Cybersecurity researchers have uncovered a concerning evolution in ransomware tradecraft that threatens traditional endpoint security tools used across businesses.
According to a new report from The Hacker News, a ransomware family dubbed Reynolds has been observed with a Bring Your Own Vulnerable Driver (BYOVD) component built directly into the malware payload. This lets attackers neutralize leading EDR (Endpoint Detection and Response) solutions before the ransomware even begins its destructive work.
What the Reynolds Ransomware Does
In typical ransomware attacks, adversaries use separate tools to disable security defenses before the main payload is delivered. Reynolds instead bundles a vulnerable but legitimately signed kernel-mode driver (specifically the NsecSoft NSecKrnl driver) inside the ransomware binary. Once the driver is loaded, the ransomware, which itself runs in user mode, can ask the driver to perform kernel-level operations on its behalf, including terminating the processes of widely deployed endpoint tools that normally shield themselves from being killed, among them products from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos, and Symantec Endpoint Protection. One practical caveat: loading any kernel driver on Windows requires administrative rights, so the attacker must already hold local admin on the host. What the vulnerable driver adds is not that initial privilege but kernel-mode power that no user-mode process is supposed to have.
Embedding BYOVD in the ransomware payload itself is a notable shift: it removes the need to deliver separate defense-evasion tools or stages, each of which would be another opportunity for detection. By abusing legitimate but flawed code, Reynolds effectively “blinds” security tools so that encryption and other attack steps can unfold unchecked.
This trend is not isolated to Reynolds. Security researchers have documented multiple ransomware families integrating BYOVD drivers to bypass EDR protections. Any signed driver with an exploitable flaw can be repurposed this way, including drivers shipped with legitimate investigation and defense tools, because the code signature stays valid long after the vulnerability becomes known.
Why BYOVD Is So Dangerous
The BYOVD technique is effective because it leverages software components that carry a valid code signature and are expected to run on endpoints. Driver signature enforcement checks only that the signature is valid, not that the code is free of bugs, so a vulnerable driver loads like any other unless something explicitly blocks it, and blocklists such as Microsoft’s vulnerable driver blocklist only stop drivers that have already been added to them. Because the flaw sits in the kernel, the attacker’s user-mode process gains a path into the operating system’s core and can disable defenses from there.
Once these defenses are neutralized at the kernel level, ransomware can move freely without generating alerts, giving attackers time to encrypt data, destroy backups, or steal sensitive information. For many businesses, this can mean catastrophic operational disruption, financial loss, and reputational harm.
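The driver load and the process kills described above are the defender’s side of this technique: both still show up in endpoint telemetry. The following is an added example written for this article, not code from the article, The Hacker News, or any vendor. It is a small Python detector run over constructed events shaped like Sysmon’s DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records. It flags a kernel driver that either matches a hypothetical vulnerable-driver blocklist or is signed yet loaded from outside the system driver directory, and escalates when a security agent’s process dies within five minutes of such a load. All hashes, paths, signer names and the blocklist are placeholders, the process names are illustrative, and the five-minute correlation window is an assumption.

```python
"""Flag a BYOVD pattern in endpoint telemetry: a suspicious kernel driver load
followed shortly by termination of a security product's process.

Added example; not code from the article or any vendor. Events are constructed
to resemble Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate).
Every path, hash and signer name below is a placeholder, not a real indicator.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Placeholder 64-hex SHA256 values (constructed, not real driver hashes).
VULN_HASH = "00" * 31 + "01"     # stands in for a blocklisted vulnerable driver
UNKNOWN_HASH = "00" * 31 + "02"  # a driver build the blocklist has not seen yet
MS_HASH = "00" * 31 + "03"       # a benign inbox driver

# Hypothetical blocklist (SHA256 -> note). A real deployment would feed this from
# Microsoft's vulnerable driver blocklist or a community list such as LOLDrivers.
KNOWN_VULNERABLE_SHA256 = {VULN_HASH: "exposes a kill-process IOCTL to user mode"}

# Where legitimately installed kernel drivers normally live on Windows.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Illustrative security-agent image names; tune to the products in your estate.
PROTECTED_IMAGES = {"csfalconservice.exe", "cyserver.exe", "msmpeng.exe", "avastsvc.exe"}

# Assumed window in which a security-process kill is tied to a driver load.
KILL_WINDOW = timedelta(minutes=5)

# Constructed telemetry: pipe-delimited key=value pairs, one event per line.
SAMPLE_LOG = (
    "EventID=6|UtcTime=2026-02-20 10:14:02.101|ImageLoaded=C:\\ProgramData\\stage\\drv.sys"
    f"|Hashes=SHA256={UNKNOWN_HASH}|Signed=true|SignatureStatus=Valid|Signature=Example Driver Vendor\n"
    "EventID=5|UtcTime=2026-02-20 10:14:09.455|ProcessId=4120|Image=C:\\Program Files\\CrowdStrike\\CSFalconService.exe\n"
    "EventID=5|UtcTime=2026-02-20 10:14:09.470|ProcessId=5012|Image=C:\\Windows\\System32\\notepad.exe\n"
    "EventID=6|UtcTime=2026-02-20 10:20:00.000|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    f"|Hashes=SHA256={MS_HASH}|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows\n"
    "EventID=5|UtcTime=2026-02-20 10:45:00.000|ProcessId=2300|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe\n"
    "EventID=6|UtcTime=2026-02-20 11:02:00.000|ImageLoaded=C:\\Windows\\System32\\drivers\\vendorkrnl.sys"
    f"|Hashes=SHA256={VULN_HASH}|Signed=true|SignatureStatus=Valid|Signature=Example Driver Vendor\n"
    "EventID=5|UtcTime=2026-02-20 11:02:30.000|ProcessId=3344|Image=C:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe\n"
)


@dataclass
class Alert:
    severity: str  # medium / high / critical
    rule: str
    time: datetime
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict. Only the first '=' separates key from value,
    so Sysmon's 'Hashes=SHA256=...' survives intact."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def sha256_of(fields: Dict[str, str]) -> str:
    """Sysmon packs hashes as 'SHA256=..,MD5=..'; return the SHA256 in lower case."""
    for item in fields.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def classify_driver_load(fields: Dict[str, str]) -> Optional[str]:
    """Reason a DriverLoad looks like BYOVD, or None if it looks normal.
    A valid signature is deliberately NOT treated as a clean verdict:
    BYOVD drivers are signed, which is exactly why Windows loads them."""
    digest = sha256_of(fields)
    if digest in KNOWN_VULNERABLE_SHA256:
        return f"hash on vulnerable-driver blocklist ({KNOWN_VULNERABLE_SHA256[digest]})"
    path = fields.get("ImageLoaded", "").lower()
    signed = fields.get("Signed", "").lower() == "true"
    if signed and not path.startswith(TRUSTED_DRIVER_DIRS):
        return "signed driver loaded from outside the system driver directory"
    return None


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Run the BYOVD rules over time-ordered events and return alerts."""
    alerts: List[Alert] = []
    suspicious_loads: List[Tuple[datetime, str]] = []  # (time, driver path)
    for f in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.strptime(f["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if f.get("EventID") == "6":
            reason = classify_driver_load(f)
            if reason:
                suspicious_loads.append((t, f["ImageLoaded"]))
                alerts.append(Alert("high", "suspicious_driver_load", t, f"{f['ImageLoaded']}: {reason}"))
        elif f.get("EventID") == "5":
            image = f.get("Image", "")
            if image.rsplit("\\", 1)[-1].lower() not in PROTECTED_IMAGES:
                continue  # ordinary process exit, not interesting here
            recent = [(lt, lp) for lt, lp in suspicious_loads if t - lt <= KILL_WINDOW]
            if recent:
                lt, lp = recent[-1]
                secs = int((t - lt).total_seconds())
                alerts.append(Alert("critical", "edr_kill_after_byovd", t,
                                    f"{image} terminated {secs}s after {lp} was loaded"))
            else:  # still worth a look: agents do not normally die on their own
                alerts.append(Alert("medium", "security_process_terminated", t, image))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity:8}] {a.time:%H:%M:%S} {a.rule}: {a.detail}")
```

Two things the code shows that the paragraphs above only state: a valid signature is never taken as a clean verdict, because BYOVD drivers are signed by design, and the hash rule catches a vulnerable driver even when it sits in the proper drivers directory, while the path rule catches an unlisted build staged from a user-writable location. It also shows the limitation discussed next: by the time the critical alert fires, the agent process is already gone, so this buys a triage lead rather than prevention, and on a host whose sensor was just killed the events may never leave the machine at all.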
The Limits of Detect and Respond
Endpoint Detection and Response solutions have been a cornerstone of enterprise security for years. They monitor activity, raise alerts, and help security teams investigate and react to threats. But that model assumes the defensive tools remain functional and that attackers can be seen or caught before they cause major damage.
With tactics like BYOVD embedded directly into ransomware, attackers can disarm EDR before it has a chance to raise alarms. The driver load and the sudden silence of the sensor may still leave traces, but an alert that fires after the agent is dead only helps if someone acts on it within minutes, and by then the ransomware has often already done its damage. This highlights a stark reality: detect-and-respond alone is no longer sufficient.
Why Isolation and Containment Matter
Modern threats demand a fundamentally different approach—one that focuses on preventing threats from executing and spreading in the first place, instead of just alerting after the fact. This is where proactive isolation and containment technologies come into play.
Isolation-based solutions are designed to stop unknown or malicious activity at the moment of execution, effectively quarantining threats before they can interact with critical resources. This means that even if a threat manages to evade detection or abuse a vulnerable driver, its ability to harm systems is stopped in its tracks.
AppGuard: A Proven Solution for Today’s Threats
For businesses looking to strengthen their endpoint security posture, solutions like AppGuard are increasingly essential. With more than a decade of real‑world success protecting enterprise environments, AppGuard does not rely solely on traditional detection rules or signatures. Instead, it isolates and contains applications, preventing malicious behavior from ever executing, while letting legitimate work proceed uninterrupted.
By focusing on isolation and containment rather than just detection and response, AppGuard provides a robust defensive posture against sophisticated techniques like those used by Reynolds ransomware and other advanced threats.
What Business Owners Should Do Next
If your organization still relies primarily on detect-and-respond endpoint tools, the rise of embedded BYOVD techniques should be a wake‑up call.
Talk with us at CHIPS today about how AppGuard can prevent these kinds of advanced attacks. Learn how shifting from detection alone to proactive isolation and containment can dramatically strengthen your defenses, reduce risk, and give your business the resilience it needs in an increasingly hostile cyber landscape.
February 20, 2026