Reynolds Ransomware: BYOVD Evasion & NSecKrnl Abuse
ID: 54756e09-1fb0-5d83-9053-3a24f0eea55a
STIX ID: report--54756e09-1fb0-5d83-9053-3a24f0eea55a
Feed Name: Brandefense Blog
Reynolds is a ransomware group first observed in February 2026. It uses BYOVD (bring your own vulnerable driver), abusing a vulnerable NSecKrnl driver tracked as CVE-2025-68947, to terminate security products before encrypting files, which receive a ".locked" extension. The report provides one confirmed victim (business services), detailed IOCs (sample hashes, a driver service whose ImagePath points to C:\ProgramData\402.sys, the ransom note path), YARA detection rules, observed tooling (GotoHTTP, qTox/onion communication), and IR recommendations focused on containment, driver block controls, hunting for suspicious driver installs, and validating backups.
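One way to act on the "hunt for suspicious driver installs" recommendation, as an added example that is not part of the Brandefense report: enumerate kernel driver services whose binary resolves outside the normal Windows driver directories (the reported C:\ProgramData\402.sys ImagePath is exactly this pattern) and list recent driver-service installations from the System event log. The allowed roots and the 7-day window are assumptions; legitimate third-party drivers can live elsewhere, so treat hits as triage leads rather than verdicts.

```powershell
# Hunting helper for BYOVD-style driver drops (added example, not from the report).
# Run in an elevated PowerShell session on the host being triaged.

# Assumed allowlist of directories where kernel drivers are normally installed.
$AllowedRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore"
)

# Normalise the various ImagePath spellings WMI returns (\??\C:\..., \SystemRoot\..., quoted).
function Resolve-DriverPath([string]$PathName) {
    $p = $PathName -replace '^"|"$', ''
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

# Kernel driver services whose image lives outside the allowed directories,
# e.g. a service pointing at C:\ProgramData\402.sys.
function Get-SuspiciousDriverServices {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $inAllowed = $AllowedRoots | Where-Object { $path -like "$_\*" }
        if ($path -and -not $inAllowed) {
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode; ImagePath = $path
            }
        }
    }
}

# Recent service installs (System log, Event ID 7045) that registered a kernel-mode driver.
# EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
function Get-RecentDriverInstalls([int]$Days = 7) {
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        if ($p[2].Value -like '*kernel*') {
            [pscustomobject]@{
                Time = $_.TimeCreated; Service = $p[0].Value
                ImagePath = $p[1].Value; InstalledBy = $p[4].Value
            }
        }
    }
}

Get-SuspiciousDriverServices | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 7 | Format-Table -AutoSize
```

Any hit whose ImagePath sits under a user-writable location such as C:\ProgramData, or whose install time coincides with security tooling going silent, should be pulled for hash comparison against the report's IOCs and checked against the driver block list.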
