PROBABLYPWNED
Malware · February 12, 2026 · 4 min read

Reynolds Ransomware Bundles EDR-Killing Driver Into Payload

New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.

James Rivera

A new ransomware family called Reynolds ships with a built-in EDR killer. Unlike previous campaigns where attackers deployed Bring Your Own Vulnerable Driver (BYOVD) tools as separate components, Reynolds bundles the vulnerable driver directly into its ransomware payload—making attacks quieter and harder to detect.

Broadcom's security researchers initially mistook the campaign for Black Basta activity due to overlapping tactics, but analysis confirmed Reynolds as a distinct ransomware family with its own payload and infrastructure.

How Reynolds Kills Your EDR

Reynolds exploits CVE-2025-68947, a flaw in the NsecSoft NSecKrnl driver that allows termination of arbitrary processes. The driver is legitimate software signed with valid certificates—Windows loads it without complaint. Once running in kernel mode, Reynolds uses the driver to systematically kill security products.

The targeted security tools include:

  • Avast
  • CrowdStrike Falcon
  • Palo Alto Networks Cortex XDR
  • Sophos and HitmanPro.Alert
  • Symantec Endpoint Protection

The NSecKrnl driver isn't new to threat actors. Silver Fox APT previously exploited it to disable endpoint protection before deploying ValleyRAT in campaigns against Asian targets. What's new is embedding the driver directly inside ransomware, eliminating the need for a separate tool that defenders might catch during the pre-encryption phase.

Why Bundling Matters

Traditional BYOVD attacks follow a predictable pattern: initial access, reconnaissance, then deployment of an EDR-killing tool followed by ransomware. Security teams sometimes catch the driver-based attack before encryption starts, giving them a window to respond.

Reynolds collapses that timeline. The ransomware arrives with defense evasion built in. By the time the malicious driver loads and starts killing processes, encryption is seconds away. There's no gap between "EDR disabled" and "files encrypted"—they happen as a single coordinated attack.

Security researchers warn this approach could become standard. If one ransomware group succeeds by embedding BYOVD capabilities, competitors will follow. The technique reduces operational complexity for attackers while shrinking the response window for defenders.

Attack Chain Observations

The Security.com analysis documented the full attack sequence. Weeks before Reynolds executed, attackers deployed a suspicious side-loaded loader on victim systems—establishing persistence and reconnaissance capabilities. The loader likely gathered information about installed security products to ensure Reynolds would target the right processes.

Post-encryption, the attackers deployed GotoHTTP, a remote access tool, for persistent access. This suggests Reynolds operators aren't purely opportunistic; they're establishing long-term footholds in victim networks for potential follow-up attacks or data exfiltration.

Detection and Prevention

Blocking vulnerable drivers is the most direct mitigation. Microsoft's vulnerable driver blocklist can prevent known-bad drivers from loading, though it requires configuration and doesn't cover every exploitable driver. Organizations running Windows 11 22H2 or later with memory integrity enabled get some protection, as Hypervisor-Protected Code Integrity (HVCI) blocks many unsigned and known-vulnerable drivers.

For EDR solutions, vendors are racing to add tamper protection that survives kernel-level attacks. CrowdStrike and Palo Alto have both released updates addressing BYOVD-based termination attempts, but these require the latest agent versions.

The fundamental challenge remains: Windows trusts signed drivers, and the NSecKrnl driver has valid signatures. Until Microsoft expands its vulnerable driver blocklist or vendors implement hardware-backed tamper protection, BYOVD attacks will remain viable.

What Defenders Should Do

  1. Enable memory integrity on Windows 11 systems where compatible
  2. Deploy Microsoft's vulnerable driver blocklist via Windows Defender Application Control
  3. Update EDR agents to the latest versions with anti-tampering improvements
  4. Monitor for driver loading events in security logs—new drivers loading outside maintenance windows are suspicious
  5. Review incident response playbooks for scenarios where EDR fails silently
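The following PowerShell script is an added example, not code from the article or from any vendor: it checks items 1, 2 and 4 above on a single Windows host (memory integrity and WDAC state via the Win32_DeviceGuard class, the vulnerable driver blocklist toggle, and recent kernel driver service installs from System log event 7045). The 22:00 to 04:00 change window and the `nsec` name match are assumptions; run it from an elevated session.

```powershell
# Added example (not from the article): audit one Windows host for the
# controls in items 1, 2 and 4 above. Run from an elevated PowerShell session.
param(
    [int]$Days = 7,
    [int]$WindowStartHour = 22,   # assumed change window: 22:00 to 04:00 (not from the article)
    [int]$WindowEndHour   = 4
)

# 1. Memory integrity (HVCI) and WDAC state. Win32_DeviceGuard.SecurityServicesRunning
#    contains 2 when HVCI is active; CodeIntegrityPolicyEnforcementStatus 0=off 1=audit 2=enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# 2. The Microsoft vulnerable driver blocklist toggle is stored under CI\Config (1 = enabled).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
[PSCustomObject]@{
    HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
    WdacEnforcement     = $dg.CodeIntegrityPolicyEnforcementStatus
    VulnDriverBlocklist = $ci.VulnerableDriverBlocklistEnable   # $null when the value is absent
} | Format-List

# 4. Kernel-mode driver services installed in the last $Days days (System log, event 7045).
#    EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
  ForEach-Object {
    $name = $_.Properties[0].Value
    # Normalise NT-style image paths (\??\C:\..., \SystemRoot\..., system32\drivers\...).
    $raw  = $_.Properties[1].Value -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $path = if ([IO.Path]::IsPathRooted($raw)) { $raw } else { Join-Path $env:SystemRoot $raw }
    $hour = $_.TimeCreated.Hour
    $wraps    = $WindowStartHour -gt $WindowEndHour   # change window crosses midnight
    $inWindow = if ($wraps) { $hour -ge $WindowStartHour -or $hour -lt $WindowEndHour } else { $hour -ge $WindowStartHour -and $hour -lt $WindowEndHour }
    $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $flags = @()
    if (-not $inWindow)                                      { $flags += 'outside-change-window' }
    if ($path -notlike "$env:SystemRoot\System32\drivers\*") { $flags += 'nonstandard-path' }
    if ($null -eq $sig)                                      { $flags += 'file-missing' }
    elseif ($sig.Status -ne 'Valid')                         { $flags += "signature-$($sig.Status)" }
    if ($name -match 'nsec')                                 { $flags += 'known-abused-name' }  # NSecKrnl (CVE-2025-68947)

    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Service = $name
        Path    = $path
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Flags   = $flags -join ','
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

A valid signature is expected for the driver the article describes, so treat the `Signer`, `Path` and `Time` columns together rather than relying on the signature check alone; where Sysmon is deployed, its event ID 6 (DriverLoad) gives the same information for drivers loaded without a service install.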

Reynolds demonstrates where ransomware is heading. The commoditization of EDR-killing techniques means even less sophisticated groups can now deploy defense-aware malware. Organizations that rely solely on endpoint detection need backup plans for when that detection fails. For a comprehensive overview of ransomware defense strategies, see our guide to ransomware protection.
