The new age of Ransomware Reynolds: a payload that brings its own vulnerable driver to deactivate defenses and raise privileges

Published. 5 min read. 210 reads.

Security researchers have discovered a worrying variation in ransomware operations: a family called Reynolds, which integrates directly into its executable an evasion component based on vulnerable drivers, known in industry jargon as BYOVD (bring your own vulnerable driver). Instead of deploying a separate tool to disable protection solutions, the ransomware binary itself delivers and loads a legitimate but known-vulnerable driver, and uses it to kill security processes and raise privileges.

BYOVD is not a new invention, but its "all in one" inclusion in the ransomware payload increases risk and complicates detection. The technique, which abuses signed drivers that contain vulnerabilities allowing an attacker to terminate processes or disable controls, has been documented in multiple previous incidents; for example, analyses of attacks involving Ryuk in 2020 and other more recent incidents show how criminal actors have used third-party drivers to disable EDRs and antivirus (Fortinet).

[Image: The new age of Ransomware Reynolds: a payload that brings its own vulnerable driver to deactivate defenses and raise privileges. Image generated with AI.]

In the case of Reynolds, the embedded component drops an NsecSoft driver called NSecKrnl, a module with a public vulnerability identified as CVE-2025-68947, and uses it to terminate processes associated with products widely deployed in companies: from Avast and CrowdStrike Falcon to Palo Alto Networks Cortex XDR, Sophos and Symantec, among others. Researchers have pointed out that actors such as "Silver Fox" had already taken advantage of similar drivers in previous campaigns to prepare the ground for additional payloads such as the well-known RAT ValleyRAT (Hexastrike, Cybereason).

Incorporating the vulnerable driver directly into the ransomware makes the attack more "silent" and reduces the need for intermediate steps by an affiliate: there is no separate file that leaves additional traces on the network, and no prior deployment that defenders can detect. According to the firms that analyzed the sample, beyond the BYOVD itself the attack attributed to Reynolds showed the typical signs of an organized operation: the prior presence of a side-loaded loader weeks before the ransomware was activated, and the subsequent installation of a remote access tool (GotoHTTP) after the systems had been compromised, suggesting an intention to maintain access and perform post-operation maneuvers.

This pattern is part of a broader trend: in recent months and years, ransomware groups have professionalized their value chains and diversified their techniques. Some actors have developed "services" and in-house tools to support affiliates, such as DragonForce's extortion reports and scripts, while others have modernized their technical capabilities; LockBit 5.0, for example, moved to ChaCha20 and expanded its multi-platform range, as well as incorporating anti-analysis techniques and components that act as wipers (LevelBlue).

In parallel, delivery vectors continue to evolve. Massive phishing campaigns that use shortcut (.LNK) files to run PowerShell and download droppers have served to spread families like GLOBAL GROUP, which can even operate without relying on external communications and is compatible with air-gapped environments (Forcepoint). Other operators have abused poorly configured virtualization infrastructure to deploy VMs at scale that act as delivery hosts, taking advantage of templates with static identifiers to complicate mitigation by defenders (Sophos, Seqrite).

Recent figures confirm the trend: the constant emergence of new groups and collaboration between established gangs have kept pressure on organizations of all sizes. Industry reports indicate that data-theft extortion activity increased and that average ransom payments spiked in certain quarters, driven by a few "exceptional" negotiations that distort the average (ReliaQuest, Coveware).

In the face of this scenario, conventional defenses require adjustments. Drivers are a critical link: allowing the indiscriminate installation of third-party drivers or leaving virtual machine templates unchecked opens vectors that are easy to exploit. Maintaining a driver allowlisting policy, applying patches as soon as they are available (especially for publicly disclosed flaws such as the above-mentioned CVE) and monitoring for anomalous processes and kernel driver loads provide a major barrier. Recommendations from agencies such as CISA, together with endpoint and backup hardening practices, remain fundamental (CISA).


It is also important for security teams to monitor early engagement signals: side-loading of legitimate binaries, "silent" driver deployments, remote access tools installed afterwards, and lateral movement preceding the activation of encryption. Detection tools that analyze kernel telemetry and correlate events across the network may discover intrusions before the actor starts the destructive component of the attack.

For organizations, the practical recommendation is to review the chain of trust of all installed drivers, limit the privileges required to install drivers, segregate critical functions on the network and keep immutable backups offline. Preventing the execution of unexpected binaries and auditing virtual machine templates are steps that today weigh as much as patching and hardening endpoints.
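The driver-load monitoring and allowlisting recommended above can be reduced to a small triage rule set. The script below is an added example, not code from the article or from any vendor: it runs over constructed records shaped like Sysmon Event ID 6 (DriverLoad) fields and flags a load when its hash is on a vulnerable-driver blocklist, when it is absent from the organization's allowlist, when it comes from a user-writable path, or when it is unsigned. All hashes, paths and the allow/block lists are placeholders.

```python
"""Triage of driver-load telemetry for BYOVD indicators (constructed example)."""

# Constructed records in the shape of Sysmon Event ID 6 fields.
# The driver name mirrors the one discussed in the article; hashes are placeholders.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "Hashes": "SHA256=PLACEHOLDER_NDIS"},
    {"ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\NSecKrnl.sys", "Signed": "true",
     "Signature": "NsecSoft", "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_NSECKRNL"},
    {"ImageLoaded": "C:\\ProgramData\\svc\\helper.sys", "Signed": "false",
     "Signature": "", "Hashes": "SHA256=PLACEHOLDER_UNSIGNED"},
]

# Constructed policy: hashes the organization has approved, and a blocklist keyed by hash
# the way vulnerable-driver blocklists are (values are placeholders, not real indicators).
ALLOWLIST_HASHES = {"PLACEHOLDER_NDIS"}
BLOCKLIST_HASHES = {"PLACEHOLDER_NSECKRNL"}
# Locations a standard user can write to; a kernel driver has no business living there.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def sha256_of(hashes_field):
    """Extract the SHA256 value from a Sysmon-style 'ALGO=value,ALGO=value' field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None


def triage(event):
    """Return the reasons this driver load deserves attention (empty list = expected)."""
    reasons = []
    digest = sha256_of(event.get("Hashes", ""))
    path = event.get("ImageLoaded", "").lower()
    if digest in BLOCKLIST_HASHES:
        reasons.append("hash on vulnerable-driver blocklist")
    if digest not in ALLOWLIST_HASHES:
        reasons.append("driver not on organizational allowlist")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def findings(events):
    """Map each suspicious driver path to its triage reasons; clean loads are omitted."""
    return {e["ImageLoaded"]: triage(e) for e in events if triage(e)}


if __name__ == "__main__":
    for path, reasons in findings(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

In production the allowlist would be generated from a known-good baseline of the fleet and the blocklist from a maintained vulnerable-driver list, and the same rules can be expressed as a SIEM query over the real DriverLoad events.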

The lesson left by cases like Reynolds is clear: attackers do not depend on a single technique; they combine components until the operation is robust and silent. Defending requires both in-depth technical controls and organizational processes that reduce the attack surface and accelerate the response. In a landscape where methods are professionalized and packaged, resilience is built before the incident, not just after.
