Mallory
Malware · Ransomware · Used by 2 actors · Exploits 1 CVE

Reynolds

Reynolds is an emerging ransomware family. Reported behavior shows it encrypts victim files using AES and RSA, appends the ".locked" extension, and drops a ransom note named "RestoreYourFiles.txt". The ransom note instructs victims to contact the operators via qTox and a Tor onion address, gives three days to initiate negotiations, and threatens renewed attacks and data leakage if contact is not made.

A defining characteristic of Reynolds is its built-in Bring Your Own Vulnerable Driver (BYOVD) capability for defense evasion. Researchers reported that the ransomware embeds and drops the signed but vulnerable NsecSoft NSecKrnl kernel driver (NSecKrnl.sys), creates a service to load it, and exploits CVE-2025-68947 to terminate security processes. Reported targets for process termination include Microsoft Defender, CrowdStrike, Sophos, Symantec, ESET, Avast, and Palo Alto Networks Cortex XDR, among others. Multiple reports emphasize that this BYOVD component is integrated directly into the ransomware payload rather than deployed as a separate killer tool.
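The driver-staging step described above (drop a signed vulnerable driver, register a service to load it) leaves a service-installation record that defenders can hunt on. The Python below is an added example, not code from Mallory or from any vendor report: it parses a few constructed Windows System-log 7045 ("a service was installed") records, rendered as key="value" lines, and flags kernel-driver services whose binary is named after a driver reported on this page (NSecKrnl.sys, plus the GameDriverx64.sys name quoted in the Silver Fox evidence) or that load from outside the standard drivers directory. The record layout and field names are assumptions; the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Driver names from public reporting on this page: NSecKrnl.sys (Reynolds) and
# GameDriverx64.sys (Silver Fox evidence). Extend from your own intel.
VULN_DRIVER_NAMES = {"nseckrnl.sys", "gamedriverx64.sys"}
# Normal home of kernel drivers; third-party drivers do live elsewhere, so this
# is a tuning-prone hunting heuristic, not a verdict.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
# Assumed record shape: one event per line, fields as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def assess(event: dict) -> list:
    """Reasons a service-install event looks like driver staging ([] = nothing)."""
    reasons = []
    if event.get("ServiceType") != "kernel mode driver":
        return reasons  # BYOVD needs a kernel driver; user-mode services are skipped
    # Driver ImagePath values often carry the NT-style "\??\" prefix; strip it.
    image = PureWindowsPath(event.get("ImagePath", "").removeprefix("\\??\\"))
    if image.name.lower() in VULN_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {image.name}")
    if image.parent != EXPECTED_DRIVER_DIR:  # PureWindowsPath compares case-insensitively
        reasons.append(f"driver loaded from non-standard path: {image.parent}")
    return reasons

def hunt(lines: list) -> list:
    """Return (ServiceName, reasons) for every record that raised a reason."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event.get("ServiceName", "?"), reasons))
    return hits

# Constructed sample records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    'EventID="7045" ServiceName="WdFilter" ImagePath="C:\\Windows\\System32\\drivers\\WdFilter.sys" ServiceType="kernel mode driver" StartType="boot start"',
    'EventID="7045" ServiceName="NSecKrnl" ImagePath="\\??\\C:\\Users\\Public\\NSecKrnl.sys" ServiceType="kernel mode driver" StartType="demand start"',
    'EventID="7045" ServiceName="UpdaterSvc" ImagePath="C:\\Program Files\\Vendor\\updater.exe" ServiceType="user mode service" StartType="auto start"',
    'EventID="7045" ServiceName="upd" ImagePath="C:\\Windows\\Temp\\upd.sys" ServiceType="kernel mode driver" StartType="demand start"',
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

The non-standard-path rule will fire on legitimate third-party drivers, so treat it as a triage signal and let the known-name match carry the weight.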

Observed intrusion activity suggests a multi-stage operation. Researchers noted a suspicious side-loaded loader present weeks before ransomware deployment and the GotoHTTP remote access tool found after encryption, indicating the operators may maintain access before and after the ransomware stage. Broadcom researchers initially linked the activity to Black Basta because of similar tradecraft, but later identified Reynolds as a distinct ransomware family. Some public reporting also links the tradecraft to the Silver Fox cluster based on shared use of the NSecKrnl driver, although the content does not establish definitive attribution.

Reported targeting includes organizations with mature security postures across enterprise, government, and critical infrastructure, with incidents noted in the United States and the United Kingdom. Separate reporting states the ransomware appears oriented toward English-speaking users but may spread globally. Mentioned possible delivery vectors include exposed RDP, phishing emails and malicious attachments, exploit-based delivery, deceptive downloads, botnets, malvertising, fake updates, and trojanized installers.

High-confidence indicators and identifiers mentioned in the content include the ".locked" file extension, the ransom note "RestoreYourFiles.txt", use of the NSecKrnl vulnerable driver, and a referenced sample with MD5 f0bdb2add62b0196a50e25e45e370cc5, SHA-1 6dae1c4879d951af60f26c56b8701a2c1a8cd550, and SHA-256 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d. Antivirus detections cited in the reporting include Trojan.Encoder.44391, Gen:Heur.Ransom.Imps.1, Win64/Filecoder.Slug.A Trojan, Trojan-Ransom.Win32.Gen.cfmt, Trojan:Win32/Etset!rfn, Ransom.LockFile!8.12D75, Win32.Trojan-Ransom.Gen.Ckjl, and Ransom.Win64.REYNOLDS.THBAABF.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-68947: Arbitrary Process Termination in NSecsoft NSecKrnl Windows Driver

The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools.

via rescana blog (rescana.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Black Basta

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

via Security Affairs (securityaffairs.com)
Silver Fox

The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools.

via rescana blog (rescana.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

T1068 Exploitation for Privilege Escalation (Evidence: 2)

"BYOVD ... abuses legitimate but flawed driver software to escalate privileges..."

Stealth

1 technique
T1211 Exploitation for Defense Evasion (Evidence: 1)
Tactic: Stealth

"...abuses legitimate but flawed driver software to ... disable Endpoint Detection and Response (EDR) solutions..."; "...leveraging ... a zero-day vulnerability in the 'GameDriverx64.sys' ... driver ... to disable security tools in a BYOVD attack."

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)
Tactic: Impact

"...ransomware family dubbed Reynolds..."; "LockBit 5.0 ... use ChaCha20 to encrypt files and data across Windows, Linux, and ESXi..."

Other

1 technique
T1562.001 Disable or Modify Tools (Evidence: 2)

"...drop a vulnerable NsecSoft NSecKrnl driver and terminate processes associated with various security programs..."

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.