Cybersecurity researchers disclosed a new ransomware family called Reynolds that bundles a vulnerable NsecSoft NSecKrnl driver intended to disable endpoint detection and response tools. The driver is associated with CVE-2025-68947 and has a CVSS score of 5.7.
KEY FACTS
- Incident: Reynolds ransomware embeds a BYOVD component inside its payload
- Technique: Drops a vulnerable NsecSoft NSecKrnl driver to kill EDR processes
- Vulnerability: CVE-2025-68947 affects the NSecKrnl driver, CVSS 5.7
- Targets: Attempts to terminate processes for multiple endpoint products
A report by the Symantec and Carbon Black Threat Hunter Team said the Reynolds payload drops the NsecSoft NSecKrnl driver and attempts to terminate processes for security products including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection.
The campaign embeds the BYOVD component inside the ransomware so the vulnerable, signed driver is delivered and invoked without a separate tool. The tactic avoids placing a distinct external binary on the victim network.
The tactic of abusing legitimate but flawed drivers to disable endpoint security has been observed before, including in attacks by Ryuk in 2020 and in an Obscura incident in 2025. Embedding the driver with the ransomware reduces steps for operators and affiliates.
The intrusion on the observed victim included a suspicious side-loaded loader present several weeks before the ransomware. GotoHTTP was deployed on the network one day after the ransomware, indicating the actor sought persistent access.
WHY IT MATTERS
The combination of a signed but vulnerable driver and a ransomware payload makes detection and interruption more difficult for defenders. Patching known driver flaws and monitoring for side-loaded or bundled drivers can reduce exposure.
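The BYOVD pattern described above (a signed but vulnerable driver loaded, then security processes killed) and the monitoring advice in the closing section can be turned into a concrete detection. The following is an added example, not code from the Symantec and Carbon Black report: it ingests Sysmon-style records (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate, whose field names are Sysmon's), flags any load of a watchlisted driver regardless of its signature status, and lists security-product processes terminated within a short window afterwards. The driver file name "nseckrnl.sys", the security-process names and all sample records are constructed assumptions.

```python
"""
Detection sketch for bundled BYOVD activity: watchlisted driver load followed
by termination of security-product processes.

Added example, not from the report. Records mimic Sysmon Event IDs 6
(DriverLoad) and 5 (ProcessTerminate); all values below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable

# Driver file names to watch. NSecKrnl is the driver named in the report; the
# ".sys" file name is an assumption. In practice, load this set from a
# vulnerable-driver blocklist instead of hard-coding it.
WATCHLISTED_DRIVERS = {"nseckrnl.sys"}

# Security-product image names. Constructed placeholders; replace them with the
# process names your EDR/AV vendor documents.
SECURITY_PROCESSES = {"edr_agent.exe", "avscanner.exe"}

DRIVER_LOAD = 6        # Sysmon Event ID 6: DriverLoad
PROCESS_TERMINATE = 5  # Sysmon Event ID 5: ProcessTerminate


@dataclass
class Event:
    event_id: int
    utc_time: datetime
    image: str            # ImageLoaded (ID 6) or Image (ID 5)
    signed: bool = True   # kept for context only: BYOVD drivers are validly signed
    signature: str = ""


@dataclass
class Alert:
    driver: str
    loaded_at: datetime
    terminated: list = field(default_factory=list)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_sysmon_record(rec: dict) -> Event:
    """Map a Sysmon-style record (dict keyed by Sysmon field names) onto Event."""
    event_id = int(rec["EventID"])
    ts = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
    if event_id == DRIVER_LOAD:
        return Event(event_id, ts, rec["ImageLoaded"],
                     rec.get("Signed", "true").lower() == "true",
                     rec.get("Signature", ""))
    return Event(event_id, ts, rec["Image"])


def is_watchlisted_driver(ev: Event) -> bool:
    # Signature status is deliberately ignored: the whole point of BYOVD is
    # that the driver carries a legitimate signature.
    return ev.event_id == DRIVER_LOAD and _basename(ev.image) in WATCHLISTED_DRIVERS


def correlate(events: Iterable[Event], window: timedelta = timedelta(minutes=5)) -> list:
    """One Alert per watchlisted driver load, listing security-product
    terminations that follow it within `window`."""
    events = sorted(events, key=lambda e: e.utc_time)
    alerts = []
    for i, ev in enumerate(events):
        if not is_watchlisted_driver(ev):
            continue
        alert = Alert(driver=_basename(ev.image), loaded_at=ev.utc_time)
        for later in events[i + 1:]:
            if later.utc_time - ev.utc_time > window:
                break  # events are sorted, so nothing later can be in-window
            if (later.event_id == PROCESS_TERMINATE
                    and _basename(later.image) in SECURITY_PROCESSES):
                alert.terminated.append(_basename(later.image))
        alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": 6, "UtcTime": "2025-01-01 10:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys", "Signed": "true"},
    {"EventID": 6, "UtcTime": "2025-01-01 10:05:00",
     "ImageLoaded": r"C:\Users\Public\NSecKrnl.sys", "Signed": "true",
     "Signature": "EXAMPLE-SIGNER"},
    {"EventID": 5, "UtcTime": "2025-01-01 10:05:30",
     "Image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2025-01-01 10:05:45",
     "Image": r"C:\Windows\notepad.exe"},
    {"EventID": 5, "UtcTime": "2025-01-01 10:20:00",
     "Image": r"C:\Program Files\AV\avscanner.exe"},
]


def run_sample() -> list:
    return correlate(parse_sysmon_record(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.loaded_at} watchlisted driver {a.driver} loaded; "
              f"security processes terminated within window: {a.terminated or 'none'}")
```

On the sample data the benign driver produces nothing, the NSecKrnl load raises an alert on its own, and only the EDR process killed 30 seconds later is attached to it; the termination 15 minutes later falls outside the window. Because the driver is loaded from inside the ransomware process rather than by a separate tool, a watchlist keyed on driver file name and hash (fed by a vulnerable-driver blocklist) is a more reliable trigger than looking for a distinct BYOVD binary on disk.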