
"Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself. BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years."
""Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software," the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. "However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.""
Reynolds ransomware contains a built-in bring your own vulnerable driver (BYOVD) module that abuses legitimate but flawed driver software to escalate privileges and evade Endpoint Detection and Response (EDR). The payload drops an NsecSoft NSecKrnl driver and uses it to terminate processes belonging to security products including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (and HitmanPro.Alert), and Symantec Endpoint Protection. The NSecKrnl driver is vulnerable to CVE-2025-68947 (CVSS 5.7), which allows termination of arbitrary processes from user mode. Because the driver itself is legitimately signed, a signature check alone will not stop it; defenders need a driver blocklist (for example Microsoft's vulnerable driver blocklist enforced through HVCI) and driver-load telemetry to catch the load before the EDR is killed. Bundling the vulnerable driver inside the ransomware, rather than deploying it as a separate pre-stage tool, mirrors tactics seen in prior Ryuk and Obscura incidents and has previously been used by actors such as Silver Fox in ValleyRAT-related attacks.
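One way to hunt for this chain in endpoint telemetry is to correlate a watchlisted driver load with EDR process terminations that follow it within a short window. The script below is an added example written for this page, not code from The Hacker News, Symantec, or any product. The log lines are constructed in a simplified key=value form mirroring Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the driver file name NSecKrnl.sys and the EDR process image names are assumptions, since the article names only the vendor and the products.

```python
"""Hunt for BYOVD-style EDR tampering: a watchlisted driver load followed
by termination of security-product processes.

Added example for this page, not the article's or Symantec's code. Log lines
are constructed; driver file names and EDR process names are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumed file names for the NsecSoft driver (the article says "NSecKrnl
# driver" but gives no .sys name or hash). Extend with the real artefact
# names from your own vendor intel.
DRIVER_WATCHLIST = {"nseckrnl.sys", "nseckrnl64.sys"}

# Assumed process image names for the products the article lists.
EDR_PROCESSES = {
    "csfalconservice.exe",  # CrowdStrike Falcon (assumed)
    "cyserver.exe",         # Palo Alto Networks Cortex XDR (assumed)
    "sophosfs.exe",         # Sophos (assumed)
    "hmpalert.exe",         # HitmanPro.Alert (assumed)
    "ccsvchst.exe",         # Symantec Endpoint Protection (assumed)
    "avastsvc.exe",         # Avast (assumed)
}

# Constructed sample telemetry. Values containing spaces are quoted.
SAMPLE_LOG = r"""
2026-01-14T09:12:01Z EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature="Microsoft Windows"
2026-01-14T09:15:44Z EventID=6 ImageLoaded=C:\Users\Public\NSecKrnl.sys Signed=true Signature="NsecSoft"
2026-01-14T09:15:45Z EventID=5 Image="C:\Program Files\CrowdStrike\CSFalconService.exe" ProcessId=1234
2026-01-14T09:15:46Z EventID=5 Image="C:\Program Files\HitmanPro.Alert\hmpalert.exe" ProcessId=2222
2026-01-14T09:40:00Z EventID=5 Image=C:\Windows\System32\notepad.exe ProcessId=3333
"""

LINE_RE = re.compile(r"^(\S+)\s+EventID=(\d+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Parse key=value event lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # findall yields (key, quoted_value, bare_value); exactly one value is non-empty
        fields = {k: (q or u) for k, q, u in KV_RE.findall(m.group(3))}
        events.append({"ts": ts, "event_id": int(m.group(2)), **fields})
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def find_byovd_chains(events, window=timedelta(seconds=120)):
    """Return one finding per watchlisted driver load, listing the EDR
    processes terminated within `window` after it. A load with no follow-on
    kills is still reported at medium severity: the driver has no business
    on an endpoint regardless of what happens next."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 6 or basename(ev.get("ImageLoaded", "")) not in DRIVER_WATCHLIST:
            continue
        killed = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later["event_id"] == 5 and basename(later.get("Image", "")) in EDR_PROCESSES:
                killed.append(later["Image"])
        findings.append({
            "driver": ev["ImageLoaded"],
            "loaded_at": ev["ts"].isoformat(),
            "edr_processes_terminated": killed,
            "severity": "high" if killed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_byovd_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

The driver load from a user-writable directory (C:\Users\Public in the sample) is itself a strong signal even before any termination follows; in production, key the watchlist on the driver's authenticode hash or the entries in the Microsoft vulnerable driver blocklist rather than on file names, which an attacker can rename freely.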
Read at The Hacker News