
Feb 17, 2026 · 5 min read

This Ransomware Kills Your Security Software Before You Know It Is There

Reynolds ransomware bundles a vulnerable driver directly inside its payload, letting it disable CrowdStrike, Sophos, and Symantec before encrypting anything.

[Image: A server room with security monitoring screens going dark one by one while a single red indicator light remains active]

A New Kind of Ransomware Payload

Ransomware operators have long used a technique called Bring Your Own Vulnerable Driver, or BYOVD, to disable security tools before encrypting files. The idea is simple: load a legitimate but flawed driver onto the victim's machine, then exploit that driver's vulnerability to kill endpoint detection and response (EDR) software.

What makes Reynolds different is how it delivers the driver. Instead of dropping it as a separate file, Reynolds embeds the vulnerable driver directly inside the ransomware payload. One file does both jobs: disabling security and encrypting data.

Broadcom researchers disclosed the new ransomware family in February 2026, calling the bundled approach a significant evolution in ransomware design.

How the Attack Works

Reynolds uses the NsecSoft NSecKrnl driver, a legitimate piece of software that contains a known vulnerability tracked as CVE-2025-68947 (CVSS 5.7). This driver flaw allows any process running with sufficient privileges to terminate arbitrary other processes on the system.

The attack chain works like this:

  • An attacker gains initial access to a network, often through phishing or stolen credentials
  • A suspicious side-loaded loader is deployed weeks before the ransomware, establishing persistence
  • When the time comes, Reynolds executes as a single binary
  • The embedded driver loads and immediately begins terminating security processes
  • With EDR software dead, the ransomware encrypts files without interference
  • GotoHTTP is deployed for persistent remote access after encryption

The entire sequence, from driver loading to encryption, happens without a second file ever being dropped. Traditional detections that look for a suspicious driver file being written to disk miss it entirely.

Which Security Products Get Killed

Reynolds specifically targets processes belonging to major enterprise security vendors:

  • CrowdStrike Falcon, one of the most widely deployed EDR platforms
  • Palo Alto Networks Cortex XDR, a leading extended detection and response tool
  • Sophos and HitmanPro.Alert
  • Symantec Endpoint Protection
  • Avast antivirus

These are not fringe products. They protect millions of corporate endpoints worldwide. When the driver terminates their processes, the machine is effectively unguarded.

Why Bundling Changes the Game

In a traditional BYOVD attack, the vulnerable driver is dropped as a separate file before the ransomware runs. This creates two detection opportunities: security software can flag the driver when it appears and can detect the ransomware payload separately.

Reynolds eliminates the gap between these two events. By packaging both components in a single binary:

  • There is no window for defenders to detect the driver before the attack begins
  • Fewer files on disk means fewer artifacts for forensics teams to find
  • The attack is simpler for affiliates to execute, lowering the skill barrier
  • Behavioral detection tools have less time to respond

This approach first appeared in Ryuk attacks back in 2020 and surfaced again with Obscura ransomware in August 2025. Reynolds represents the latest iteration of a trend that is steadily becoming the standard playbook.

The BYOVD Problem Is Getting Worse

The fundamental issue is that Windows trusts signed drivers, even ones with known vulnerabilities. Attackers do not need to find new bugs. They just need to find an old driver that was legitimately signed but has a known flaw, and the operating system will happily load it.

Microsoft maintains a vulnerable driver blocklist, but it requires manual updates and does not cover every exploitable driver. The NSecKrnl driver used by Reynolds was known to be vulnerable, but it was not blocked on all systems.

Until operating systems stop trusting all signed drivers by default, BYOVD will remain one of the most reliable ways to disable endpoint security.

What Organizations Should Do

If you are responsible for endpoint security in your organization:

  • Enable Microsoft's vulnerable driver blocklist and verify it is up to date
  • Configure EDR solutions to alert when their own processes are terminated unexpectedly
  • Monitor for the NSecKrnl driver (CVE-2025-68947) appearing on any system
  • Implement application control policies that restrict which drivers can load
  • Ensure your EDR vendor has self-protection mechanisms that resist kernel-level termination
  • Maintain offline backups. If ransomware kills your security software, backups are your last defense
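An added example (not code from the article or from Broadcom's research) of the detection logic behind two of the bullets above, run over constructed Sysmon-style events: it flags a load of any driver whose name matches a watchlist, and separately flags any driver load that is followed within a short window by the termination of several security agent processes. The driver file name, the process names and the log format are placeholders, not the vendors' real file names.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (Event ID 6 = DriverLoad, 5 = ProcessTerminate),
# simplified to "timestamp|event_id|key=value". Driver and process names are
# placeholders, not the vendors' real file names.
SAMPLE_LOG = """\
2026-02-17T10:00:01|6|ImageLoaded=C:\\Windows\\Temp\\nseckrnl.sys
2026-02-17T10:00:03|5|Image=C:\\Program Files\\EDR\\edr_agent.exe
2026-02-17T10:00:04|5|Image=C:\\Program Files\\AV\\av_service.exe
2026-02-17T10:00:05|5|Image=C:\\Program Files\\XDR\\xdr_sensor.exe
2026-02-17T10:05:00|5|Image=C:\\Windows\\System32\\notepad.exe
2026-02-17T11:00:00|6|ImageLoaded=C:\\Windows\\System32\\drivers\\acpi.sys
2026-02-17T11:30:00|5|Image=C:\\Program Files\\EDR\\edr_agent.exe
"""

# Assumed watchlists: driver name fragments known to be abusable, and the
# security agent processes this host is expected to keep running.
WATCHED_DRIVERS = ("nseckrnl",)
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe", "xdr_sensor.exe"}
WINDOW = timedelta(seconds=60)   # how soon after a driver load we look
THRESHOLD = 2                    # protected-process deaths that trigger an alert


def parse_events(text):
    """Turn the simplified log into (timestamp, event_id, basename) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, kv = line.split("|", 2)
        path = kv.split("=", 1)[1]
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append((datetime.fromisoformat(ts), int(eid), name))
    return events


def detect(text):
    """Return alert strings for watched drivers and driver-load-then-kill bursts."""
    events = parse_events(text)
    alerts = []
    for ts, eid, name in events:
        if eid != 6:            # only driver loads start a correlation
            continue
        if any(frag in name for frag in WATCHED_DRIVERS):
            alerts.append(f"{ts.isoformat()} watched driver loaded: {name}")
        killed = sorted({n for t, e, n in events
                         if e == 5 and n in PROTECTED_PROCESSES
                         and ts <= t <= ts + WINDOW})
        if len(killed) >= THRESHOLD:
            alerts.append(f"{ts.isoformat()} driver {name} followed by "
                          f"{len(killed)} security process terminations: {', '.join(killed)}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second rule is the more durable one: it keys on the behaviour (a driver load followed by a burst of agent deaths) rather than on a file name, so it still fires for a driver that is not yet on any blocklist.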

Reynolds is a reminder that security software is not invincible. The tools designed to protect you can be targeted and disabled. Defense in depth, layering multiple security controls so that no single failure is catastrophic, remains the most effective strategy against ransomware that fights back.