Current Cyber Threats

Reynolds: Defense Evasion Capability Embedded in Ransomware Payload

Summary:
In February 2026, the Symantec and Carbon Black Threat Hunter Team identified a sophisticated ransomware campaign initially misattributed to the Black Basta operation due to shared TTPs. An update on February 9, 2026, confirmed the payload belongs to Reynolds, an emergent ransomware family. A defining characteristic of this campaign is the embedding of a "Bring Your Own Vulnerable Driver" (BYOVD) component directly within the ransomware executable (wxt4e.exe), rather than deploying it as a separate tool. This integration allows the Reynolds ransomware to execute a "quieter" and faster attack chain, immediately dropping a vulnerable NsecSoft NSecKrnl driver to terminate critical security processes before encrypting files with the .locked extension. While this technique was previously observed in Ryuk (2020) and Obscura (2025) attacks, its adoption by Reynolds marks a notable evolution in ransomware tradecraft designed to reduce the defender's window of opportunity.

Security Officer Comments:
The campaign is attributed to Reynolds, a newly identified ransomware family.
  • Correction from Symantec: Early analysis linked the activity to the Cardinal cybercriminal group (Black Basta payload) because some of their TTPs were nearly identical.
  • Motive & Trends: The shift toward embedding evasion tools directly into the payload likely signals a strategy to attract affiliates by offering a unique selling point: a simplified, all-in-one attack tool that requires fewer manual steps and drops fewer external files, making the attack stealthier and easier to execute. The technique itself is not new: it was observed over 5 years ago in a Ryuk ransomware attack in 2020, and again in an Obscura ransomware attack in 2025.
  • Technical Threat Vector & Attack Chain: The attack chain is characterized by significant dwell time followed by a rapid, self-contained execution phase.
  • Pre-Infection: A suspicious loader identified as vspmsg.dll was side-loaded on victim networks several weeks prior to the ransomware event, suggesting a long dwell time or a separate initial access phase. A webshell (xxxxx.aspx) was also identified as a potential persistence mechanism.
  • Execution (Embedded BYOVD):
    • Upon execution, the Reynolds payload (wxt4e.exe) drops the vulnerable NsecSoft NSecKrnl driver (402.sys) and creates a service to load it.
    • It exploits CVE-2025-68947, a critical vulnerability in the driver that fails to verify user permissions, allowing a local authenticated attacker to issue IOCTL requests to terminate processes.
  • Targeted Security Processes: The malware targets a comprehensive list of AV and EDR products. Observed targets include:
    • Sophos: Sophos UI.exe, SEDService.exe, SophosHealth.exe, hmpalert.exe.
    • CrowdStrike: CSFalconService.exe.
    • Symantec/Broadcom: ccSvcHst.exe, SymCorpUI.exe, sepWscSvc64.exe.
    • Microsoft: MsMpEng.exe (Windows Defender).
    • ESET: ekrn.exe, egui.exe.
    • Avast: AvastUI.exe, aswEngSrv.exe.
    • Cylance: cydump.exe, cyserver.exe, cytool.exe.
  • Post-Exploitation Persistence: The day after encryption, the remote access tool GotoHTTP (gotohttp.exe) was detected on the network. This is unusual for post-ransomware activity and suggests an attempt to maintain long-term access.
  • Malicious Infrastructure & Tooling: The campaign leverages "living-off-the-land" tactics by weaponizing legitimate, signed drivers. This specific campaign utilized the NsecSoft driver, but other common BYOVD tools mentioned in the broader landscape include TrueSightKiller (truesight.sys), Gmer, Warp AVKiller (using Avira drivers), GhostDriver, Poortry (BurntCigar), and AuKill.
Suggested Corrections:
A full list of IOCs is available in the Symantec blog post.
  • Block the specific NsecSoft NSecKrnl driver identified in this campaign:
    • Hash: 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261
  • Implement the Microsoft Vulnerable Driver Blocklist to prevent the loading of known exploited drivers.
  • Scan for and remediate the identified webshell: e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4 (xxxxx.aspx).
  • Block the execution of GotoHTTP: 230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9.
  • Enable Hypervisor-Protected Code Integrity (HVCI) to prevent the loading of unsigned or blacklisted kernel drivers.
  • Monitor for the creation of new services with names similar to NSecKrnl or associated with temporary driver loading.
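As an added example (not code from the Symantec report or from any vendor), the following PowerShell audit script checks a Windows host against the mitigations listed above: it hashes files under driver and temp directories against the three IoC hashes from this bulletin, reports whether HVCI is running and whether the Microsoft Vulnerable Driver Blocklist policy switch is set, flags kernel-driver service installs (System log Event ID 7045) whose service name resembles NSecKrnl or whose image path is outside the normal driver directory, and lists which of the security processes named in the "Targeted Security Processes" section are not currently running. The scan roots, the registry location of the blocklist switch, the 7045 property ordering, and the list of expected security processes are assumptions to confirm against current Microsoft documentation and adapt to your environment.

```powershell
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# SHA-256 IoC hashes copied from the bulletin above.
$IocHashes = @{
    '206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261' = 'NsecSoft NSecKrnl driver (402.sys)'
    'e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4' = 'webshell (xxxxx.aspx)'
    '230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9' = 'GotoHTTP (gotohttp.exe)'
}

function Find-IocFiles {
    # Hash every file under the given roots and report matches against $IocHashes.
    # The default roots are an assumption; add web roots if you host IIS (for the .aspx IoC).
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", "$env:TEMP"))
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $IocHashes.ContainsKey($h.ToLower())) {
                [pscustomobject]@{ Path = $_.FullName; Hash = $h.ToLower(); Match = $IocHashes[$h.ToLower()] }
            }
        }
    }
}

function Get-DriverProtectionStatus {
    # HVCI state comes from the Device Guard CIM class; value 2 in SecurityServicesRunning means HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)
    # Assumed registry switch for the Microsoft Vulnerable Driver Blocklist (1 = enabled); verify against current docs.
    $ciCfg = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciCfg -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{
        HvciRunning                      = $hvciRunning
        VulnerableDriverBlocklistEnabled = ($blocklist -eq 1)
    }
}

function Get-SuspiciousDriverServices {
    # Event ID 7045 in the System log records every new service install, including kernel-mode drivers.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed property order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
        $name  = [string]$e.Properties[0].Value
        $image = [string]$e.Properties[1].Value
        $type  = [string]$e.Properties[2].Value
        if ($type -notmatch 'driver') { continue }   # only kernel/file-system driver installs are of interest here
        $reasons = @()
        if ($name -match 'nseckrnl')                                  { $reasons += 'service name resembles NSecKrnl' }
        if ($image -match '\\Temp\\|\\AppData\\|\\Users\\|\\ProgramData\\') { $reasons += 'driver image loaded from a user-writable path' }
        if ($image -match '\\\d+\.sys$')                              { $reasons += 'numeric-only driver file name (cf. 402.sys)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $e.TimeCreated; Service = $name; ImagePath = $image; Reasons = ($reasons -join '; ') }
        }
    }
}

function Get-MissingSecurityProcesses {
    # Report which of the expected security processes are not running. The default list is taken from the
    # bulletin's target list (without .exe); trim it to the products actually deployed on this host.
    param([string[]]$Expected = @('MsMpEng', 'CSFalconService', 'ccSvcHst', 'ekrn', 'SEDService', 'aswEngSrv', 'cyserver'))
    $running = (Get-Process -ErrorAction SilentlyContinue).Name
    $Expected | Where-Object { $running -notcontains $_ }
}

Write-Host '== Driver protection status =='
Get-DriverProtectionStatus | Format-List
Write-Host '== IoC file matches =='
Find-IocFiles | Format-Table -AutoSize
Write-Host "== Kernel-driver service installs worth reviewing (Event ID 7045, last 30 days) =="
Get-SuspiciousDriverServices | Format-Table -AutoSize
Write-Host '== Expected security processes not running =='
Get-MissingSecurityProcesses
```

Run it elevated; the Event ID 7045 query and the Device Guard class both require administrator rights. The IoC hash scan is deliberately limited to driver and temp directories so that it completes quickly; a full-disk sweep or an EDR file-hash query is the better tool for the webshell hash on IIS hosts.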
Link(s):
https://www.security.com/threat-intelligence/black-basta-ransomware-byovd

https://x.com/H4ckmanac/status/2021167240930808197