Skip to content
Ransomware group

Reynolds

Reynolds is an emerging ransomware family.

Profile source: Mallory opens in a new tab

Reynolds

Family profile

Reynolds is an emerging ransomware family. Reported behavior shows it encrypts victim files using AES and RSA, appends the ".locked" extension, and drops a ransom note named "___RestoreYourFiles___.txt" (also referenced in reporting as "RestoreYourFiles.txt"). The ransom note instructs victims to contact the operators via qTox and a Tor onion address, gives three days to initiate negotiations, and threatens renewed attacks and data leakage if contact is not made.

A defining characteristic of Reynolds is its built-in Bring Your Own Vulnerable Driver (BYOVD) capability for defense evasion. Researchers reported that the ransomware embeds and drops the signed but vulnerable NsecSoft NSecKrnl kernel driver (NSecKrnl.sys / NsecSoft driver), creates a service to load it, and exploits CVE-2025-68947 to terminate security processes. Reported targets for process termination include products from Microsoft Defender, CrowdStrike, Sophos, Symantec, ESET, Avast, and Palo Alto Networks Cortex XDR, among others. Multiple reports emphasize that this BYOVD component is integrated directly into the ransomware payload rather than deployed as a separate killer tool.

Observed intrusion activity suggests a multi-stage operation. Researchers noted a suspicious side-loaded loader present weeks before ransomware deployment and the GotoHTTP remote access tool found after encryption, indicating the operators may maintain access before and after the ransomware stage. Broadcom researchers initially linked the activity to Black Basta because of similar tradecraft, but later identified Reynolds as a distinct ransomware family. Some public reporting also links the tradecraft to the Silver Fox cluster based on shared use of the NSecKrnl driver, although the content does not establish definitive attribution.

Reported targeting includes organizations with mature security postures across enterprise, government, and critical infrastructure, with incidents noted in the United States and the United Kingdom. Separate reporting states the ransomware appears oriented toward English-speaking users but may spread globally. Mentioned possible delivery vectors include exposed RDP, phishing emails and malicious attachments, exploit-based delivery, deceptive downloads, botnets, malvertising, fake updates, and trojanized installers.

High-confidence indicators and identifiers mentioned in the content include the ".locked" file extension, the ransom note "___RestoreYourFiles___.txt" / "RestoreYourFiles.txt", use of the NSecKrnl vulnerable driver, and a referenced sample with MD5 f0bdb2add62b0196a50e25e45e370cc5, SHA-1 6dae1c4879d951af60f26c56b8701a2c1a8cd550, and SHA-256 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d. Antivirus detections cited in the reporting include Trojan.Encoder.44391, Gen:Heur.Ransom.Imps.1, Win64/Filecoder.Slug.A Trojan, Trojan-Ransom.Win32.Gen.cfmt, Trojan:Win32/Etset!rfn, Ransom.LockFile!8.12D75, Win32.Trojan-Ransom.Gen.Ckjl, and Ransom.Win64.REYNOLDS.THBAABF.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

2 named in public reporting
Black Basta

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Silver Fox

The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools.

Exploited software

Vulnerabilities linked to Reynolds

1 CVEs

MITRE ATT&CK

Reynolds in ATT&CK

4 distinct techniques

Reporting

Research mentioning Reynolds

Apr 8
Id Ransomware

Шифровальщики-вымогатели The Digest "Crypto-Ransomware": Reynolds

Reynolds Ransomware ... Этот крипто-вымогатель шифрует данные пользователей с помощью комбинации алгоритмов AES+RSA, а затем требует выкуп, чтобы вернуть файлы. Используется техника BYOVD (Bring Your Own Verificant Driver) для обхода средств защиты.

Feb 15
Security Affairs

Security Affairs newsletter Round 563 by Pierluigi Paganini - INTERNATIONAL EDITION

Reynolds ransomware uses BYOVD to disable security before encryption

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

...an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component...

Feb 12
Bank Info Security

Breach Roundup: CISA Flags OT Risks After Polish Grid Hack

"A ransomware strain initially linked to Black Basta has been identified as a separate and emerging family known as Reynolds, incorporating defense-evasion capabilities directly into its payload."

Feb 11
Security Affairs

Reynolds ransomware uses BYOVD to disable security before encryption

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Feb 11
Risky Biz Rss

Chinese cyber-spies breached all of Singapore's telcos

There's a new ransomware strain in town named Reynolds.

Feb 11
Rescana

Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools

The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools.

Feb 10
The Hacker News

Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.