Reynolds Ransomware: BYOVD Abuse of NSecKrnl.sys (CVE-2025-68947) for Kernel-Level Defense Evasion

    Date: 02/25/2026

    Severity: High

    Summary

    Reynolds ransomware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint security controls before file encryption begins. It drops a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 in that driver to gain kernel-level privileges. Running in kernel mode lets the malware terminate security processes and disable real-time protections, which sharply reduces user-mode detection visibility and lets encryption proceed with minimal interference or response time.

    Indicators of Compromise (IOC) List

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("c3bca7c9e5b0d3d9dadcae78ca79ee687c8f93d3e59500e86f03685d9ee4db70","206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261","bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e","6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d","230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9","5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379","e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4")
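    As an added defender-side example (not part of this advisory or of Gurucul's TDIR tooling), the following Python applies the same SHA-256 match as Detection Query 1, plus a driver-name check, to Sysmon driver-load events (Event ID 6). The event lines are constructed; the field names ImageLoaded, Hashes and Signed are Sysmon's own.

```python
"""Flag loads of the vulnerable NSecKrnl.sys driver in Sysmon driver-load
events (Event ID 6). Added example; the sample events below are constructed."""
import json

# SHA-256 IOCs copied from the advisory's Detection Query 1.
IOC_SHA256 = set("""
c3bca7c9e5b0d3d9dadcae78ca79ee687c8f93d3e59500e86f03685d9ee4db70 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261
bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d
230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9 5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379
e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4
""".split())
VULN_DRIVER = "nseckrnl.sys"

def sysmon_hashes(field):
    """Parse Sysmon's 'SHA1=..,SHA256=..' Hashes field into {ALGO: lowercase hex}."""
    pairs = (p.partition("=") for p in field.split(",") if "=" in p)
    return {a.strip().upper(): v.strip().lower() for a, _, v in pairs}

def classify_driver_load(event):
    """Return the reasons a Sysmon EID 6 event matches the advisory's IOCs."""
    reasons = []
    name = event.get("ImageLoaded", "").replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() == VULN_DRIVER:
        reasons.append("image name is NSecKrnl.sys")
    if sysmon_hashes(event.get("Hashes", "")).get("SHA256") in IOC_SHA256:
        reasons.append("SHA256 in IOC list")
    # BYOVD needs a valid signature to get the driver loaded, so a clean
    # Signed flag on a matching driver is confirmation, not an alibi.
    if reasons and str(event.get("Signed", "")).lower() == "true":
        reasons.append("validly signed, consistent with BYOVD")
    return reasons

def scan(lines):
    """Return [(RecordId, reasons)] for every matching EID 6 JSON event line."""
    hits = []
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        if ev.get("EventID") == 6:
            reasons = classify_driver_load(ev)
            if reasons:
                hits.append((ev.get("RecordId"), reasons))
    return hits

# Constructed sample events: record 11 carries an IOC hash (upper-cased, as Sysmon emits it); record 12 is benign.
SAMPLE_LOG = [
    '{"EventID":6,"RecordId":11,"ImageLoaded":"C:\\\\Windows\\\\Temp\\\\NSecKrnl.sys",'
    '"Hashes":"SHA256=6BD8A0291B268D32422139387864F15924E1DB05DBEF8CC75A6677F8263FA11D","Signed":"true"}',
    '{"EventID":6,"RecordId":12,"ImageLoaded":"C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys",'
    '"Hashes":"SHA256=' + "0f" * 32 + '","Signed":"true"}',
]
```

Running `scan(SAMPLE_LOG)` flags record 11 on all three criteria and leaves record 12 alone; the name check catches a renamed-path drop even when the hash is not yet on the IOC list.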

    References:

    https://gurucul.com/blog/reynolds-ransomware-byovd-abuse-of-nseckrnl-sys-cve-2025-68947-for-kernel-level-defense-evasion/#introduction

    https://www.security.com/threat-intelligence/black-basta-ransomware-byovd


    Tags

    Malware, Vulnerability, Ransomware, BYOVD, CVE-2025
