New Ransomware Innovation
A newly discovered ransomware strain dubbed Reynolds is raising alarms across the security community for its novel approach to defense evasion. Unlike previous BYOVD (Bring Your Own Vulnerable Driver) attacks that dropped a separate tool, Reynolds packages the vulnerable driver and ransomware payload together in a single binary — making attacks quieter and faster.
How It Works
| Stage | Description |
|---|---|
| Delivery | Standard initial access via phishing or exploited VPN |
| Driver Load | Loads the embedded vulnerable NsecSoft NsecKrnl driver (CVE-2025-68947) |
| EDR Kill | Uses the kernel-level driver to terminate security processes |
| Encryption | Encrypts files after defenses are disabled |
Targeted EDR Products
The Reynolds payload targets and kills processes from:
- CrowdStrike Falcon
- Sophos Intercept X
- Microsoft Defender for Endpoint
- Symantec Endpoint Protection
- ESET NOD32
- Avast/AVG
Why This Matters
Previous BYOVD techniques required attackers to deploy a separate driver-loading tool before executing the ransomware — a two-stage process that gave defenders more detection opportunities. Reynolds eliminates this gap by combining both stages into a single payload, significantly reducing the window for detection.
The bundled approach means:
- Fewer artifacts on disk for EDR to catch
- Shorter dwell time between driver load and encryption
- Single execution rather than multi-stage deployment
Defensive Recommendations
- Implement driver blocklist policies via Windows Defender Application Control (WDAC) or Microsoft's recommended driver block rules
- Monitor for loading of vulnerable drivers, and block the NsecKrnl driver hash at the kernel level
- Enable tamper protection on all endpoint security products
- Deploy application whitelisting to prevent unauthorized executables from running
- Maintain offline backups and regularly test that they can be restored
Indicators of Compromise
Security teams should monitor for:
- NsecKrnl driver load events (Sysmon Event ID 6, DriverLoad)
- Rapid termination of multiple security service processes
- Service Control Manager events showing EDR services stopping unexpectedly
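The detection logic described in the recommendations and indicators above, as an added example that is not part of the original report: it checks Sysmon-style driver load events (ID 6) against a driver blocklist and raises a higher-severity alert when several EDR processes terminate (ID 5) shortly after such a load. The driver file name `NsecKrnl.sys`, the hash placeholder, the process watchlist and the log records are all assumptions constructed for this example.

```python
"""Correlate Sysmon-style events for BYOVD-driven EDR killing (added example)."""
from datetime import datetime, timedelta

# Assumed driver file name; the hash is a placeholder, not a real indicator.
BLOCKED_DRIVERS = {"nseckrnl.sys": "<SHA256-of-vulnerable-NsecKrnl-driver>"}
# Illustrative service process names for some of the products listed above.
EDR_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "ekrn.exe", "sophoshealth.exe"}
WINDOW = timedelta(seconds=60)   # EDR kills must follow the driver load within this window
MIN_KILLS = 2                    # "rapid termination of multiple security processes"

# Constructed records: "<ISO time>|<Sysmon event id>|<image path>|<sha256 or ->"
# Sysmon ID 6 = DriverLoad, ID 5 = ProcessTerminate.
SAMPLE_LOG = r"""
2025-01-01T10:00:00|6|C:\Windows\Temp\NsecKrnl.sys|<SHA256-of-vulnerable-NsecKrnl-driver>
2025-01-01T10:00:04|5|C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|-
2025-01-01T10:00:06|5|C:\Program Files\CrowdStrike\CSFalconService.exe|-
2025-01-01T10:00:07|5|C:\Program Files\ESET\ESET Security\ekrn.exe|-
2025-01-01T10:30:00|6|C:\Windows\System32\drivers\tcpip.sys|-
2025-01-01T10:31:00|5|C:\Windows\notepad.exe|-
""".strip().splitlines()

def parse(line):
    ts, eid, image, sha = line.split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "name": image.rsplit("\\", 1)[-1].lower(), "path": image, "sha256": sha}

def is_blocked_driver(ev):
    # Match on file name or hash so a renamed copy of the driver is still caught
    return ev["name"] in BLOCKED_DRIVERS or ev["sha256"] in BLOCKED_DRIVERS.values()

def detect(lines):
    """Return one 'high' alert per blocked-driver load, plus a 'critical' alert
    when at least MIN_KILLS EDR processes terminate within WINDOW after it."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    kills = [e for e in events if e["id"] == 5 and e["name"] in EDR_PROCESSES]
    alerts = []
    for ld in (e for e in events if e["id"] == 6 and is_blocked_driver(e)):
        alerts.append({"severity": "high", "rule": "blocked_driver_loaded", "driver": ld["path"]})
        killed = [k["name"] for k in kills if ld["time"] <= k["time"] <= ld["time"] + WINDOW]
        if len(killed) >= MIN_KILLS:
            alerts.append({"severity": "critical", "rule": "byovd_edr_kill",
                           "driver": ld["path"], "killed": killed})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```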
Reynolds represents an evolution in ransomware tactics. Organizations relying solely on EDR for protection should implement defense-in-depth strategies including driver blocklists and application control policies.