reappearance of similar techniques in Ryuk is available on Fortinet's blog.
Another element that caught the researchers' attention was prior activity on the compromised network: weeks before Reynolds detonated the encryptor, a suspicious side-loaded loader appeared, and one day after the ransomware deployment the installation of the remote access program GotoHTTP was detected. This suggests a typical multi-phase intrusion pattern: reconnaissance, establishment of persistence and, finally, detonation of the ransomware.
From the attacker's perspective, packing the evasion capability together with the ransomware itself has obvious advantages: it reduces the need to download or run additional binaries that could generate alerts, and makes the whole operation "quieter" from a detection standpoint. For defenders, this integration complicates traceability and forces them to look beyond the encryptor executable to detect the complete payload.
The Reynolds finding comes at a time when the ransomware landscape is both fragmented and increasingly professionalized. In recent weeks, high-volume campaigns exploiting classic shortcuts have been documented, such as mass phishing mailings with LNK shortcut files that run PowerShell to download a dropper (the route followed by the GLOBAL GROUP family), as detailed by Forcepoint analysts. Such droppers can even operate in network-isolated environments by performing all their actions on the local machine.
Other recent abuses point to poorly configured virtual infrastructure. The WantToCry family has taken advantage of ISPsystem VMmanager default templates to create thousands of virtual machines with static names and identifiers, which makes it easier for unscrupulous "hosting" providers to rent them out and complicates blocking actions by the authorities. Investigations such as Sophos's show how a supply-side weakness can be exploited at scale by malicious actors.
In parallel, some ransomware gangs are advancing the professionalization of their "affiliate service". One example is DragonForce, which offers a support package for extortion operations, including data audits, communication material and negotiation scripts, according to LevelBlue's analysis. For its part, LockBit has evolved into more complex versions, with LockBit 5.0 using ChaCha20 to encrypt across multiple platforms (Windows, Linux and ESXi) and incorporating a wiper, execution delays and anti-analysis techniques, as described by LevelBlue researchers in several reports (an introduction to LockBit 5.0 and complementary parts on its Windows, Linux and ESXi targets).
BYOVD tactics have also been exploited with other vulnerable drivers: the Interlock group, for example, has used a bug in the anti-cheat driver GameDriverx64.sys (CVE-2025-61155) to disable defenses and deploy remote access malware such as NodeSnake / Interlock RAT, in incidents where the initial intrusion was linked to a loader called MintLoader, as Fortinet reports in its research on the group (Interlock analysis).
Another relevant change is the shift of some operators from their traditional focus on on-premises servers to cloud targets: poorly configured AWS S3 buckets and other services have become valuable targets for data theft and sabotage. Industry research, including work by Trend Micro, shows how actors exploit cloud-native features to delete, encrypt or exfiltrate information without attracting much attention.

The proliferation of new groups in 2025 (according to Cyble) and the increased activity of known gangs have driven up the volume of incidents. Monitoring reports such as ReliaQuest's show peaks in data leaks and in listings on leak sites; in parallel, Coveware's incident response data reflect that the average ransom payment in the fourth quarter of 2025 was driven up by a few large-scale settlements.
What practical lessons does this wave leave? First, basic security hygiene reappears as a priority: patching drivers and systems, restricting the installation of unauthorized signed drivers, and monitoring side-loading and unusual processes. EDR solutions should strengthen kernel supervision and not rely solely on a driver's signature to consider it benign. Organizations that handle cloud resources, for their part, should audit storage permissions and configurations, and apply controls to prevent reusable templates or images from facilitating mass abuse.
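A defender-side illustration of the monitoring point above, added here and not taken from the article or from any vendor: it correlates kernel driver loads with the termination of security-product processes over constructed Sysmon-like records, using the NSecKrnl driver name from the article as the watchlist entry and assumed process names for the products the article lists.

```python
"""Flag a watchlisted driver load followed by termination of security-product
processes: the BYOVD sequence the article attributes to Reynolds.
Added example, not code from the article or any vendor. Events are constructed
in a simplified Sysmon-like shape; process names are assumed for illustration."""
from datetime import datetime, timedelta

# Driver names treated as vulnerable even when validly signed (NSecKrnl is
# the driver named in the article).
VULNERABLE_DRIVERS = {"nseckrnl.sys"}

# Process images of products the article lists as targets (assumed names).
PROTECTED_IMAGES = {"csfalconservice.exe", "savservice.exe", "ccsvchst.exe",
                    "cyserver.exe", "hmpalert.exe", "avastsvc.exe"}

# Constructed sample telemetry: (timestamp, event type, fields).
SAMPLE_EVENTS = [
    ("2025-11-03 10:14:02", "DriverLoad",
     {"ImageLoaded": r"C:\Users\Public\NSecKrnl.sys", "Signed": "true"}),
    ("2025-11-03 10:14:05", "ProcessTerminate",
     {"Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"}),
    ("2025-11-03 10:14:06", "ProcessTerminate",
     {"Image": r"C:\Program Files\Sophos\SavService.exe"}),
    ("2025-11-03 11:30:00", "ProcessTerminate",
     {"Image": r"C:\Windows\System32\notepad.exe"}),
    ("2025-11-04 09:00:00", "DriverLoad",
     {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"}),
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_byovd_sequences(events, window=timedelta(minutes=5)):
    """Return one alert per watchlisted driver load that is followed within
    `window` by the termination of a protected process. The Signed field is
    ignored on purpose: a valid signature does not make a driver benign."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, f)
              for ts, kind, f in events]
    alerts = []
    for t_load, kind, f in parsed:
        if kind != "DriverLoad" or _basename(f["ImageLoaded"]) not in VULNERABLE_DRIVERS:
            continue
        killed = [e["Image"] for t, k, e in parsed
                  if k == "ProcessTerminate" and t_load <= t <= t_load + window
                  and _basename(e["Image"]) in PROTECTED_IMAGES]
        if killed:
            alerts.append({"driver": f["ImageLoaded"], "loaded_at": t_load,
                           "terminated": killed})
    return alerts
```

Running `find_byovd_sequences(SAMPLE_EVENTS)` yields a single alert for the NSecKrnl load with the two protected processes killed within the window; the later tcpip.sys load and the unrelated notepad termination produce nothing.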
The convergence of techniques, from packaged BYOVD to the use of poorly configured virtual hosts and "affiliate" services that professionalize extortion, paints a picture in which attackers seek to reduce operational friction and increase the impact of each intrusion. The result is a more sophisticated and resilient threat, which requires not only tools but more stringent governance processes and controls.