Reynolds Ransomware BYOVD Eludes EDR Tools

The Exploit: Penetration Testing Insights From The Frontlines
Posted on February 20, 2026

Written by Nathan Anderson

Ransomware continuously evolves, presenting new challenges for both individuals and organizations. A recent development is the emergence of a sophisticated ransomware named Reynolds, which stands out due to its advanced defense evasion tactics.

Bring Your Own Vulnerable Driver – BYOVD

What makes Reynolds notable is how it applies the technique known as Bring Your Own Vulnerable Driver (BYOVD): the evasion capability is built directly into the ransomware payload, which makes it difficult for EDR (Endpoint Detection and Response) tools to catch. BYOVD works by loading a legitimately signed but vulnerable kernel driver and abusing its flaws, which lets the ransomware operate with kernel-level access, conceal its activity, and bypass detection mechanisms.

In the case of Reynolds, instead of deploying separate tools beforehand to disable security measures, the vulnerable driver is bundled within the ransomware itself. Upon execution, Reynolds drops an NsecSoft NSecKrnl driver and exploits a known vulnerability (CVE-2025-68947) to terminate the processes of various security products, effectively evading detection and response mechanisms. The NSecKrnl driver, while legitimate, contains a critical vulnerability that enables attackers to terminate arbitrary processes.

The integration of BYOVD within the ransomware payload poses significant challenges for defenders. By bundling defense evasion capabilities, attackers reduce the noise typically associated with deploying separate tools, making it harder for security systems to detect and respond in time. This tactic not only enhances the effectiveness of the attack but also streamlines the process for affiliates, who no longer need to incorporate additional steps into their operations.
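Because the abused driver is legitimately signed, a signature check alone will not flag it; defenders have to look at which driver was loaded, from where, and what happened right after. The script below is an added example written for this post, not code from the original article or from any vendor. It parses constructed, simplified Sysmon-style records (driver load, event ID 6, and process terminate, event ID 5) and raises an alert when a driver load matches a vulnerable-driver watchlist or blocklist, comes from a user-writable path, or is followed within a short window by the termination of security-agent processes. The driver file name `NSecKrnl.sys`, the security-process names, and the blocklist hash are assumptions or constructed placeholders; the post itself only names "NsecSoft NSecKrnl" and CVE-2025-68947.

```python
"""Detect BYOVD-style driver abuse from Sysmon-like driver-load (ID 6) and
process-terminate (ID 5) records.  Added example; not from the original post."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed driver file name: the post names only "NsecSoft NSecKrnl" (CVE-2025-68947).
VULNERABLE_DRIVER_NAMES = {"nseckrnl.sys"}
# Constructed placeholder hash; populate from a vetted vulnerable-driver blocklist in practice.
BLOCKED_DRIVER_SHA256 = {"0" * 64}
# Illustrative security-agent process names (constructed, not vendor-specific guidance).
SECURITY_PROCESS_NAMES = {"msmpeng.exe", "edr-agent.exe"}
# Directories a normal user can write to; a kernel driver loaded from here is unusual.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Event:
    event_id: int
    utc_time: datetime
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one 'Key=Value | Key=Value' record (constructed, simplified Sysmon export format)."""
    fields = {}
    for token in line.strip().split(" | "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    when = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return Event(int(fields["EventID"]), when, fields)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def driver_load_reasons(ev: Event) -> list[str]:
    """Static checks on a single driver-load event.  A valid signature alone is not
    exculpatory: the driver abused in a BYOVD attack is legitimately signed."""
    reasons = []
    image = ev.fields.get("ImageLoaded", "")
    if basename(image) in VULNERABLE_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name")
    hashes = dict(h.split("=", 1) for h in ev.fields.get("Hashes", "").split(",") if "=" in h)
    if hashes.get("SHA256", "").lower() in BLOCKED_DRIVER_SHA256:
        reasons.append("driver hash on blocklist")
    if any(d in image.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("driver loaded from user-writable path")
    if ev.fields.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    return reasons


def correlate(events: list[Event], window: timedelta = timedelta(seconds=120)) -> list[dict]:
    """Pair each driver load with security-process terminations that follow it
    within `window`.  A driver load immediately followed by the death of security
    agents is the behavioural fingerprint of the technique described in the post."""
    alerts = []
    terminations = [e for e in events if e.event_id == 5]
    for load in (e for e in events if e.event_id == 6):
        reasons = driver_load_reasons(load)
        killed = sorted(
            basename(t.fields.get("Image", ""))
            for t in terminations
            if load.utc_time <= t.utc_time <= load.utc_time + window
            and basename(t.fields.get("Image", "")) in SECURITY_PROCESS_NAMES
        )
        if reasons or killed:
            alerts.append({"driver": load.fields["ImageLoaded"], "reasons": reasons,
                           "security_processes_terminated": killed})
    return alerts


# Constructed sample records: one benign driver load, then a vulnerable-driver load
# followed by two security-agent terminations and one unrelated termination.
SAMPLE_LOG = """\
EventID=6 | UtcTime=2026-02-20 10:00:00 | ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys | Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=6 | UtcTime=2026-02-20 10:05:00 | ImageLoaded=C:\\ProgramData\\upd\\NSecKrnl.sys | Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000 | Signed=true | Signature=NsecSoft | SignatureStatus=Valid
EventID=5 | UtcTime=2026-02-20 10:05:03 | ProcessId=4120 | Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe
EventID=5 | UtcTime=2026-02-20 10:05:04 | ProcessId=5308 | Image=C:\\Program Files\\EDR\\edr-agent.exe
EventID=5 | UtcTime=2026-02-20 10:05:30 | ProcessId=6644 | Image=C:\\Windows\\System32\\notepad.exe
"""


def analyse(log_text: str) -> list[dict]:
    return correlate([parse_line(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the benign `ndis.sys` load produces nothing, while the `NSecKrnl.sys` load is flagged on three static grounds and correlated with the two security-agent terminations that follow it. In a real deployment the name and hash lists should come from a maintained source such as a vendor's vulnerable-driver blocklist, and the correlation window tuned to the telemetry latency of the EDR in use.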

Ransomware Trends

This type of cyber threat demonstrates that attackers are continuously seeking new ways to evade security systems, making it harder for antivirus software and other security measures to detect and neutralize these threats efficiently.

Beyond Reynolds, 2025 saw broader trends in ransomware evolution, with both emerging groups, such as GLOBAL GROUP and Devman, and established entities like LockBit adapting their methods. For instance, LockBit’s updated version incorporates advanced encryption techniques and malicious features, underscoring the dynamic nature of cybercrime.

Reynolds demonstrates the need for organizations to put preemptive measures in place, including penetration tests, vulnerability management, and patch management.

Nathan Anderson

Nathan has been working in Information Technology and Cybersecurity for nine years and has competed in several Capture The Flag (CTFs) events. He holds the Offensive Security Certified Professional (OSCP) certification and, for the past five years, has enjoyed using his skills in the Penetration Testing and Network Security realms. In his off time, when he’s not taking part in a CTF, security research, or working on a new IoT project, he enjoys building furniture and hiking.
