Cybersecurity researchers have uncovered a newly emerging ransomware strain named Reynolds, which is raising the bar in how attackers evade detection and disable defensive software before carrying out encryption. What sets this malware apart is its use of a sophisticated evasion method known as “Bring Your Own Vulnerable Driver” (BYOVD), an increasingly popular tactic for compromising security systems on Windows machines.
What Is BYOVD and How Does Reynolds Use It?
BYOVD is a technique where threat actors deploy legitimate but inherently flawed software drivers—small pieces of code that operate at a deep level within the operating system—to bypass established security controls. Because these drivers are digitally signed and appear trusted, Windows will load them without raising alarms, even though they contain weaknesses attackers can exploit.
The Reynolds ransomware embeds such a driver—specifically the NSecSoft NSecKrnl driver—directly into its own malicious payload. This means the ransomware doesn’t rely on external tools or stages to weaken defensive software. Instead, the driver is dropped and executed as a service the moment the malware runs.
Once active, the vulnerable driver leverages a known flaw (tracked as CVE-2025-68947) to perform several offensive actions far beyond its intended legitimate purpose. These include:
- Bypassing kernel-level protections in Windows
- Elevating privilege to system-level access
- Terminating processes associated with antivirus and endpoint detection tools
- Tampering with or disabling security software entirely
Targeting Modern Security Tools
Analysis of the malware’s behavior shows that Reynolds attempts to kill or disrupt a wide range of widely used security products before it proceeds with malicious activities. Among the affected tools are solutions from major cybersecurity vendors—Microsoft Defender, Sophos, Symantec, CrowdStrike, ESET, and Avast, to name a few.
Why This Matters
Traditionally, ransomware attacks have unfolded in multiple phases: first gaining access, then disabling or outsmarting defensive tools, and finally deploying encryption. In many cases, security teams could detect or block each phase. With Reynolds, however, defense evasion is fused tightly with the ransomware itself. The BYOVD driver is bundled inside the same payload that ultimately encrypts files, making it harder for defenders to spot and stop the attack before it’s too late.
This integrated approach not only reduces the “noise” that could trigger defensive alerts but also shortens the window in which defenders might respond. By the time security tools react, much of the damage may already be done.
Implications for Organisations
The emergence of Reynolds highlights a worrying trend: attackers are not just targeting gaps in defensive setups—they are actively weaponizing trusted system components to neutralize those defenses. For organisations, this underscores the importance of layered security strategies that go beyond traditional signature-based detection. Behavioural analysis, real-time monitoring, and proactive patching of known vulnerabilities (like those in signed drivers) are vital to staying ahead of these evolving threats.
