Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools
These articles are AI-generated summaries. Please check the original sources for full details.
The Reynolds ransomware has been found to embed a built-in Bring Your Own Vulnerable Driver (BYOVD) component that lets it evade Endpoint Detection and Response (EDR) solutions: the vulnerable NsecSoft NSecKrnl driver is exploited to terminate processes belonging to various security programs. The same tactic has been observed in other ransomware attacks, including Ryuk and Obscura, and is a significant development in the ongoing cat-and-mouse game between ransomware actors and cybersecurity professionals.
Why This Matters
The use of BYOVD by Reynolds ransomware highlights that legitimate but flawed drivers can be exploited to disable security software, making it harder for defenders to stop the attack. The approach is effective because it relies on signed files, which are less likely to raise red flags, and because it can be used to evade detection by EDR solutions. The cost of such attacks can be significant: the average ransom payment stood at $591,988 in Q4 2025, a 57% jump from Q3 2025.
Key Insights
- The Reynolds ransomware embeds a vulnerable driver (BYOVD) to kill EDR defenses; the driver flaw is tracked as CVE-2025-68947 with a CVSS score of 5.7.
- The use of BYOVD is a popular tactic among ransomware actors due to its effectiveness and reliance on legitimate, signed files.
- Packaging the defense evasion capability with the ransomware payload makes it harder for defenders to stop the attack, because no separate external file needs to be dropped on the victim network.
Practical Applications
- Use Case: The Reynolds ransomware campaign demonstrates the use of BYOVD to disable EDR security tools, allowing the attackers to maintain persistence on the compromised hosts.
- Pitfall: Legitimate but flawed drivers can be abused by ransomware actors to evade detection, which highlights the need for continuous monitoring of driver loads and for keeping security software and driver blocklists up to date.
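As an added defensive example (not from the original article or the researchers who analyzed Reynolds), the check below scans driver-load telemetry for the signs a BYOVD payload leaves behind: a known-vulnerable driver name (NSecKrnl from the article), a driver loaded from outside the system drivers directory, or an unsigned driver. The log format is a constructed key=value flattening of Sysmon Event ID 6 (Driver loaded); the paths and hash values are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed records in a flattened Sysmon Event ID 6 (Driver loaded) layout.
# Only the NSecKrnl driver name comes from the article; everything else is a placeholder.
SAMPLE_EVENTS = """\
ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows Hashes=SHA256=PLACEHOLDER_A
ImageLoaded=C:\\Users\\Public\\NSecKrnl.sys Signed=true Signature=NsecSoft LLC Hashes=SHA256=PLACEHOLDER_B
ImageLoaded=C:\\Windows\\Temp\\drv.sys Signed=false Signature=- Hashes=SHA256=PLACEHOLDER_C
"""

# Known-vulnerable driver file names (lowercase). In production, feed this from the
# Microsoft vulnerable driver blocklist or a vendor feed rather than a hard-coded set.
VULNERABLE_DRIVER_NAMES = {"nseckrnl.sys"}
TRUSTED_DIR = r"c:\windows\system32\drivers"

@dataclass
class Finding:
    image: str
    reasons: list

# key=value pairs; a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def assess(event):
    """Return a Finding whose reasons list is empty when the load looks benign."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name")
    if not image.lower().startswith(TRUSTED_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return Finding(image, reasons)

def find_suspicious_driver_loads(text):
    """Scan a block of event lines and return only the loads that need review."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = assess(parse_event(line))
        if finding.reasons:
            findings.append(finding)
    return findings
```

A signed vendor driver sitting in a user-writable directory is exactly the pattern a BYOVD deployment produces, so the path check matters even when the signature is valid.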