
Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
Happening score: 24
1 unique source, 1 article

Summary


The Reynolds ransomware family is notable because it bundles a vulnerable NsecSoft NSecKrnl driver inside the ransomware payload and loads it to disable EDR and terminate security processes during the attack (bring your own vulnerable driver, BYOVD). The driver is tied to CVE-2025-68947, a flaw that lets a caller terminate arbitrary processes from kernel context, which makes the malware harder to detect and stop. Researchers said the driver ships as part of the ransomware itself rather than being staged beforehand by a separate EDR-killer tool.
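Because a BYOVD driver carries a valid vendor signature, "is the driver signed?" is not a useful detection on its own. The added example below (not code from the source report) runs a simple hunt over Sysmon Event ID 6 (DriverLoad) records and flags loads that match a watchlist, come from a user-writable path, or fail signature validation. The records are constructed, and the file name `nseckrnl.sys` and the signer string `NsecSoft` are assumptions for illustration, not indicators published in the report.

```python
"""Hunt Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads.

Added example, not from the source article. Sample records are constructed;
the NSecKrnl file name and signer string are assumed, not reported indicators.
"""
from typing import Dict, List, Tuple

# Directories where legitimately installed kernel drivers normally live.
TRUSTED_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Substrings matched against image path and signer. The NSecKrnl / NsecSoft
# entries follow the Reynolds reporting; their exact spelling in the
# signature field is an assumption.
WATCHLIST = ("nseckrnl", "nsecsoft")


def driver_load_reasons(event: Dict[str, str]) -> List[str]:
    """Return the reasons a DriverLoad event looks like BYOVD (empty if none).

    Sysmon ID 6 fields used: ImageLoaded, Signature, SignatureStatus.
    A valid third-party signature alone does NOT clear the driver: vulnerable
    drivers abused for BYOVD are, by design, validly signed by their vendor.
    """
    image = event.get("ImageLoaded", "").lower()
    signer = event.get("Signature", "").lower()
    status = event.get("SignatureStatus", "").lower()
    reasons: List[str] = []

    if any(term in image or term in signer for term in WATCHLIST):
        reasons.append("watchlisted vulnerable driver")
    if not image.startswith(TRUSTED_DIRS):
        # A driver dropped next to the ransomware payload (temp, Public, etc.)
        reasons.append("loaded from non-standard path")
    if status != "valid":
        reasons.append(f"signature status {status or 'unknown'}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ImageLoaded, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = driver_load_reasons(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample records (shape of Sysmon Event ID 6 data fields).
SAMPLE_EVENTS = [
    {  # benign Microsoft driver
        "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {  # legitimately installed third-party driver: validly signed, standard path
        "ImageLoaded": r"C:\Windows\System32\drivers\npcap.sys",
        "Signature": "Nmap Software LLC",
        "SignatureStatus": "Valid",
    },
    {  # BYOVD pattern: vendor-signed vulnerable driver dropped by the payload
        "ImageLoaded": r"C:\Users\Public\nseckrnl.sys",  # file name assumed
        "Signature": "NsecSoft",                        # signer string assumed
        "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Note the caveat the second sample record illustrates: a vulnerable driver that an attacker installs into `System32\drivers` with its genuine signature passes both the path and the signature checks. Hashes compared against Microsoft's vulnerable driver blocklist (or a community list such as LOLDrivers) and enabling the HVCI-enforced blocklist on endpoints are what catch that case; path and signer heuristics only cover the sloppier deployments.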

Related Happenings

2025 Automotive carmakers ransomware surge

Target Trend
First: 16.04.2026 11:35 Last: 16.04.2026 11:35 Sources 1

About this happening: In **2025**, ransomware became the **fastest-growing** and most disruptive threat to **automotive carmakers**, accounting for **44% of attacks** and **more than doubling** over th...

Halcyon automotive ransomware mitigation guidance

Advisory/Mitigation
First: 16.04.2026 11:35 Last: 16.04.2026 11:35 Sources 1

About this happening: **Halcyon** urged **automotive sector IT teams** to harden their environments against a **ransomware threat** that is pressuring carmakers and their suppliers. The guidance priori...

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Beast ransomware group’s RaaS model and shared TTPs exposed through an open server

Threat Actor Meta
First: 20.03.2026 18:31 Last: 20.03.2026 18:31 Sources 1

About this happening: An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

Timeline

  1. 10.02.2026 16:36 · 2 articles

    Reynolds ransomware bundles a vulnerable driver

    Initial Disclosure

    Reynolds ransomware bundles a vulnerable NsecSoft NSecKrnl driver inside its payload and loads it for BYOVD defense evasion: disabling Endpoint Detection and Response (EDR) and terminating security processes on affected systems. The driver is linked to CVE-2025-68947 (CVSS 5.7). The security products reported as targeted are Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos together with HitmanPro.Alert, and Symantec Endpoint Protection.
