
Reynolds Ransomware Abuses NsecSoft Driver Flaw to Kill Endpoint Protections


Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds, which embeds a built-in bring your own vulnerable driver (BYOVD) component directly within the ransomware payload to enable defense evasion.

BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions, allowing malicious activity to proceed unnoticed. Over the years, many ransomware groups have adopted this strategy to bypass modern defenses.

“Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software,” the Symantec and Carbon Black Threat Hunter Team said in a report. “However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”

Meanwhile, Broadcom’s cybersecurity teams emphasized that bundling a defense evasion component within the ransomware payload does not represent a novel tactic. Researchers previously observed this approach in a Ryuk ransomware attack in 2020 and again in late August 2025 during an incident involving a lesser-known ransomware family called Obscura.

In the Reynolds campaign, the ransomware drops a vulnerable NsecSoft NSecKrnl driver and actively terminates processes associated with multiple security products. These include tools from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (along with HitmanPro.Alert), and Symantec Endpoint Protection, among others.

Exploiting a Known Driver Vulnerability

Notably, the NSecKrnl driver suffers from a known security flaw (CVE-2025-68947, CVSS score: 5.7) that attackers can exploit to terminate arbitrary processes. Previously, a threat actor known as Silver Fox leveraged the same driver in attacks designed to kill endpoint security tools before delivering ValleyRAT.

Over the past year, the hacking group has also wielded several other legitimate but flawed drivers — including truesight.sys and amsdk.sys — as part of BYOVD attacks aimed at disarming security programs.

By combining defense evasion and ransomware capabilities into a single component, attackers make detection and response significantly harder for defenders. At the same time, this approach removes the need for affiliates to separately integrate defense evasion steps into their modus operandi.
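A defender-side detection sketch for the BYOVD pattern described above, added here as an example and not part of the original report: it correlates a load of any driver named on this page (NSecKrnl, truesight.sys, amsdk.sys, GameDriverx64.sys) with a burst of security-process terminations shortly afterwards. The log format, file paths and EDR process names are constructed placeholders; in production the same logic maps onto Sysmon Event ID 6 (Driver loaded) and Event ID 5 (Process terminated).

```python
"""Flag the BYOVD pattern described above: a watchlisted driver load followed by
a burst of security-process terminations. Log format and events are constructed."""
from datetime import datetime, timedelta

# Driver name fragments the article reports as abused in BYOVD attacks;
# matched as substrings so variants such as a "64" suffix are caught too.
VULNERABLE_DRIVERS = ("nseckrnl", "truesight", "amsdk", "gamedriverx64")
# Placeholder EDR/AV image names (constructed); use your deployed agents' names.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "xdr_sensor.exe"}

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line):
    """Parse one 'ISO-timestamp|event_type|image_path' record (constructed format)."""
    ts, kind, image = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), kind, image

def is_watchlisted_driver(image):
    return any(frag in basename(image) for frag in VULNERABLE_DRIVERS)

def detect_byovd(lines, window=timedelta(minutes=10), min_kills=2):
    """Return [(driver_image, security_processes_killed)] for each watchlisted
    driver load followed within `window` by at least `min_kills` such kills."""
    events = sorted(parse_event(l) for l in lines if l.strip())
    alerts = []
    for ts, kind, image in events:
        if kind != "driver_loaded" or not is_watchlisted_driver(image):
            continue
        killed = {basename(img) for t2, k2, img in events
                  if k2 == "process_terminated" and ts <= t2 <= ts + window
                  and basename(img) in SECURITY_PROCESSES}
        if len(killed) >= min_kills:
            alerts.append((image, len(killed)))
    return alerts

SAMPLE_LOG = [  # constructed sample telemetry, not real events
    "2025-09-01T10:00:00|driver_loaded|C:\\Windows\\System32\\drivers\\nseckrnl.sys",
    "2025-09-01T10:00:05|process_terminated|C:\\Program Files\\EDR\\edr_agent.exe",
    "2025-09-01T10:00:06|process_terminated|C:\\Program Files\\AV\\av_service.exe",
    "2025-09-01T10:00:07|process_terminated|C:\\Program Files\\XDR\\xdr_sensor.exe",
    "2025-09-01T11:30:00|driver_loaded|C:\\Windows\\System32\\drivers\\disk.sys",
    "2025-09-01T11:30:10|process_terminated|C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for driver, count in detect_byovd(SAMPLE_LOG):
        print(f"ALERT: {driver} loaded, then {count} security processes terminated")
```

A benign driver load (disk.sys) followed by an unrelated process exit does not alert, and the threshold keeps a single agent restart from firing on its own.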

Early Indicators and Post-Intrusion Activity

“Also of note in this attack campaign was the presence of a suspicious side-loaded loader on the target’s network several weeks prior to the ransomware being deployed,” Symantec and Carbon Black said.

Additionally, attackers deployed the GotoHTTP remote access program on the target network one day after ransomware execution, suggesting an attempt to maintain persistent access to compromised systems.

“BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags,” the company said.

“The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that packaging the defense evasion binary and the ransomware payload together is “quieter”, with no separate external file dropped on the victim network.”

Related Ransomware Developments

At the same time, the findings align with several ransomware-related developments reported in recent weeks.

A high-volume phishing campaign has leveraged emails containing Windows shortcut (LNK) attachments to execute PowerShell code that retrieves a Phorpiex dropper. Attackers then use the dropper to deliver GLOBAL GROUP ransomware, which performs all activity locally on the infected system. As a result, the ransomware remains compatible with air-gapped environments and conducts no data exfiltration.

Separately, attacks attributed to WantToCry have abused virtual machines provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and distribute malicious payloads at scale. Investigators have identified some of the hostnames across infrastructure tied to multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware campaigns involving NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers lease ISPsystem virtual machines to criminal actors by exploiting a design weakness in VMmanager’s default Windows templates. Specifically, the templates reuse the same static hostname and system identifiers during deployment, allowing threat actors to spin up thousands of virtual machines with identical hostnames and complicate takedown efforts.

Meanwhile, DragonForce has introduced a “Company Data Audit” service to support affiliates during extortion campaigns, reflecting the continued professionalization of ransomware operations. “The audit includes a detailed risk report, prepared communication materials, such as call scripts and executive-level letters, and strategic guidance designed to influence negotiations,” LevelBlue said. DragonForce operates as a cartel, enabling affiliates to build independent brands while accessing shared resources and services.

LockBit, Interlock, and the Shift to Cloud Targets

Researchers have also identified LockBit 5.0 using ChaCha20 encryption across Windows, Linux, and ESXi environments, marking a departure from the AES-based approach used in LockBit 2.0 and 3.0. In addition, the new version introduces a wiper component, execution delays, encryption progress tracking, enhanced anti-analysis features, and improved in-memory execution to reduce disk artifacts.

At the same time, the Interlock ransomware group has sustained attacks against organizations in the U.K. and U.S., particularly within the education sector. In one case, attackers exploited a zero-day vulnerability in the GameDriverx64.sys gaming anti-cheat driver (CVE-2025-61155, CVSS score: 5.5) as part of a BYOVD attack to disable security tools. The campaign also involved deploying NodeSnake/Interlock RAT (aka CORNFLAKE) to steal sensitive data, with initial access traced back to a MintLoader infection.

Additionally, ransomware operators have increasingly shifted focus from traditional on-premises targets to cloud storage services. In particular, attackers have targeted misconfigured Amazon Web Services (AWS) S3 buckets, abusing native cloud features to delete or overwrite data, suspend access, or exfiltrate sensitive content while remaining under the radar.

According to Cyble, GLOBAL GROUP ranks among several ransomware crews that emerged in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. During Q4 2025 alone, Sinobi’s data leak site listings surged by 306%, making it the third-most active ransomware group after Qilin and Akira, according to ReliaQuest.

“Meanwhile, the return of LockBit 5.0 was one of Q4’s biggest shifts, driven by a late-quarter spike that saw the group list 110 organizations in December alone,” researcher Gautham Ashok said. “This output signals a group that can scale execution quickly, convert intrusions into impact, and sustain an affiliate pipeline capable of operating at volume.”

Rising Attack Volume and Ransom Demands

Ultimately, the arrival of new ransomware groups and growing collaboration among existing players has fueled a surge in activity. Ransomware actors claimed responsibility for 4,737 attacks in 2025, up from 4,701 in 2024. Meanwhile, attacks relying solely on data theft rather than encryption climbed to 6,182 incidents, representing a 23% increase year over year.

Finally, average ransom payments reached $591,988 in Q4 2025, marking a 57% jump from Q3 2025. Coveware attributed the rise to a small number of outsized settlements and suggested that threat actors may return to traditional data encryption tactics to exert stronger leverage over victims.

Source: TheHackerNews

Read more at Impreza News
