Reynolds ransomware embeds BYOVD drivers that disable EDR security tools

By user, February 10, 2026

Cybersecurity researchers have revealed details about an emerging ransomware family called Reynolds. This family includes a Bring Your Own Vulnerable Driver (BYOVD) component in the ransomware payload itself to evade defenses.

BYOVD refers to an adversarial technique that exploits legitimate but flawed driver software to escalate privileges and disable endpoint detection and response (EDR) solutions, allowing malicious activity to go unnoticed. This strategy has been adopted by many ransomware groups over the years.

“The BYOVD defense evasion component of an attack typically involves another tool deployed to the system before the ransomware payload to disable security software,” Symantec and the Carbon Black Threat Hunter team said in a report shared with The Hacker News. “However, in this attack, a vulnerable driver (NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”

Broadcom’s cybersecurity team noted that this tactic of bundling defensive evasion components within ransomware payloads is not new and was also observed in the 2020 Ryuk ransomware attack and in late August 2025 in an incident involving a lesser-known ransomware family called Obscura.

In the Reynolds campaign, the ransomware is designed to drop vulnerable NsecSoft NSecKrnl drivers and terminate processes associated with various security programs including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (along with HitmanPro.Alert), and Symantec Endpoint Protection.

The NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that can be exploited to terminate arbitrary processes. The same driver has previously been used by a threat actor known as Silver Fox in attacks aimed at subverting endpoint security tools prior to ValleyRAT delivery.

Over the past year, Silver Fox has exploited multiple legitimate but flawed drivers, including truesight.sys and amsdk.sys, as part of BYOVD attacks to disarm security programs.
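From a defender's side, the behaviour described above (a vulnerable driver dropped by the payload, followed by the termination of security-agent processes) is observable in kernel driver-load telemetry. The following is an added example, not code from the article or from Symantec, Carbon Black or Broadcom: it runs a simple detection over constructed Sysmon-style "Driver Loaded" (Event ID 6) and "Process Terminated" (Event ID 5) records, flags driver loads whose file name is on a watchlist built from the drivers named in this article (NSecKrnl.sys, truesight.sys, amsdk.sys and GameDriverx64.sys) or whose image path is user-writable, and then correlates each hit with protected-process terminations in the following minutes. The log format, the path heuristic, the five-minute window and the agent process names `edr_agent.exe` and `av_service.exe` are assumptions made for the example; a real deployment would match driver hashes against a maintained vulnerable-driver list rather than file names alone.

```python
"""Flag BYOVD-style driver loads and correlate them with security-agent process kills.

Added example; not the article's or any vendor's code. Input lines are constructed
key=value records modelled on Sysmon Event ID 6 (Driver Loaded) and Event ID 5
(Process Terminated) fields.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Driver file names the article reports as abused in BYOVD attacks.
WATCHLIST_DRIVER_NAMES = {"nseckrnl.sys", "truesight.sys", "amsdk.sys", "gamedriverx64.sys"}

# Heuristic (assumption): a legitimately installed driver is not expected to load from here.
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")

# Placeholder agent image names; substitute the real EDR/AV process names of your environment.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# How long after a suspicious driver load a protected-process termination counts as related.
CORRELATION_WINDOW = timedelta(minutes=5)

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    time: datetime
    driver: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one record into a dict and convert UtcTime to a datetime."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_driver_load(ev: dict) -> list:
    """Return the reasons (if any) a Driver Loaded event looks like BYOVD activity."""
    image = ev.get("ImageLoaded", "")
    reasons = []
    if basename(image).lower() in WATCHLIST_DRIVER_NAMES:
        reasons.append("driver name on vulnerable-driver watchlist")
    if image.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    return reasons


def detect(lines) -> list:
    """Run the driver-load checks and correlate hits with later protected-process kills."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["UtcTime"])
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != "6":
            continue
        reasons = check_driver_load(ev)
        if not reasons:
            continue
        deadline = ev["UtcTime"] + CORRELATION_WINDOW
        killed = [
            basename(e["Image"])
            for e in events[i + 1:]
            if e.get("EventID") == "5"
            and e["UtcTime"] <= deadline
            and basename(e["Image"]).lower() in PROTECTED_PROCESSES
        ]
        if killed:
            reasons.append("followed by termination of protected processes: " + ", ".join(killed))
        findings.append(Finding(ev["UtcTime"], ev["ImageLoaded"], reasons))
    return findings


# Constructed sample telemetry: one benign driver load, one watchlisted driver dropped to a
# user-writable path, then two agent processes terminated seconds later.
SAMPLE_LOG = """
EventID=6 UtcTime="2026-02-10 09:14:58.000" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=6 UtcTime="2026-02-10 09:15:02.101" ImageLoaded="C:\\Users\\Public\\NSecKrnl.sys" Signed=true Signature="NsecSoft" SignatureStatus=Valid
EventID=5 UtcTime="2026-02-10 09:15:03.450" ProcessId=4120 Image="C:\\Program Files\\EDR\\edr_agent.exe"
EventID=5 UtcTime="2026-02-10 09:15:03.612" ProcessId=5008 Image="C:\\Program Files\\AV\\av_service.exe"
EventID=5 UtcTime="2026-02-10 09:15:10.000" ProcessId=7788 Image="C:\\Windows\\System32\\notepad.exe"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.time:%Y-%m-%d %H:%M:%S} {f.driver}")
        for r in f.reasons:
            print("   -", r)
```

The point of the correlation step is that a valid signature on the driver (which BYOVD relies on) is not by itself a reason to trust the load: the combination of an out-of-place load path and agent processes dying right afterwards is what separates this from routine driver activity. On the prevention side, Microsoft's vulnerable driver blocklist (enforced through HVCI or a WDAC policy) blocks many of the drivers on such watchlists before they load at all.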

Combining defense evasion and ransomware functionality into one component makes attacks harder for defenders to thwart, and it also removes the need for affiliates to add this step to their own tooling separately.

Symantec and Carbon Black said: “A notable aspect of this attack campaign is the presence of a suspicious sideloading loader on the target network several weeks before the ransomware was deployed.”

Another tool deployed to the target network the day after the ransomware deployment was the GotoHTTP remote access program, indicating that the attackers may be attempting to maintain persistent access to the compromised hosts.

“BYOVD is popular with attackers due to its effectiveness and reliance on legitimately signed files, which are less likely to raise red flags,” the company said.

“The benefits of wrapping defense evasion functionality into a ransomware payload and the reasons why ransomware attackers do this may include the fact that packaging defense evasion binaries and ransomware payloads together is ‘quieter’ without dropping separate external files onto the victim’s network.”

This discovery is consistent with various ransomware-related developments in recent weeks.

A large-scale phishing campaign used an email with a Windows shortcut (LNK) attachment to execute PowerShell code that retrieved the Phorpiex dropper, which was then used to deliver the GLOBAL GROUP ransomware. This ransomware is notable for performing all activities locally on the compromised system, making it compatible with air-gapped environments, and it does not leak data.

Attacks launched by WantToCry exploit virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host malicious payloads and deliver them at scale. Some of the hostnames have been identified within the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as in various malware campaigns involving NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer. Bulletproof hosting providers have been credited with leasing ISPsystem virtual machines to other criminals for use in ransomware operations and malware distribution, exploiting a design weakness in VMmanager’s default Windows templates, which reuse the same static hostname and system identifier each time a template is deployed. This allows an attacker to set up thousands of VMs with the same hostname, complicating takedown efforts.

As part of the continued professionalization of ransomware operations, DragonForce has created an “Enterprise Data Audit” service to support affiliates during extortion campaigns. “The audit will include a detailed risk report, prepared communication materials such as call scripts and executive-level letters, and strategic guidance aimed at influencing negotiations,” Level Blue said. DragonForce operates as a cartel that allows affiliates to create their own brands while operating under its umbrella and accessing its resources and services.

LockBit’s latest version, LockBit 5.0, uses ChaCha20 to encrypt files and data across Windows, Linux, and ESXi environments. This is a transition from the AES-based encryption approach of LockBit 2.0 and LockBit 3.0. In addition, the new version features a wiper component, an option to delay pre-encryption execution, tracking of encryption status using a progress bar, improved anti-analysis techniques to avoid detection, and enhanced in-memory execution to minimize disk traces.

The Interlock ransomware group continues to attack UK- and US-based organizations, particularly in the education sector, and in one case leveraged a zero-day vulnerability (CVE-2025-61155, CVSS score: 5.5) in the gaming anti-cheat driver GameDriverx64.sys to disable security tools in a BYOVD attack. The attack also featured the deployment of the NodeSnake/Interlock RAT (also known as CORNFLAKE) to steal sensitive data, with initial access said to have come from a MintLoader infection.

Ransomware operators are increasingly observed shifting their focus from traditional on-premises targets to misconfigured S3 buckets in cloud storage services, particularly Amazon Web Services (AWS), with attacks taking advantage of native cloud capabilities to delete or overwrite data, suspend access, and extract sensitive content while remaining unnoticed.

According to Cyble data, GLOBAL GROUP is one of many ransomware teams to emerge in 2025; others include Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. According to ReliaQuest, in the fourth quarter of 2025 alone, the number of Sinobi data leak site listings increased by 306%, making it the third most active ransomware group after Qilin and Akira.

“Meanwhile, the return of LockBit 5.0 was one of the biggest changes in the fourth quarter, brought on by a late-quarter surge when the group listed 110 organizations in December alone,” said researcher Gowtham Ashok. “This output demonstrates a group that can quickly scale execution, convert intrusions into impact, and maintain an affiliate pipeline that can operate at high volume.”

The emergence of new players, combined with partnerships forged between existing groups, has led to a surge in ransomware activity. Ransomware attackers claimed a total of 4,737 attacks in 2025, up from 4,701 in 2024. The number of attacks that do not involve encryption and rely purely on data theft as a means of exerting pressure reached 6,182 attacks over the same period, an increase of 23% from 2024.

As for the average ransom payment, that amount was $591,988 in Q4 2025, a 57% increase from Q3 2025 due to a small number of “outsized settlements,” Coveware said in its quarterly report last week, adding that attackers may return to their “roots in data encryption” in search of more effective leverage to extract ransom money from victims.
