Reynolds Ransomware Integrates BYOVD Driver for EDR Evasion
Summary
A new ransomware family, Reynolds, has been discovered with a built-in Bring Your Own Vulnerable Driver (BYOVD) component designed to disable Endpoint Detection and Response (EDR) security tools. The ransomware embeds the NsecSoft NSecKrnl driver, which is vulnerable to a known flaw (CVE-2025-68947), to terminate processes associated with various security programs. This integration allows the ransomware to evade detection and maintain persistence on compromised systems. The Reynolds ransomware campaign also involved the deployment of a suspicious side-loaded loader and the GotoHTTP remote access program, indicating a sophisticated attack strategy.
Timeline
- 10.02.2026 16:36 · Reynolds Ransomware Integrates BYOVD Driver for EDR Evasion (1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
Information Snippets
- Reynolds ransomware embeds the NsecSoft NSecKrnl driver to disable EDR tools.
  First reported: 10.02.2026 16:36 (1 source, 1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
- The NSecKrnl driver is vulnerable to CVE-2025-68947, which allows arbitrary process termination.
  First reported: 10.02.2026 16:36 (1 source, 1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
- The ransomware targets security programs from Avast, CrowdStrike, Palo Alto Networks, Sophos, and Symantec.
  First reported: 10.02.2026 16:36 (1 source, 1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
- The attack campaign included a side-loaded loader and the GotoHTTP remote access program.
  First reported: 10.02.2026 16:36 (1 source, 1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36
- BYOVD techniques are popular among attackers because they are effective and rely on legitimate, signed files.
  First reported: 10.02.2026 16:36 (1 source, 1 article)
  Source: Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools — thehackernews.com — 10.02.2026 16:36