REYNTSCOPE ransomware recently became a heavy-hitting player in the cybersecurity landscape. It has a built-in bring your own vulnerable driver (BYOVD) component, allowing it to slip past many security mitigations. The NsecSoft NSecKrnl driver, bundled into the ransomware, is known to contain a dangerous security vulnerability, classified as CVE-2025-68947. This vulnerability has a CVSS score of 5.7. Attackers can use it to kill any process they want, effectively shutting down major security protections.
The LockBit 5.0 ransomware variant continues to grow in popularity as it adopts a new strategy. To encrypt sensitive files on Windows, Linux, and ESXi systems, it uses ChaCha20. Ransomware attacks have risen sharply in frequency and severity, as have ransom payments themselves. By the fourth quarter of 2025, the average ransom had climbed to $591,988, a shocking 57% jump compared to the previous quarter.
The Mechanics of Reynolds Ransomware
Reynolds ransomware’s most notable characteristic is its victim shaming. It installs the vulnerable NsecSoft NSecKrnl driver right alongside its ransomware payload. This integration lets it avoid detection far better than the usual approach, in which a separate framework unloads security tools before the actual attack executes.
“Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software,” – Symantec and Carbon Black Threat Hunter Team.
Here, the driver ships with the ransomware itself. This makes the attack process more streamlined and reduces the likelihood that security technologies will flag the malicious components before execution.
McGuire reported a suspicious side-loaded loader operating on affected networks. This early sign appeared weeks before the actual ransomware was deployed. This preparatory step indicates a considerable degree of planning and sophistication in the way Reynolds ransomware operates.
“Also of note in this attack campaign was the presence of a suspicious side-loaded loader on the target’s network several weeks prior to the ransomware being deployed,” – Symantec and Carbon Black.
Rising Threat Landscape and Ransom Trends
The overall landscape of ransomware attacks has changed dramatically. In 2025 alone, 4,737 ransomware attacks were reported, up from 4,701 in 2024. Notably, non-encryption attacks, in which data is stolen without being encrypted, rose to 6,182 breaches, a 23% increase.
The LockBit 5.0 variant also deserves mention for features that improve ease of use and operational efficiency. It includes a wiper component, an option to delay execution before file encryption begins, and a progress bar that tracks encryption status. These features have made it one of the most capable and attractive tools for cybercriminals.
“The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that packaging the defense evasion binary and the ransomware payload together is ‘quieter’, with no separate external file dropped on the victim network,” – Symantec and Carbon Black.
This trend shows ransomware attacks becoming more advanced and multi-layered. Attackers are constantly changing their tactics to stay one step ahead of evolving security technologies.
The Role of Vulnerable Drivers in Cyber Attacks
Reynolds is not alone in exploiting vulnerable drivers in ransomware attacks; other groups have adopted similar strategies. Just last month, the Interlock ransomware group used a zero-day exploit in the “GameDriverx64.sys” gaming anti-cheat driver. That vulnerability, CVE-2025-61155, has a CVSS score of 5.5. The group used the driver to disable security tools.
Additionally, the Silver Fox ransomware group has used a vulnerable driver called truesight.sys in its BYOVD activity. This recurring trend illustrates a dangerous theme: adversaries increasingly leverage legitimate software components to further their harmful goals.
Cybercriminals are adopting BYOVD methods because they are highly effective. These techniques rely on validly signed files, which makes them harder for security solutions to detect. As such deceptive tactics gain traction, organizations will need to strengthen their defenses against these increasingly sophisticated threats.
“BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags,” – cybersecurity experts.
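Because a BYOVD driver is validly signed, signature checks alone will not catch it; the defensive signal lies in where the driver is loaded from, whether its file name matches a driver already known to be abused, and what happens right after it loads (the article describes security processes being killed). The following Python example, added here and not code from the article or from any vendor it cites, shows one way to correlate those signals. It assumes a simplified JSON-lines log format loosely modelled on driver-load and process-terminate events; the log records, paths, timestamps and signer names are constructed placeholders, and the driver file names in the blocklist are the three named on this page.

```python
"""Flag suspicious kernel driver loads and correlate them with process kills.

Added example, not code from the article. Log format, field names, paths,
timestamps and signer strings are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Driver file names named on the page as abused in BYOVD attacks (lower-case).
KNOWN_ABUSED_DRIVERS = {"nseckrnl.sys", "gamedriverx64.sys", "truesight.sys"}

# Locations a legitimate driver is rarely loaded from (constructed heuristic):
# a driver dropped next to a payload in a user-writable directory is a red flag.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed sample log: a benign driver load, then a signed but abused driver
# loaded from a temp directory, followed by two security processes being killed.
SAMPLE_LOG = r"""
{"ts": "2025-11-03T09:14:02", "event": "DriverLoad", "image": "C:\\Windows\\System32\\drivers\\ndis.sys", "signed": true, "signer": "Microsoft Windows"}
{"ts": "2025-11-03T09:20:45", "event": "DriverLoad", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\NSecKrnl.sys", "signed": true, "signer": "NsecSoft (constructed)"}
{"ts": "2025-11-03T09:21:10", "event": "ProcessTerminate", "image": "C:\\Program Files\\AV\\avservice.exe", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"}
{"ts": "2025-11-03T09:21:12", "event": "ProcessTerminate", "image": "C:\\Program Files\\EDR\\sensor.exe", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"}
"""


def parse_records(text):
    """Parse JSON-lines text into a list of event dictionaries."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def driver_load_reasons(rec):
    """Return the reasons a DriverLoad record looks like BYOVD, or [] if none.

    Note that rec["signed"] is deliberately not used to clear a load: BYOVD
    drivers are legitimately signed, so the signature is not exculpatory.
    """
    if rec.get("event") != "DriverLoad":
        return []
    image = rec["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver: {name}")
    if any(frag in image.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append(f"driver loaded from user-writable path: {image}")
    return reasons


def correlate(records, window=timedelta(minutes=5)):
    """Pair each suspicious driver load with process terminations that follow it.

    A suspicious load alone is 'medium'; a load followed within `window` by
    process kills (the pattern the article describes) is raised to 'high'.
    """
    alerts = []
    for rec in records:
        reasons = driver_load_reasons(rec)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(rec["ts"])
        killed = [
            r["image"] for r in records
            if r.get("event") == "ProcessTerminate"
            and t0 <= datetime.fromisoformat(r["ts"]) <= t0 + window
        ]
        alerts.append({
            "driver": rec["image"],
            "reasons": reasons,
            "terminated_after": killed,
            "severity": "high" if killed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

In production the blocklist would be fed from a maintained vulnerable-driver list rather than the three names hard-coded here, and the path heuristic should be tuned to the environment, but the shape of the logic (name match, load location, and what happens in the minutes after the load) is what turns a signed-file blind spot into a detectable sequence.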