Reynolds ransomware uses BYOVD to disable security before encryption

Pierluigi Paganini February 11, 2026

Researchers discovered Reynolds ransomware, which uses the BYOVD technique to disable security tools and evade detection before encryption.

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Broadcom’s cybersecurity researchers initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed the payload was Reynolds, a new ransomware family. The campaign stands out because it embeds a bring-your-own-vulnerable-driver (BYOVD) component directly inside the ransomware. Instead of deploying a separate tool to disable security software, Reynolds bundles the vulnerable NsecSoft driver within its payload to evade detection.

Bring Your Own Vulnerable Driver (BYOVD) is an attack technique where threat actors use a legitimate but flawed driver to bypass security controls.

Instead of exploiting a new vulnerability, attackers install a signed, trusted driver that contains known security flaws. Because the driver is legitimately signed, Windows allows it to load. Once running, attackers exploit the driver’s weakness to:

  • Bypass kernel-level protections
  • Escalate privileges (gain SYSTEM-level access)
  • Disable or tamper with EDR/antivirus tools
  • Kill security processes

The Reynolds ransomware drops the vulnerable NsecKrnl driver and creates a service to run it. It then abuses the driver flaw (CVE-2025-68947) to kill security processes associated with major defense solutions, including Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET, and Avast tools.

“The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes,” reads the report published by Broadcom. “The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which means that it fails to verify if a user has sufficient permissions before executing commands. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.”

The malware encrypts files and adds the “.locked” extension. Investigators also found a suspicious side-loaded loader weeks earlier and the GotoHTTP remote access tool after the attack, suggesting the attackers may have kept access before and even after deploying the ransomware.

In 2026, ransomware groups routinely disable antivirus and EDR tools before launching encryption. They added this step as security vendors improved early detection. The most common method is BYOVD, where attackers load a signed but vulnerable driver, exploit it to gain higher privileges, and shut down security software. Because the driver is legitimate and signed, it often avoids alerts. Popular tools include TrueSightKiller, GhostDriver, AuKill, Poortry, Gmer, and Warp AVKiller. Attackers sometimes use built-in Windows tools, but BYOVD remains their top defense-evasion tactic.
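As an added example (not code from the report or from Broadcom), the following Python flags the two host-telemetry events the article describes for this campaign, a kernel-mode service being registered for a dropped driver and the subsequent driver load, against a watchlist that contains the NSecKrnl name from the report. The `Key=Value;` log format, the sample lines and the field names are constructed approximations of Windows System event 7045 and Sysmon event 6, not real telemetry.

```python
from dataclasses import dataclass

# Driver names known to be abused for BYOVD; only NSecKrnl is named in the report.
# Extend from your own blocklist or the Microsoft vulnerable driver blocklist.
ABUSED_DRIVERS = {"nseckrnl"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def parse_kv(line: str) -> dict[str, str]:
    """Parse the constructed 'Key=Value;Key=Value' record format used below."""
    return {k.strip().lower(): v.strip().strip('"') for k, _, v in
            (part.partition("=") for part in line.split(";") if "=" in part)}

def basename_noext(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def analyze_line(line: str) -> list[Finding]:
    ev = parse_kv(line)
    out: list[Finding] = []
    eid = ev.get("eventid")
    # System log 7045: a new service was installed. Reynolds registers the dropped
    # driver as a kernel-mode service before abusing it to kill security processes.
    if eid == "7045" and "kernel" in ev.get("servicetype", "").lower():
        name, path = ev.get("servicename", ""), ev.get("imagepath", "")
        if name.lower() in ABUSED_DRIVERS or basename_noext(path) in ABUSED_DRIVERS:
            out.append(Finding("known_abused_driver_service", f"{name} -> {path}"))
        if not path.lower().startswith(DRIVER_DIR):
            out.append(Finding("kernel_driver_outside_drivers_dir", f"{name} -> {path}"))
    # Sysmon event 6: driver loaded. A BYOVD driver is validly signed, so the
    # name and path are the signal here, not the signature status.
    if eid == "6" and "imageloaded" in ev:
        path = ev["imageloaded"]
        if basename_noext(path) in ABUSED_DRIVERS:
            out.append(Finding("known_abused_driver_loaded", f"{path} (Signed={ev.get('signed')})"))
    return out

def analyze(lines: list[str]) -> list[Finding]:
    return [f for line in lines for f in analyze_line(line)]

# Constructed sample log lines (not telemetry taken from the report).
SAMPLE_LOG = [
    "EventID=7045;Source=System;ServiceName=NSecKrnl;ImagePath=C:\\Users\\Public\\NSecKrnl.sys;ServiceType=kernel mode driver",
    "EventID=6;Source=Sysmon;ImageLoaded=C:\\Users\\Public\\NSecKrnl.sys;Signed=true;Signature=NsecSoft",
    "EventID=6;Source=Sysmon;ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys;Signed=true;Signature=Microsoft Windows",
]
```

Running `analyze(SAMPLE_LOG)` yields three findings for the first two lines and none for the legitimate Microsoft driver; the path rule also catches drivers the watchlist does not yet name.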

This campaign raises concerns that more ransomware groups may embed defense-evasion tools directly inside their payloads. Combining both components makes attacks quieter and faster, since attackers no longer need to drop a separate driver that defenders could detect and block. This approach reduces steps and limits response time. It may also attract affiliates, as bundled capabilities make ransomware easier to deploy and more competitive in the criminal market.

“Embedding more capabilities into the ransomware payload itself may also help act as a unique selling point for ransomware developers who are attempting to attract affiliates,” concludes the report, which includes Indicators of Compromise (IoCs). “Having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require less steps, potentially making such a payload more attractive to affiliates.”

Source: https://securityaffairs.com/187869/security/reynolds-ransomware-uses-byovd-to-disable-security-before-encryption.html