Reynolds Ransomware Uses BYOVD via NsecSoft NSecKrnl Driver to Kill EDR Processes
Reynolds, an emerging ransomware family, has been reported using a Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimate but flawed signed kernel driver (NsecSoft NSecKrnl) is bundled directly inside the ransomware payload and used to evade defenses. The driver vulnerability, tracked as CVE-2025-68947 (reported CVSS 5.7), can be abused to terminate arbitrary processes from kernel context, which lets Reynolds disable endpoint security tooling before encryption begins. Because the driver carries a valid signature, driver-signing enforcement alone does not stop it; blocking depends on driver blocklists (for example Microsoft's vulnerable driver blocklist or a WDAC policy that denies the driver's hash) and on detecting the load-then-kill sequence in telemetry.
Reporting indicates Reynolds drops the vulnerable NSecKrnl driver and then targets processes associated with several security products (including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos/HitmanPro.Alert, and Symantec Endpoint Protection). Researchers noted that embedding the BYOVD component in the ransomware payload, rather than deploying a separate pre-ransomware "EDR killer" tool, has precedent in earlier ransomware activity (e.g., Ryuk and Obscura), and that the same driver has been associated with activity attributed to the Silver Fox threat actor in other campaigns.
How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
GotoHTTP remote access tool found after Reynolds encryption
Researchers found the GotoHTTP remote access tool deployed after the ransomware event, with one report placing it a day after the compromise. The finding suggests the operators sought to maintain or regain access after encryption.
Researchers publicly disclose Reynolds ransomware campaign
Broadcom/Symantec and Carbon Black publicly reported the new Reynolds ransomware family and its unusual design of embedding BYOVD capability directly in the ransomware payload. The disclosure highlighted targeting in the US and UK and warned that integrated defense evasion could make ransomware attacks faster and stealthier.
Reynolds ransomware deploys embedded BYOVD to kill security tools
In the observed intrusions, the Reynolds ransomware payload dropped and loaded the vulnerable signed NsecSoft NSecKrnl driver, then exploited CVE-2025-68947 to terminate EDR and antivirus processes before encrypting systems. Broadcom researchers initially suspected Black Basta because of similar tradecraft, but later confirmed the malware was a distinct ransomware family, which they named Reynolds.
Attackers stage Reynolds intrusions with a side-loaded loader
Investigators observed a suspicious side-loaded loader in victim environments weeks before ransomware deployment, indicating an initial access or staging phase. The dwell period reportedly involved reconnaissance and lateral movement before the final attack.
Silver Fox previously abused NSecKrnl driver with ValleyRAT
Public reporting cited in the sources below links the vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) to earlier Silver Fox activity, where it was used to help deploy ValleyRAT and other post-exploitation tooling. This establishes prior criminal use of the same BYOVD component before Reynolds was identified.
Sources
Ransomware encryptors. The Digest "Crypto-Ransomware": Reynolds (id-ransomware.blogspot.com)
BYOVD technique embedded in nascent Reynolds ransomware. SC Media (scworld.com)
Reynolds ransomware uses BYOVD to disable security before encryption (securityaffairs.com)
Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools (rescana.com)
Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools (thehackernews.com)