What happened
Security researchers have identified a new ransomware strain, Reynolds, that embeds a Bring Your Own Vulnerable Driver (BYOVD) component directly into its payload to disable Endpoint Detection and Response (EDR) security tools by exploiting a known vulnerable driver (NsecSoft NSecKrnl).
Who is affected
Organizations running Windows environments that rely on EDR solutions from vendors such as Avast, CrowdStrike, Palo Alto Networks, Sophos, and Symantec, among others, are at risk, especially if systems allow loading of vulnerable or untrusted drivers.
Why CISOs should care
This integrated BYOVD technique represents an evolution in ransomware defense evasion by combining privilege escalation and EDR disablement in one payload, making detection and response more difficult and increasing the likelihood of successful encryption and potential operational disruption.
3 practical actions
- Harden driver policies: Enforce strict driver integrity controls and block the installation of unsigned or known vulnerable drivers via Group Policy or endpoint configuration.
- Monitor kernel-level activity: Implement telemetry and monitoring for unusual driver loads and kernel interactions that could indicate BYOVD exploitation.
- Update and patch: Maintain up-to-date EDR, OS patches, and threat intelligence feeds to ensure detection of known exploitation techniques and vulnerable components.
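One way to implement the driver-load monitoring the second action calls for, as an added example that is not code from the advisory or from any EDR vendor. It assumes Sysmon Event ID 6 (DriverLoad) records rendered as "Field=Value" pairs separated by "; " and flags a load when the driver is unsigned, its signer matches a blocklisted vulnerable-driver family, its SHA256 is blocklisted, or it loads from a user-writable directory. Apart from the NsecSoft signer name taken from the advisory, every sample event, path, signer and hash below is a constructed placeholder rather than a real indicator.

```python
"""Flag suspicious kernel driver loads in Sysmon-style DriverLoad events.

Added example (not from the advisory). Assumes Sysmon Event ID 6 fields
(ImageLoaded, Hashes, Signed, Signature, SignatureStatus) rendered as
'Field=Value; Field=Value'. Sample data is constructed, not real IoCs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Lower-case signer substrings tied to known vulnerable driver families.
# Only the NsecSoft entry comes from the advisory; in practice, feed this
# from a curated source such as Microsoft's vulnerable driver blocklist.
BLOCKED_SIGNERS = {"nsecsoft": "signer associated with a known vulnerable driver"}

# Hash blocklist. The key is a constructed placeholder, not a real hash.
BLOCKED_SHA256 = {"0000placeholder0000": "sha256 on vulnerable-driver blocklist"}

# Directories a properly installed driver should not normally load from.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed sample records in the assumed rendering.
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 10:00:00; ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; "
    "Hashes=SHA256=aaaa; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    "UtcTime=2024-01-01 10:05:12; ImageLoaded=C:\\Users\\Public\\drv\\placeholder.sys; "
    "Hashes=SHA256=0000placeholder0000; Signed=true; Signature=NsecSoft Co., Ltd.; "
    "SignatureStatus=Valid",
    "UtcTime=2024-01-01 10:06:40; ImageLoaded=C:\\ProgramData\\tmp\\helper.sys; "
    "Hashes=SHA256=bbbb; Signed=false; Signature=; SignatureStatus=Unavailable",
]


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line: str) -> dict:
    """Split 'Field=Value; Field=Value' into a dict; the first '=' separates the key."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(fields: dict) -> str:
    """Pull the SHA256 entry out of Sysmon's 'Hashes=SHA256=...,IMPHASH=...' field."""
    m = re.search(r"SHA256=([^,]+)", fields.get("Hashes", ""))
    return m.group(1).lower() if m else ""


def assess(fields: dict) -> Optional[Finding]:
    """Return a Finding listing every rule the driver load trips, or None if clean."""
    image = fields.get("ImageLoaded", "")
    reasons = []
    # A signed, validly-signed driver is the baseline; anything else is suspect.
    if fields.get("Signed", "").lower() != "true" or fields.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")
    # BYOVD abuses drivers that ARE validly signed, so check the signer too.
    signer = fields.get("Signature", "").lower()
    for needle, why in BLOCKED_SIGNERS.items():
        if needle in signer:
            reasons.append(why)
    digest = sha256_of(fields)
    if digest in BLOCKED_SHA256:
        reasons.append(BLOCKED_SHA256[digest])
    # Drivers dropped by a payload typically load from a user-writable location.
    if any(p in image.lower() for p in USER_WRITABLE):
        reasons.append("driver loaded from a user-writable directory")
    return Finding(image, reasons) if reasons else None


def scan(lines) -> list:
    """Run every event through assess() and keep only the suspicious loads."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

The signer and hash checks matter more than the signature check for this strain: a BYOVD driver carries a valid signature by design, so a rule that only alerts on unsigned drivers would miss it. Alerts from this logic are a starting point for a driver integrity policy (the first action), not a replacement for blocking the load in the first place.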
