Cybersecurity researchers have disclosed a new ransomware family, dubbed Reynolds, that builds a potent defense evasion technique directly into its payload: a bring your own vulnerable driver (BYOVD) component that lets the ransomware disable security software and run undetected. The development marks a notable evolution in ransomware tradecraft and poses new challenges for defenders.
Reynolds ships a vulnerable NsecSoft NSecKrnl driver that researchers have identified as affected by a known flaw (CVE-2025-68947). Once loaded, the driver is abused to terminate, from kernel mode, processes belonging to a wide range of endpoint security products, including those from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos, and Symantec Endpoint Protection. Embedding this capability streamlines the attack, since operators no longer need to drop a separate tool to disable defenses before encryption begins.
Reynolds Ransomware Integrates BYOVD for Enhanced Evasion
Integrating the BYOVD component directly into the ransomware payload is the defining characteristic of the Reynolds campaign. In a typical BYOVD attack, a distinct tool is deployed to load and exploit the flawed driver before the ransomware itself is unleashed. Reynolds drops that separation and consolidates defense evasion and encryption into a single package. Beyond efficiency, the consolidation leaves fewer artifacts for security analysts to detect and intercept: there is no stand-alone killer tool to catch on disk before the encryptor runs.
This integrated approach, while novel in its direct bundling by Reynolds, is not entirely unprecedented. Broadcom’s cybersecurity teams noted similar tactics in past attacks, including an incident involving the Ryuk ransomware in 2020 and a lesser-known family called Obscura in late August 2025. These instances suggest a growing trend among ransomware actors to consolidate attack techniques for maximum impact and stealth.
The NsecKrnl driver exploited by Reynolds has a history of abuse in such attacks. The threat actor Silver Fox, for instance, has previously leveraged the same driver to disable endpoint security tools before deploying the ValleyRAT malware. The vulnerability (CVE-2025-68947) carries a CVSS score of 5.7. The moderate rating largely reflects that loading a kernel driver already requires administrative privileges; a ransomware operator at the deployment stage typically holds those privileges, so in practice the flaw is readily exploitable for terminating arbitrary processes and dismantling security controls.
The group behind Reynolds has previously demonstrated proficiency with legitimate but flawed drivers in BYOVD attacks. Over the past year it has used drivers such as truesight.sys and amsdk.sys to disarm security programs. The current campaign, by packaging the BYOVD capability with the ransomware, presents a "quieter" and more efficient attack vector, as it avoids dropping a separate file onto the victim's network solely for defense evasion.
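The attack pattern described above leaves a telemetry signature that does not depend on catching the specific driver hash: a kernel driver loads from an unusual location or matches a known-abused name, and within seconds a cluster of security-vendor processes terminates. The following is an added detection example written for this page, not code from the researchers or the ransomware. It parses constructed Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) lines and correlates them. The driver file names (NSecKrnl.sys, truesight.sys, amsdk.sys, GameDriverx64.sys) are assumed from the driver names given on this page, the log line format and the security product paths are constructed for illustration, and a production rule should match drivers by hash and signer against a feed such as LOLDrivers rather than by file name alone.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver file names assumed from the drivers named on the page as BYOVD vehicles.
# File-name matching is a weak signal on its own; match hash/signer in production.
WATCHLIST_DRIVERS = {"nseckrnl.sys", "truesight.sys", "amsdk.sys", "gamedriverx64.sys"}

# Vendor path fragments for the security products the page says Reynolds targets.
SECURITY_VENDOR_HINTS = ("crowdstrike", "cortex", "sophos", "symantec", "avast")

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed, simplified log format: "<ISO timestamp> EventID=<n> Image=\"<path>\""
LINE_RE = re.compile(r'^(?P<ts>\S+) EventID=(?P<eid>\d+) Image="(?P<image>[^"]+)"')


@dataclass
class Event:
    ts: datetime
    event_id: int
    image: str


def parse(lines):
    """Parse the constructed log lines; silently skip anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), int(m["eid"]), m["image"]))
    return events


def driver_is_suspicious(image):
    """Return the list of reasons a driver load looks like BYOVD (empty means benign)."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in WATCHLIST_DRIVERS:
        reasons.append(f"known-abused driver {name}")
    if not low.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def is_security_process(image):
    return any(hint in image.lower() for hint in SECURITY_VENDOR_HINTS)


def detect_byovd(events, window_seconds=120, min_kills=2):
    """Alert when a suspicious driver load is followed, within the window,
    by at least min_kills terminations of security-vendor processes."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(events):
        if ev.event_id != 6:
            continue
        reasons = driver_is_suspicious(ev.image)
        if not reasons:
            continue
        deadline = ev.ts + timedelta(seconds=window_seconds)
        kills = [e.image for e in events[i + 1:]
                 if e.ts <= deadline and e.event_id == 5 and is_security_process(e.image)]
        if len(kills) >= min_kills:
            alerts.append({"at": ev.ts.isoformat(), "driver": ev.image,
                           "reasons": reasons, "terminated": kills})
    return alerts


# Constructed sample telemetry: one benign driver, one watchlisted driver in the trusted
# directory with no follow-on kills, and one BYOVD sequence from a user-writable path.
SAMPLE_LOG = r"""
2025-11-03T09:00:00 EventID=6 Image="C:\Windows\System32\drivers\truesight.sys"
2025-11-03T10:14:50 EventID=6 Image="C:\Windows\System32\drivers\tcpip.sys"
2025-11-03T10:15:02 EventID=6 Image="C:\Users\Public\NSecKrnl.sys"
2025-11-03T10:15:05 EventID=5 Image="C:\Program Files\CrowdStrike\sensor.exe"
2025-11-03T10:15:06 EventID=5 Image="C:\Program Files\Sophos\Endpoint Agent\agent.exe"
2025-11-03T10:15:07 EventID=5 Image="C:\Windows\notepad.exe"
2025-11-03T10:40:00 EventID=5 Image="C:\Program Files\Avast\avast.exe"
"""


def run_sample():
    return detect_byovd(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The truesight.sys load in the sample is flagged by name but does not alert on its own, because no security processes die afterward; the NSecKrnl.sys load alerts on both the path and the burst of terminations that follows. Tune the window and the kill threshold to the environment, and treat the watchlist as a starting point to be replaced by hash-based matching.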
Further investigation into the Reynolds campaign revealed a suspicious side-loaded loader on the target network several weeks before the ransomware was deployed. The GotoHTTP remote access program was then installed on the compromised network a day after the ransomware ran. Together these findings suggest the attackers intended to retain persistent access to the compromised hosts beyond the encryption event, whether for follow-on activity or simply prolonged access.
Broader Trends in Ransomware Activity
The emergence of Reynolds ransomware aligns with a broader surge in ransomware activity and evolving tactics observed across the threat landscape. Several recent developments highlight significant shifts and innovations:
Key Ransomware Developments in Recent Weeks:
Recent weeks have seen a wave of diverse ransomware-related activities, indicating an increasingly dynamic and aggressive threat environment. High-volume phishing campaigns, such as those using Windows shortcut (LNK) attachments to deploy Phorpiex droppers responsible for delivering the GLOBAL GROUP ransomware, demonstrate the continued reliance on social engineering. The GLOBAL GROUP ransomware is particularly noteworthy for its ability to operate locally on compromised systems, making it effective even in air-gapped environments and without exfiltrating data.
The WantToCry group has been observed abusing virtual machines (VMs) provisioned through ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. Hostnames identified within this infrastructure have been linked to multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as campaigns involving NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer. Bulletproof hosting providers are believed to be leasing these ISPsystem VMs to other criminal actors, exploiting a design weakness in VMmanager's default Windows templates that reuse static hostnames and system identifiers. Because thousands of VMs can share identical identifiers, defenders cannot rely on hostname or machine identifier to isolate a single malicious host, which complicates takedown efforts.
Professionalization within ransomware operations is also on the rise. The DragonForce group has introduced a “Company Data Audit” service to assist affiliates during extortion campaigns. This service includes detailed risk reports, communication materials, and strategic negotiation guidance. DragonForce operates as a cartel, allowing affiliates to brand their operations under its umbrella while accessing its resources.
The latest iteration of LockBit, LockBit 5.0, has adopted ChaCha20 encryption for Windows, Linux, and ESXi environments, a departure from its previous AES-based encryption. This new version also includes a wiper component, delayed execution options, an encryption progress bar, enhanced anti-analysis techniques, and improved in-memory execution. The Interlock ransomware group continues its attacks on UK and US organizations, especially in the education sector, leveraging a zero-day vulnerability in the “GameDriverx64.sys” gaming anti-cheat driver (CVE-2025-61155) for BYOVD attacks. These attacks involve deploying the NodeSnake/Interlock RAT (aka CORNFLAKE) for data theft, with initial access often originating from a MintLoader infection.
Ransomware operators are increasingly shifting their focus from traditional on-premises targets to cloud storage services, particularly misconfigured Amazon Web Services (AWS) S3 buckets. Attacks in this domain leverage native cloud features to delete, overwrite, or extract data while remaining undetected; because the activity is performed through legitimate API calls, controls such as S3 Versioning, Object Lock, and alerting on bulk delete or copy operations in CloudTrail matter more than any signature-based defense.
Ransomware Landscape in 2025 and Beyond
The year 2025 has seen the emergence of new ransomware groups, including GLOBAL GROUP, Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen, according to data from Cyble. Sinobi demonstrated significant growth in Q4 2025, with a 306% increase in data leak site listings, making it the third-most active group. The return of LockBit 5.0 was a major development in Q4, with the group listing 110 organizations in December alone, indicating a capability for rapid scaling and sustained affiliate operations.
The combination of new entrants and partnerships among existing groups has contributed to a rise in ransomware attacks. In 2025, ransomware operators claimed a total of 4,737 attacks, a slight increase from 4,701 in 2024. Attacks focusing solely on data theft without encryption reached 6,182, a 23% increase over the previous year. The average ransom payment in Q4 2025 stood at $591,988, a 57% jump from Q3 2025, driven by a small number of very large demands. That trend may prompt threat actors to return to data encryption for stronger leverage.
The ongoing evolution of ransomware, exemplified by the Reynolds family’s integrated BYOVD approach, underscores the persistent need for robust cybersecurity measures. Continued vigilance, proactive threat hunting, and the adoption of advanced defense strategies will be crucial in mitigating the impact of these increasingly sophisticated attacks in the coming months.