RESEARCHERS have identified Reynolds ransomware, which uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools before encryption. The campaign embeds a vulnerable NsecSoft driver inside its payload, dropping the NSecKrnl driver and creating a service to run it, then exploiting the driver’s flaw (CVE-2025-68947) to terminate security processes.
This enables the ransomware to kill protections from major defence tools such as Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET and Avast. Broadcom’s researchers initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed Reynolds as the payload.
The report notes that the NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability that allows a local, authenticated attacker to terminate processes owned by other users by issuing crafted IOCTL requests to the driver. In 2026, BYOVD remains a common defence-evasion tactic as ransomware groups increasingly embed capabilities directly in their payloads to reduce steps and speed up attacks, a trend highlighted in the analysis. According to the report published by Broadcom, embedding more capabilities into the ransomware payload may also help attract affiliates.
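The sequence described above (a kernel driver service is installed, then security-product processes die shortly afterwards) is what a detection should key on. The following is an added example, not code from the Broadcom report: it parses constructed, key=value-flattened Windows events (System log Event ID 7045 "service installed" and Sysmon Event ID 5 "process terminated"), flags kernel-driver installs whose service name is on a watchlist or whose image lives outside the System32\drivers directory, and raises a high-severity alert when a protected process is terminated within a short window after such an install. The driver watchlist, the protected-process list and the sample events are assumptions for illustration; in production, replace them with your own inventory and, for the drivers, the hashes from Microsoft's vulnerable driver blocklist.

```python
"""Flag BYOVD-style driver installs followed by security-tool terminations.

Added example (not the report's code). Events are constructed for this
demo: EventID 7045 = Windows System log 'service installed', EventID 5 =
Sysmon 'process terminated', each flattened to one key="value" line.
"""
import re
from datetime import datetime, timedelta

# Service name of the driver named on the page; extend with blocklist hashes
# in a real deployment (placeholder list, an assumption for this example).
DRIVER_WATCHLIST = {"nseckrnl"}

# Executable names of the security products the page lists as targets.
# These are assumed names for the example; verify against your own estate.
PROTECTED_IMAGES = {
    "msmpeng.exe",         # Microsoft Defender
    "csfalconservice.exe", # CrowdStrike
    "ekrn.exe",            # ESET
    "avastsvc.exe",        # Avast
    "ccsvchst.exe",        # Symantec
    "savservice.exe",      # Sophos
}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    r'2026-01-15T10:00:01 EventID="7045" ServiceName="NSecKrnl" ImagePath="C:\Users\Public\nseckrnl.sys" ServiceType="kernel mode driver"',
    r'2026-01-15T10:00:02 EventID="7045" ServiceName="ExampleNic" ImagePath="\SystemRoot\System32\drivers\examplenic.sys" ServiceType="kernel mode driver"',
    r'2026-01-15T10:00:05 EventID="5" Image="C:\Program Files\Windows Defender\MsMpEng.exe"',
    r'2026-01-15T10:00:07 EventID="5" Image="C:\Program Files\ESET\ESET Security\ekrn.exe"',
    r'2026-01-15T10:00:09 EventID="5" Image="C:\Windows\System32\notepad.exe"',
    r'2026-01-15T10:30:00 EventID="5" Image="C:\Program Files\Avast Software\Avast\AvastSvc.exe"',
]


def parse_event(line):
    """Split 'timestamp key="value" ...' into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def is_suspicious_driver_install(ev):
    """Kernel driver service whose name is watchlisted or whose image sits
    outside the normal drivers directory (e.g. a user-writable path)."""
    if ev.get("EventID") != "7045":
        return False
    if "kernel" not in ev.get("ServiceType", "").lower():
        return False
    path = ev.get("ImagePath", "").lower()
    name = ev.get("ServiceName", "").lower()
    outside_drivers_dir = "\\system32\\drivers\\" not in path
    return name in DRIVER_WATCHLIST or outside_drivers_dir


def is_protected_termination(ev):
    """Sysmon process-terminated event for a security-product binary."""
    if ev.get("EventID") != "5":
        return False
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image in PROTECTED_IMAGES


def detect_byovd(lines, window_seconds=120):
    """Return (severity, message) alerts; 'high' when a protected process
    dies within window_seconds of a suspicious kernel driver install."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    pending = []   # suspicious driver installs that may precede a kill
    alerts = []
    for ev in events:
        if is_suspicious_driver_install(ev):
            pending.append(ev)
            alerts.append(("medium",
                           f"kernel driver service '{ev['ServiceName']}' installed from {ev['ImagePath']}"))
        elif is_protected_termination(ev):
            for drv in pending:
                delta = ev["ts"] - drv["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append(("high",
                                   f"security process {ev['Image']} terminated "
                                   f"{int(delta.total_seconds())}s after driver "
                                   f"'{drv['ServiceName']}' was installed (BYOVD pattern)"))
                    break
    return alerts


if __name__ == "__main__":
    for severity, message in detect_byovd(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {message}")
```

The window-based correlation is deliberately loose: a single driver install from a user-writable path is worth a medium-severity ticket on its own, but the combination with process terminations of protected binaries within two minutes is the pattern the page describes and is what should page an analyst. The Avast termination half an hour later falls outside the window and is left for other rules to judge.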