Reynolds Ransomware Shows Why BYOVD Is the New EDR Bypass
Threat Group Reynolds Ransomware Group
Threat Type Ransomware with integrated Bring Your Own Vulnerable Driver exploitation
Exploited Vulnerabilities CVE-2025-68947 abuse of the NsecSoft NSecKrnl driver authorisation model
Malware Used Reynolds Ransomware with embedded NSecKrnl.sys kernel driver
Threat Score 🔴 9.1/10 High risk
Last Threat Observation 11 February 2026
Overview
Reynolds ransomware marks a decisive escalation in ransomware tradecraft through the direct integration of Bring Your Own Vulnerable Driver techniques into the primary payload. Rather than deploying a separate EDR killer or defence evasion stage, Reynolds embeds a signed but vulnerable kernel driver that disables endpoint protection before encryption begins. This design removes the traditional detection window relied upon by modern EDR platforms and exposes fundamental weaknesses in enterprise driver trust governance.
The campaign reflects a broader shift away from noisy, encryption-only attacks toward intrusions in which adversaries first disable visibility and response capabilities at the kernel level. Once security controls are neutralised, ransomware execution becomes highly reliable and recovery significantly more complex.
Background and Discovery
Reynolds ransomware was first identified in February 2026 during multiple enterprise incident response investigations across large organisations. In each observed case, endpoint security tooling was terminated seconds before encryption activity began. Early analysis identified tradecraft similarities with prior Black Basta operations, particularly in process termination logic and targeting strategy. Current intelligence, however, assesses Reynolds as an independent threat actor operating within the same ransomware ecosystem.
The campaign rapidly gained attention due to its operational use of CVE-2025-68947 within a unified ransomware binary. This represents a clear break from earlier approaches that relied on separate EDR killer utilities such as AuKill, which were often detected during staging.
Technical Analysis
Delivery Method
Initial access is primarily achieved through phishing campaigns delivering malicious Windows shortcut files. These LNK attachments execute obfuscated PowerShell commands that download a secondary payload, most commonly the Phorpiex dropper. Attackers typically maintain extended dwell time to perform reconnaissance, credential harvesting, and lateral movement before deploying the final Reynolds ransomware payload.
Payload and Behaviour
The Reynolds payload drops the vulnerable NSecKrnl.sys driver into a user writable directory.
A system service is created to load the driver into kernel mode.
Crafted IOCTL requests are issued to terminate protected security processes.
Endpoint visibility is removed prior to encryption.
Encrypted files are appended with the .locked extension and ransom instructions are delivered.
This integrated execution model eliminates the gap between defensive evasion and encryption, significantly reducing opportunities for detection or intervention.
Indicators of Compromise IoCs
File names or paths
%TEMP%\NSecKrnl.sys
%APPDATA%\NSecKrnl.sys
Registry keys
HKLM\SYSTEM\CurrentControlSet\Services\NSecKrnl
Network indicators
No reliable data available for this section
Process behaviour
Unexpected termination of endpoint protection processes outside scheduled update or shutdown windows
Windows Event ID 7045 (System log) recording a new service of type "kernel mode driver" whose image path is outside %SystemRoot%\System32\drivers
Windows Event ID 4689 (Security log, process has exited) for security agent processes, occurring seconds after the 7045 driver install
Threat Context
Reynolds highlights a systemic weakness in how organisations manage kernel trust. BYOVD attacks exploit the implicit trust the Windows operating system places in signed drivers, allowing adversaries to operate from Ring 0 where user mode security controls have limited authority. By embedding this capability directly into the ransomware payload, Reynolds removes the staging indicators defenders have historically relied upon.
This campaign reinforces a growing reality. Ransomware operators increasingly treat endpoint security platforms as the primary target rather than an obstacle to evade. Organisations that permit broad driver loading or rely solely on endpoint agents without kernel enforcement face materially elevated risk.
Risk Assessment
The likelihood of compromise is high for organisations without strict driver execution controls, Windows Defender Application Control enforcement, or memory integrity protections enabled. Impact includes immediate loss of endpoint visibility, rapid ransomware execution, increased extortion success rates, and prolonged recovery timelines. Large enterprises and regulated industries are particularly exposed due to their dependence on endpoint protection platforms that can be neutralised through BYOVD techniques.
Detection and Mitigation
Detection Guidance
Monitor for unexpected kernel driver installations originating from user writable directories.
Alert on abrupt exit of protected security processes (Event ID 4689) that is not explained by a scheduled update, reboot, or administrative action, and treat several agents exiting within the same few seconds as high confidence.
Correlate driver load events with sudden loss of EDR or Defender telemetry.
Mitigation Strategies
Enforce Windows Defender Application Control with strict driver allow lists.
Enable Hypervisor-Protected Code Integrity (HVCI, shown as memory integrity in Windows Security) and Secure Boot across all supported endpoints.
Ensure the Microsoft vulnerable driver blocklist is enforced and regularly validated; the blocklist is updated with Windows servicing, so a newly abused driver may not be covered immediately and should be blocked explicitly in the interim.
BYOVD Threat Hunting Checklist
Review historical driver load events for signed but non standard drivers.
Identify kernel drivers installed from TEMP or APPDATA locations.
Hunt for service creation events followed by immediate security process termination.
Correlate Event ID 7045 with Event ID 4689 involving endpoint protection tools.
Validate memory integrity enforcement across all Windows endpoints.
Audit driver installation privileges granted to non administrative users.
Investigate unexplained gaps in EDR telemetry as potential kernel level evasion.
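The detection guidance and the hunting checklist above both reduce to one correlation: a kernel-mode driver service installed from a user-writable path (Event ID 7045), followed within seconds by exits of security agent processes (Event ID 4689). The Python below is an added example written for this page, not code from any of the cited sources, that runs that correlation over constructed event records shaped like a SIEM or Get-WinEvent JSON export. The field names, the 60-second window, the user-writable path markers and the list of security process names are assumptions to adapt to your own telemetry and EDR.

```python
"""Correlate Windows 7045 (service installed) and 4689 (process exited) events
to spot BYOVD-style EDR termination: a kernel-mode driver service installed from
a user-writable path, followed within seconds by exits of security agent processes.
Added example; the events below are synthetic, not captured from an incident."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lower-cased substrings that mark a driver image path as user-writable (assumption:
# kernel drivers belong under %SystemRoot%\System32\drivers; anything else is suspect).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\", "%temp%", "%appdata%")

# Illustrative endpoint-protection process names (assumption: extend for your EDR).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe", "csfalconservice.exe",
    "sentinelagent.exe", "cb.exe", "cylancesvc.exe",
}


@dataclass(frozen=True)
class Finding:
    service_name: str
    image_path: str
    installed_at: datetime
    terminated: tuple[str, ...]  # security processes that exited within the window


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def is_user_writable_path(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def suspicious_driver_installs(events: list[dict]) -> list[dict]:
    """7045 events that installed a kernel-mode driver from a user-writable location."""
    return [
        e for e in events
        if e["Id"] == 7045
        and e.get("ServiceType", "").lower() == "kernel mode driver"
        and is_user_writable_path(e.get("ImagePath", ""))
    ]


def security_process_exits(events: list[dict]) -> list[dict]:
    """4689 events whose exiting process is a known security agent."""
    out = []
    for e in events:
        if e["Id"] != 4689:
            continue
        name = e.get("ProcessName", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SECURITY_PROCESSES:
            out.append(e)
    return out


def correlate(events: list[dict], window_seconds: int = 60) -> list[Finding]:
    """Pair each suspicious driver install with security-agent exits that follow it
    within window_seconds. Exits before the install are ignored: that ordering is
    what separates an EDR kill from a routine agent update or reboot."""
    findings = []
    exits = security_process_exits(events)
    for inst in suspicious_driver_installs(events):
        t0 = _ts(inst)
        killed = tuple(sorted({
            x["ProcessName"].replace("/", "\\").rsplit("\\", 1)[-1]
            for x in exits
            if t0 <= _ts(x) <= t0 + timedelta(seconds=window_seconds)
        }))
        if killed:
            findings.append(Finding(inst["ServiceName"], inst["ImagePath"], t0, killed))
    return findings


# Constructed sample telemetry (synthetic; names and timestamps are assumptions).
SAMPLE_EVENTS = [
    {"Id": 7045, "TimeCreated": "2026-02-11T03:12:00", "ServiceName": "NSecKrnl",
     "ImagePath": "\\??\\C:\\Users\\jdoe\\AppData\\Local\\Temp\\NSecKrnl.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"Id": 4689, "TimeCreated": "2026-02-11T03:12:04",
     "ProcessName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"Id": 4689, "TimeCreated": "2026-02-11T03:12:05",
     "ProcessName": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
    # Benign noise: a driver installed from System32 and an unrelated process exit.
    {"Id": 7045, "TimeCreated": "2026-02-11T02:00:00", "ServiceName": "vendorfilt",
     "ImagePath": "System32\\drivers\\vendorfilt.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
    {"Id": 4689, "TimeCreated": "2026-02-11T03:12:06",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe"},
    # A security agent exit hours before the install: outside the window, not correlated.
    {"Id": 4689, "TimeCreated": "2026-02-11T01:00:00",
     "ProcessName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"ALERT {f.installed_at}: driver service {f.service_name!r} loaded from "
              f"{f.image_path}, then {', '.join(f.terminated)} exited")
```

Run it against an export of the System and Security logs from the affected host or from your SIEM; the sample data yields one alert for the NSecKrnl install followed by the Defender and Defender for Endpoint process exits, while the System32 driver and the pre-install exit are ignored. The order check matters more than the window size: agent updates also produce 4689 events, but not immediately after a driver install from %TEMP% or %APPDATA%.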
Remediation Checklist for IT Engineers
☐ Disconnect infected and suspected systems from the network immediately.
☐ Preserve memory captures and disk images prior to system shutdown for forensic analysis.
☐ Block NSecKrnl.sys by file hash and driver name across all endpoints; a renamed copy keeps the same hash, so the hash-based rule is the durable control.
☐ Identify and remove persistence mechanisms, including Phorpiex and GotoHTTP tooling.
☐ Force password resets for all privileged and laterally exposed accounts.
☐ Validate backup integrity offline and scan backups for Reynolds ransomware artefacts before restoration.
☐ Restrict driver installation permissions to approved administrative workflows only.
Sources
The Hacker News – Reynolds Ransomware Embeds BYOVD Driver to Disable EDR – https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html
Dark Reading – Reynolds Bundles BYOVD With Ransomware Payload – https://www.darkreading.com/threat-intelligence/black-basta-bundles-byovd-ransomware-payload
SentinelOne – CVE-2025-68947 NSecKrnl Driver Privilege Escalation Flaw – https://www.sentinelone.com/vulnerability-database/cve-2025-68947/
NVD NIST – CVE-2025-68947 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-68947