Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
Summary
Hide ▲
Show ▼
The Reynolds ransomware family now matters because it bundles a vulnerable NsecSoft NSecKrnl driver inside the payload to disable EDR and terminate security processes during attacks. The driver is tied to CVE-2025-68947, which can be used to kill arbitrary processes, making the malware harder to detect and stop. Researchers said the driver is delivered as part of the ransomware itself rather than as a separate pre-positioning tool.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Avalon modular malware framework with CrownX ransomware
Malware Activity
H score33
First: 03.07.2026 21:55
Last: 03.07.2026 21:55
Sources 1
About this happening:
The **Avalon** malware framework was uncovered after a **multi-stage phishing chain** that can bypass traditional security controls and deliver **credential theft** plus **ransomw...
Avalon modular malware framework with CrownX ransomware
Malware ActivityAbout this happening: The **Avalon** malware framework was uncovered after a **multi-stage phishing chain** that can bypass traditional security controls and deliver **credential theft** plus **ransomw...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityAbout this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
Timeline
-
10.02.2026 16:36 2 articles · 4mo ago
Reynolds ransomware bundles a vulnerable driver
Initial DisclosureReynolds ransomware bundles a vulnerable NsecSoft NSecKrnl driver inside the payload to carry out BYOVD defense evasion, disable Endpoint Detection and Response (EDR), and terminate security processes on affected systems. The driver is linked to CVE-2025-68947, CVSS score: 5.7, and the targeting described includes Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection.
Show sources
- Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
- Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36