Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools


Executive Summary

The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools. By embedding a vulnerable kernel-mode driver directly within its payload, Reynolds achieves a high degree of stealth and operational efficiency, enabling the ransomware to disable security controls and execute its encryption routines unimpeded. This report provides a comprehensive technical analysis of the Reynolds campaign, its exploitation of the NsecSoft NSecKrnl driver (CVE-2025-68947), observed tactics and procedures, victimology, and actionable mitigation strategies for defenders and executives alike.

Threat Actor Profile

The Reynolds ransomware campaign has been attributed to a threat actor cluster exhibiting advanced operational security and a deep understanding of Windows internals. Public reporting links the use of the BYOVD technique, specifically the deployment of the NsecSoft NSecKrnl driver, to the Silver Fox group, a threat actor previously observed using similar methods to facilitate the deployment of ValleyRAT and other post-exploitation frameworks. The actor demonstrates a preference for targeting organizations with mature security postures, particularly those relying on industry-leading EDR and antivirus solutions. While the Silver Fox group is the primary actor associated with this campaign, the BYOVD methodology has also been observed in operations conducted by ransomware groups such as Ryuk and Obscura, indicating a broader adoption of this defense evasion paradigm within the cybercriminal ecosystem.

Technical Analysis of Malware/TTPs

The Reynolds ransomware attack chain is characterized by a multi-stage intrusion process, beginning with initial access via a side-loaded loader, followed by the deployment of the ransomware payload and the embedded vulnerable driver. The NsecSoft NSecKrnl driver, identified as CVE-2025-68947, is a signed kernel-mode driver that exposes functionality for arbitrary process termination. By exploiting this capability, the ransomware is able to terminate the processes of major EDR and antivirus products, including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (including HitmanPro.Alert), and Symantec Endpoint Protection.

Upon execution, the ransomware drops the NSecKrnl.sys driver to a temporary or system directory and loads it into kernel space. The driver is then used to enumerate and forcibly terminate security agent processes, effectively blinding the host to subsequent malicious activity. This is followed by the core ransomware routine, which encrypts files and drops a ransom note. In several observed cases, the attackers also deployed the GotoHTTP remote access tool post-encryption, indicating an intent to maintain persistent access for further exploitation or negotiation.

The BYOVD technique employed by Reynolds is notable for its efficiency and stealth. By embedding the driver within the ransomware payload, the attackers eliminate the need for separate tool delivery, reducing the attack's footprint and complicating detection by traditional security controls. Because the driver carries a valid signature, it satisfies Windows Driver Signature Enforcement and loads like any legitimate driver, granting the malware kernel-level privileges without the need to defeat that control.

The campaign leverages several MITRE ATT&CK techniques, including T1562.001 (Impair Defenses: Disable or Modify Tools), T1068 (Exploitation for Privilege Escalation), and T1216 (Signed Binary Proxy Execution). The attackers' ability to operate with elevated privileges and disable security controls prior to encryption significantly increases the likelihood of successful extortion.

Exploitation in the Wild

The Reynolds ransomware campaign has been observed in multiple incidents across enterprise environments, with initial access typically established via a side-loaded loader weeks prior to ransomware deployment. The attack chain is characterized by a period of reconnaissance and lateral movement, culminating in the delivery of the ransomware payload and the embedded NSecKrnl.sys driver.

The Silver Fox threat actor has previously used the same driver to disable endpoint security tools before deploying ValleyRAT, demonstrating a consistent pattern of leveraging vulnerable drivers for defense evasion. Other drivers, such as truesight.sys and amsdk.sys, have also been used in similar BYOVD attacks by various ransomware groups, underscoring the prevalence of this technique in the current threat landscape.

Public reporting indicates that the Reynolds campaign targets organizations with robust EDR and antivirus deployments, exploiting the trust placed in signed drivers to bypass security controls. The deployment of the GotoHTTP remote access tool post-encryption suggests a dual objective of data exfiltration and persistent access, increasing the potential impact of the attack.

Victimology and Targeting

While specific victim organizations have not been publicly disclosed, the Reynolds ransomware campaign is known to target sectors with mature security postures, including enterprise, government, and critical infrastructure. The attack methodology is agnostic to geography, with incidents reported in both the United States and the United Kingdom, and is applicable to any organization relying on Windows-based EDR and antivirus solutions.

The primary targeting criterion appears to be the presence of industry-leading security products susceptible to process termination via the NSecKrnl.sys driver. The attack is not limited to specific product versions, as the vulnerability resides in the driver itself rather than the security software. Any Windows system running EDR or antivirus agents that can be terminated by a privileged driver is at risk.

Mitigation and Countermeasures

To defend against the Reynolds ransomware campaign and similar BYOVD attacks, organizations should implement a multi-layered security strategy focused on driver control, process monitoring, and remote access tool detection. Key mitigation steps include:

Blocking and removing vulnerable drivers using Windows Defender Application Control (WDAC) or equivalent solutions to prevent the loading of known vulnerable drivers such as NSecKrnl.sys. Organizations should maintain an up-to-date blocklist of driver hashes associated with CVE-2025-68947 and other exploited drivers.

Monitoring for driver installation events, particularly the loading of unsigned or unexpected drivers. Since NSecKrnl.sys is validly signed, signature status alone is not a reliable filter; alerts should key on the driver's file name and hash. Security teams should configure alerts for driver loads matching known vulnerable hashes and investigate any anomalous activity.

Hunting for unexplained process terminations, especially those affecting EDR and antivirus agents. Sudden or mass termination of security processes should trigger immediate investigation and incident response procedures.

Auditing for unauthorized remote access tools, including GotoHTTP. Regularly review installed software and network traffic for indicators of unauthorized remote access, and implement application whitelisting to restrict the execution of unapproved tools.

Ensuring that all systems are running the latest security patches and that endpoint protection solutions are configured to detect and respond to driver-based attacks. Where possible, enable kernel-mode code integrity checks and restrict the installation of third-party drivers.

Conducting regular threat hunting exercises to identify signs of lateral movement, privilege escalation, and defense evasion consistent with BYOVD techniques.
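As an added example that is not part of the original report, the following Python sketch implements the correlation the hunting steps above describe: a known-vulnerable driver load followed shortly by the termination of several security-agent processes on the same host. The event records, process names and the driver hash are constructed placeholders, not indicators from the page.

```python
# Added example (not from the original report): correlate Sysmon-style driver-load
# events (ID 6) with security-agent process terminations (ID 5) to surface the
# BYOVD "EDR killer" sequence described above. All data below is constructed.
from datetime import datetime, timedelta

# Defender-maintained blocklist of known-vulnerable driver names and SHA-256 hashes.
# The hash is a PLACEHOLDER: populate it from vetted advisories, not from here.
VULN_DRIVER_NAMES = {"nseckrnl.sys", "truesight.sys", "amsdk.sys"}
VULN_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_NSECKRNL_SYS"}
# Illustrative agent process names for the products the report lists as targets.
SECURITY_PROCESSES = {"csfalconservice.exe", "cyserver.exe", "hmpalert.exe",
                      "sophosfs.exe", "avastsvc.exe", "ccsvchst.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_vuln_driver(event):
    # NSecKrnl.sys is validly signed, so this keys on name/hash, not signature
    # status: a signed driver passes Driver Signature Enforcement and loads.
    return (basename(event["image"]) in VULN_DRIVER_NAMES
            or event.get("sha256") in VULN_DRIVER_SHA256)

def correlate(events, window_s=60, min_kills=2):
    """Alert on each vulnerable-driver load followed within window_s seconds by
    at least min_kills security-agent terminations on the same host."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6 or not is_vuln_driver(ev):
            continue
        deadline = ev["time"] + timedelta(seconds=window_s)
        killed = [e["image"].rsplit("\\", 1)[-1] for e in events[i + 1:]
                  if e["id"] == 5 and e["host"] == ev["host"]
                  and e["time"] <= deadline
                  and basename(e["image"]) in SECURITY_PROCESSES]
        if len(killed) >= min_kills:
            alerts.append({"host": ev["host"], "driver": ev["image"], "killed": killed})
    return alerts

T0 = datetime(2026, 2, 10, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real incident data
    {"id": 6, "host": "WS01", "time": T0, "image": r"C:\Windows\Temp\NSecKrnl.sys",
     "sha256": "PLACEHOLDER_SHA256_OF_NSECKRNL_SYS", "signed": True},
    {"id": 5, "host": "WS01", "time": T0 + timedelta(seconds=3), "image": r"C:\EDR\CSFalconService.exe"},
    {"id": 5, "host": "WS01", "time": T0 + timedelta(seconds=4), "image": r"C:\EDR\hmpalert.exe"},
    {"id": 5, "host": "WS01", "time": T0 + timedelta(seconds=5), "image": r"C:\Windows\notepad.exe"},
    {"id": 6, "host": "WS02", "time": T0, "image": r"C:\Windows\System32\drivers\http.sys", "signed": True},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for WS01 (driver load followed by two agent kills) and none for WS02, whose signed but benign driver load is not followed by any terminations.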

References

The Hacker News: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html

MITRE ATT&CK T1562.001: Impair Defenses: Disable or Modify Tools https://attack.mitre.org/techniques/T1562/001/

NVD: CVE-2025-68947, NsecSoft NSecKrnl driver vulnerability https://nvd.nist.gov/vuln/detail/CVE-2025-68947

Dark Reading: 'Reynolds' Bundles BYOVD With Ransomware Payload https://www.darkreading.com/threat-intelligence/black-basta-bundles-byovd-ransomware-payload

LinkedIn: The Hacker News' Post on Reynolds Ransomware https://www.linkedin.com/posts/thehackernews_reynolds-ransomware-embeds-its-own-activity-7426999051637706752-jOpT

Huntress: EnCase BYOVD EDR Killer https://www.huntress.com/blog/encase-byovd-edr-killer

CSO Online: Attackers exploit decade-old Windows driver flaw to shut down modern EDR defenses https://www.csoonline.com/article/4127968/attackers-exploit-decade%E2%80%91old-windows-driver-flaw-to-shut-down-modern-edr-defenses.html

Security.com: Black Basta: Defense Evasion Capability Embedded in Ransomware https://www.security.com/threat-intelligence/black-basta-ransomware-byovd

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring resilience in an evolving threat landscape. For more information about our solutions or to discuss your cybersecurity needs, we are happy to answer questions at ops@rescana.com.
