Cybersecurity researchers have disclosed Reynolds, a new ransomware family that comes with a built-in bring your own vulnerable driver (BYOVD) component to evict security tools. The payload drops a vulnerable NsecSoft NSecKrnl driver and terminates processes tied to Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (and HitmanPro.Alert), and Symantec Endpoint Protection, among others.
The NSecKrnl driver is susceptible to a known flaw (CVE-2025-68947, CVSS 5.7) that could be exploited to terminate arbitrary processes, and the driver has previously been used by a threat actor known as Silver Fox in ValleyRAT campaigns. According to the Symantec and Carbon Black Threat Hunter Team, bundling the defense‑evading component with the ransomware payload is a departure from the usual approach of deploying a separate tool beforehand.
Broadly, the technique of mixing BYOVD with ransomware has been observed in past campaigns, but because Reynolds integrates the component within the ransomware payload itself, the attack is harder for defenders to stop.
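With no separate precursor tool to catch, one defender-side option is to correlate the load of the named driver with security-tool exits on the same host shortly afterward. The sketch below is an added example, not taken from the researchers' report; it assumes simplified Sysmon-style records (event IDs 11, 6 and 5), the file name `NSecKrnl.sys`, and illustrative process names and paths.

```python
from datetime import datetime, timedelta

# Assumption: file name inferred from the driver name given in the article.
WATCHED_DRIVERS = {"nseckrnl.sys"}
# Assumption: illustrative process names for the products the article lists.
SECURITY_PROCS = {"avastsvc.exe", "csfalconservice.exe", "cyserver.exe",
                  "sophosfilescanner.exe", "hmpalert.exe", "ccsvchst.exe"}
WINDOW = timedelta(minutes=5)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_byovd_chains(events, min_kills=2):
    """Alert when a watched driver load is followed by security-tool exits."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6 or basename(ev["ImageLoaded"]) not in WATCHED_DRIVERS:
            continue
        same_host = lambda e: e["host"] == ev["host"]
        # Event 11 (FileCreate) before the load names the process that dropped the driver.
        dropper = next((e["Image"] for e in reversed(events[:i])
                        if e["id"] == 11 and same_host(e)
                        and e["TargetFilename"].lower() == ev["ImageLoaded"].lower()), None)
        # Event 5 (ProcessTerminate) does not record the killer, so correlate by time.
        killed = sorted({basename(e["Image"]) for e in events[i + 1:]
                         if e["id"] == 5 and same_host(e)
                         and e["time"] - ev["time"] <= WINDOW
                         and basename(e["Image"]) in SECURITY_PROCS})
        if len(killed) >= min_kills:
            alerts.append({"host": ev["host"], "driver": ev["ImageLoaded"],
                           "dropper": dropper, "killed": killed})
    return alerts

# Constructed sample events (simplified Sysmon-style records, not real telemetry).
T0 = datetime(2026, 1, 1, 12, 0, 0)
def at(seconds): return T0 + timedelta(seconds=seconds)
DRV = r"C:\Users\Public\NSecKrnl.sys"
SAMPLE = [
    {"id": 5, "host": "ws-02", "time": at(5), "Image": r"C:\Program Files\Avast\AvastSvc.exe"},
    {"id": 11, "host": "ws-01", "time": at(10), "Image": r"C:\Users\Public\payload.exe", "TargetFilename": DRV},
    {"id": 6, "host": "ws-01", "time": at(12), "ImageLoaded": DRV},
    {"id": 5, "host": "ws-01", "time": at(15), "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"id": 5, "host": "ws-01", "time": at(16), "Image": r"C:\Program Files\Sophos\hmpalert.exe"},
    {"id": 5, "host": "ws-01", "time": at(900), "Image": r"C:\Program Files\Symantec\ccSvcHst.exe"},
]
if __name__ == "__main__":
    print(find_byovd_chains(SAMPLE))
```

A lone security-process exit (ws-02) and an exit outside the five-minute window (ccSvcHst.exe) do not contribute to the alert; the window and `min_kills` threshold are tuning choices, not values from the report.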