Reynolds ransomware uses BYOVD to disable security before encryption

https://securityaffairs.com/187869/security/reynolds-ransomware-uses-byovd-to-disable-security-before-encryption.html

Publish Date: 2026-02-11 10:01:00

Source Domain: securityaffairs.com

Pierluigi Paganini
February 11, 2026

Researchers discovered Reynolds ransomware, which uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encryption.

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Broadcom’s cybersecurity researchers initially attributed the attack to Black Basta because of overlapping tactics, but further analysis confirmed the payload was Reynolds, a new ransomware family. The campaign stands out because the BYOVD component is embedded directly in the ransomware. Instead of deploying a separate, stand-alone tool to disable security software before the encryptor runs (the usual pattern), Reynolds bundles the vulnerable NsecSoft NSecKrnl driver inside its own payload.

Bring Your Own Vulnerable Driver (BYOVD) is an attack technique in which threat actors load a legitimate but flawed driver to bypass security controls.

Instead of needing a zero-day or their own unsigned kernel code, attackers install a validly signed driver that contains known security flaws. Because the signature checks out, Windows driver signature enforcement allows it to load, unless the driver is on Microsoft’s vulnerable driver blocklist, which is enforced when HVCI (memory integrity) is on or the blocklist setting is enabled. Loading a driver already requires administrator rights, which the operator typically holds by this stage; the driver flaw then extends those rights into kernel-mode capability (commonly arbitrary kernel memory read/write or arbitrary process termination). Once running, attackers exploit the driver’s weakness to:

  • Bypass kernel-level protections, such as the Protected Process Light (PPL) status that shields security products from user-mode tampering
  • Escalate from administrator to kernel-mode code execution (from which SYSTEM access is trivial)
  • Disable or tamper with EDR/antivirus tools
  • Kill security processes that an administrator cannot terminate from user mode

The Reynolds ransomware drops the vulnerable NSecKrnl driver, creates a kernel-driver service to load it, and then abuses the driver flaw, tracked as CVE-2025-68947, to kill security processes belonging to major defense solutions, including Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET and Avast products.

“The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to…
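As an added example (not code from the article or from Broadcom’s report), the following PowerShell hunt checks a Windows host for the three stages of the chain described above: whether the vulnerable driver blocklist is actually enforced, whether a kernel-driver service was installed recently from an unusual path (System log Event ID 7045), and whether a loaded driver matches the NSecKrnl name or an operator-supplied hash list. The service name comes from the article; the empty hash list, the seven-day window and the “outside the drivers directory” heuristic are assumptions to be tuned per environment.

```powershell
# Added example, not from the article or Broadcom's report.
# Hunts a Windows host for the BYOVD stages Reynolds uses: blocklist state,
# kernel-driver service creation, and suspicious loaded driver files.
# Run from an elevated PowerShell prompt.

$SuspectNames   = @('NSecKrnl')   # service/driver name taken from the article
$KnownBadSha256 = @()             # assumption: fill from your own intel feed
$LookbackDays   = 7               # assumption: hunting window for 7045 events

function Get-DriverBlocklistState {
    # Windows 11 22H2+ exposes an explicit toggle; HVCI also enforces the
    # Microsoft vulnerable driver blocklist.
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI running
    [pscustomobject]@{
        BlocklistSetting = $ci.VulnerableDriverBlocklistEnable
        HvciRunning      = $hvci
        Enforced         = ($ci.VulnerableDriverBlocklistEnable -eq 1) -or $hvci
    }
}

function Get-RecentKernelServiceInstalls {
    # System log Event ID 7045: "A service was installed in the system."
    # A BYOVD loader shows up here as a kernel-mode driver service.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Service     = $d.ServiceName
            ImagePath   = $d.ImagePath
            ServiceType = $d.ServiceType
            Account     = $d.AccountName
        }
    } | Where-Object {
        $_.ServiceType -match 'kernel' -and (
            $SuspectNames -contains $_.Service -or
            $_.ImagePath -notmatch '\\system32\\drivers\\'   # heuristic: driver dropped outside the usual directory
        )
    }
}

function Get-SuspiciousLoadedDrivers {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        # Normalise the NT-style paths WMI returns so the file can be hashed.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if ($path -match '^\\SystemRoot\\') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
        $hash = $null; $signer = $null
        if ($path -and (Test-Path $path)) {
            $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        }
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path; Sha256 = $hash; Signer = $signer }
    } | Where-Object { $SuspectNames -contains $_.Name -or $KnownBadSha256 -contains $_.Sha256 }
}

Get-DriverBlocklistState        | Format-List
Get-RecentKernelServiceInstalls | Format-Table -AutoSize
Get-SuspiciousLoadedDrivers     | Format-List
```

The signer column is deliberately kept: a BYOVD driver is validly signed, so a “good” signature on a driver living outside System32\drivers, or one whose service appeared minutes before security processes died, is the tell, not a missing signature. If Sysmon is deployed, Event ID 6 (DriverLoad) in Microsoft-Windows-Sysmon/Operational carries the hash at load time and is a cheaper source for the same check than hashing files after the fact.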
