{
	"id": "e7394ebd-4b86-4a7f-a3ec-b39378fdf0ef",
	"created_at": "2026-04-06T00:13:55.568885Z",
	"updated_at": "2026-04-10T03:20:03.145916Z",
	"deleted_at": null,
	"sha1_hash": "569e10e9a10768b606d78031841925d47690fe79",
	"title": "Reynolds: Defense Evasion Capability Embedded in Ransomware Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61228,
	"plain_text": "Reynolds: Defense Evasion Capability Embedded in Ransomware Payload\r\nArchived: 2026-04-05 18:58:01 UTC\r\nUpdate, February 9 2026: An earlier version of this blog stated that the ransomware payload used was Black Basta. That attribution was based on similarities in TTPs. After further analysis, we have concluded that the payload used was Reynolds, an emergent ransomware family.\r\nA recent Reynolds ransomware campaign was notable because the bring-your-own-vulnerable-driver (BYOVD) defense evasion component was embedded within the ransomware payload itself.\r\nNormally the BYOVD component of an attack is a distinct tool, deployed on the system before the ransomware payload in order to disable security software. In this attack, however, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware executable itself.\r\nBYOVD is currently by far the most frequently used technique for defense impairment. Attackers typically deploy a legitimately signed but vulnerable driver to the target network and then abuse it to obtain kernel-level capabilities (loading a driver already requires administrative rights, so what the driver adds is kernel-mode reach, not the initial privilege) and disable security software. Because the driver runs in kernel mode, it can terminate processes that user-mode code cannot, including protected anti-malware processes, which makes it an effective tool for disrupting security controls. In most cases the vulnerable driver is deployed alongside a malicious user-mode executable that loads the driver and issues commands to it.\r\nBundling a defense evasion component within the ransomware itself is not entirely novel, but it is unusual and not what we typically see ransomware actors doing today. It was previously seen in a Ryuk ransomware attack in 2020, as well as in a 2025 attack in which a little-known ransomware called Obscura was deployed. 
\r\nRecent activity\r\nThe ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and attempts to create an NSecKrnl service to load it. The driver is then exploited to attempt to kill security-related processes. It targets the following processes (reproduced as listed, including a repeated entry): \r\n\"Sophos UI.exe\"\r\n\"SEDService.exe\"\r\n\"SophosHealth.exe\"\r\n\"SophosFS.exe\"\r\n\"SSPService.exe\"\r\n\"SophosFileScanner.exe\"\r\nhttps://www.security.com/threat-intelligence/black-basta-ransomware-byovd\r\nPage 1 of 5\n\n\"McsAgent.exe\"\r\n\"McsClient.exe\"\r\n\"SophosLiveQueryService.exe\"\r\n\"SophosNetFilter.exe\"\r\n\"SophosNtpService.exe\"\r\n\"hmpalert.exe\"\r\n\"Sophos.Encryption.BitLockerService.exe\"\r\n\"SophosOsquery.exe\"\r\n\"ccSvcHst.exe\"\r\n\"SymCorpUI.exe\"\r\n\"SISIPSService.exe\"\r\n\"SISIDSService.exe\"\r\n\"SmcGui.exe\"\r\n\"sisipsutil.exe\"\r\n\"sepWscSvc64.exe\"\r\n\"MsMpEng.exe\"\r\n\"CSFalconService.exe\"\r\n\"cydump.exe\"\r\n\"cyreport.exe\"\r\n\"cyrestart.exe\"\r\n\"cyrprtui.exe\"\r\n\"cyserver.exe\"\r\n\"cytool.exe\"\r\n\"cytray.exe\"\r\n\"cyuserserver.exe\"\r\n\"CyveraConsole.exe\"\r\n\"tlaworker.exe\"\r\n\"ekrn.exe\"\r\n\"eguiProxy.exe\\t\"\r\n\"egui.exe\"\r\n\"aswEngSrv.exe\"\r\n\"aswidsagent.exe\"\r\n\"AvastUI.exe\"\r\n\"ccSvcHst.exe\"\r\nThe ransomware payload appends the “.locked” extension to files it encrypts.\r\nThe NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947): it does not verify that the caller has sufficient privileges before executing the requested command. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver. Because the termination is carried out in kernel mode, the Protected Process Light (PPL) protection that normally shields anti-malware services from user-mode tampering offers no defense; detection therefore has to key on the driver service being created and on the resulting cluster of security-process exits rather than on the kill itself. 
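The following is an added example by the editor, not code from the security.com post or from Symantec, showing one way to turn the sequence described above into detection logic: a kernel driver service created from an unusual path or carrying the known-bad NSecKrnl hash, followed within a short window by terminations of processes on the payload's target list. The event records are constructed for the example and loosely mimic Windows System event 7045 (service installed) and Sysmon event 5 (process terminated); the field names (host, ts, event_id, service_name, service_type, image_path, sha256, image), the trusted-directory list, the 120-second window and the three-kill threshold are assumptions of the example, not any product's schema.

```python
# Added example by the editor, not code from the security.com post: flag the
# BYOVD sequence described above (suspicious kernel driver service, then a burst
# of security-process terminations on the same host). Event dicts, field names,
# the trusted directory list and the time window are assumptions of this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the process names the Reynolds payload tries to kill (from the list above).
TARGET_PROCESSES = {
    'sophoshealth.exe', 'sophosfilescanner.exe', 'mcsagent.exe', 'hmpalert.exe',
    'ccsvchst.exe', 'msmpeng.exe', 'csfalconservice.exe', 'cyserver.exe',
    'ekrn.exe', 'aswengsrv.exe',
}
# SHA-256 of the vulnerable NSecKrnl driver (402.sys) from the IOC list in this post.
KNOWN_BAD_DRIVERS = {'206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261'}
# Directories a properly installed driver normally loads from (assumption: tune per estate).
TRUSTED_DRIVER_DIRS = ('c:/windows/system32/drivers/', 'c:/windows/system32/driverstore/')


def norm_path(path):
    # Real event data uses backslashes and may carry the NT object-manager prefix;
    # fold both to a lower-case forward-slash form so comparisons stay simple.
    return path.replace(chr(92), '/').lower().lstrip('?/')


def is_suspicious_driver(ev):
    # Any one of: known-bad hash, the service name used by the payload, or a load
    # path outside the usual driver directories (e.g. a user-writable folder).
    if ev.get('sha256', '').lower() in KNOWN_BAD_DRIVERS:
        return True
    if ev.get('service_name', '').lower() == 'nseckrnl':
        return True
    return not norm_path(ev['image_path']).startswith(TRUSTED_DRIVER_DIRS)


def _alert(host, driver, kills):
    return {'host': host, 'driver': driver['image_path'],
            'service': driver.get('service_name'), 'killed': list(kills)}


def detect_byovd_kills(events, window=timedelta(seconds=120), min_kills=3):
    '''Return one alert per suspicious driver install that is followed, within
    window, by at least min_kills terminations of processes in TARGET_PROCESSES.'''
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e['ts']):
        by_host[ev['host']].append(ev)
    alerts = []
    for host, evs in by_host.items():
        driver, kills = None, []
        for ev in evs:
            if ev['event_id'] == 7045 and ev.get('service_type') == 'kernel mode driver':
                if not is_suspicious_driver(ev):
                    continue
                if driver is not None and len(kills) >= min_kills:
                    alerts.append(_alert(host, driver, kills))
                driver, kills = ev, []
            elif ev['event_id'] == 5 and driver is not None:
                name = norm_path(ev['image']).rsplit('/', 1)[-1]
                if name in TARGET_PROCESSES and ev['ts'] - driver['ts'] <= window:
                    kills.append(name)
        if driver is not None and len(kills) >= min_kills:
            alerts.append(_alert(host, driver, kills))
    return alerts


T0 = datetime(2026, 1, 20, 3, 14, 0)
# Constructed sample telemetry, not real logs. Paths use forward slashes only to
# keep this listing free of escape characters; norm_path accepts either form.
SAMPLE_EVENTS = [
    # ws-a: driver service created from a user-writable folder, then EDR processes die.
    {'host': 'ws-a', 'ts': T0, 'event_id': 7045, 'service_name': 'NSecKrnl',
     'service_type': 'kernel mode driver', 'image_path': 'C:/Users/Public/402.sys',
     'sha256': '206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261'},
    {'host': 'ws-a', 'ts': T0 + timedelta(seconds=2), 'event_id': 5,
     'image': 'C:/Program Files/Sophos/Health/SophosHealth.exe'},
    {'host': 'ws-a', 'ts': T0 + timedelta(seconds=2), 'event_id': 5,
     'image': 'C:/Program Files/Sophos/Endpoint Defense/SophosFileScanner.exe'},
    {'host': 'ws-a', 'ts': T0 + timedelta(seconds=3), 'event_id': 5,
     'image': 'C:/ProgramData/Microsoft/Windows Defender/Platform/4.18.26010/MsMpEng.exe'},
    {'host': 'ws-a', 'ts': T0 + timedelta(seconds=3), 'event_id': 5,
     'image': 'C:/Windows/System32/notepad.exe'},
    # ws-b: a driver installed from System32 and a single AV process exit; no alert.
    {'host': 'ws-b', 'ts': T0, 'event_id': 7045, 'service_name': 'nvlddmkm',
     'service_type': 'kernel mode driver',
     'image_path': 'C:/Windows/System32/drivers/nvlddmkm.sys', 'sha256': 'aa' * 32},
    {'host': 'ws-b', 'ts': T0 + timedelta(seconds=30), 'event_id': 5,
     'image': 'C:/Program Files/Sophos/Health/SophosHealth.exe'},
]

if __name__ == '__main__':
    for a in detect_byovd_kills(SAMPLE_EVENTS):
        print(a)
```

Run as a script it prints one alert for ws-a and nothing for ws-b. Against real telemetry, widen TARGET_PROCESSES to the full list above and feed parsed events; hosts without Sysmon can substitute Security event 4689 (process exited), which carries the process name in the same way. The window and threshold are deliberately tight because, as the post notes, the kills here follow the driver load immediately.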
\r\nAlso of note in this campaign was the presence of a suspicious side-loaded loader on the target’s network several weeks before the ransomware was deployed. It is not certain that this was linked to the subsequent ransomware activity, but if it was, it points to a long dwell time for the attackers.\r\nThe GotoHTTP remote access tool was also found on some machines on the target network the day after the ransomware was deployed. It is relatively unusual to see attacker activity on the victim network after ransomware deployment. This could be unrelated to the ransomware activity, but it could also point to an attempt by the attackers to maintain persistent access to the network even after the ransomware was deployed.\r\nDefense evasion: A key step in ransomware attacks\r\nThe impairment of defenses, usually by attempting to disable antivirus (AV) or endpoint detection and response (EDR) products, is a key part of ransomware attacks in 2026. Ransomware actors have added this step to their playbooks in a bid to evade detection prior to the deployment of a file-encrypting payload.\r\nThe use of impairment techniques and tools has risen markedly among ransomware actors over the past two years, most likely in response to vendors improving their ability to identify the patterns of malicious activity that precede ransomware deployment.\r\nBy far the most frequently used technique for defense impairment is BYOVD. Attackers generally deploy a signed vulnerable driver to the target network, which they then exploit to obtain kernel-level capabilities and disable security software. These drivers are considered “vulnerable” because it should not be possible to use them in this way: a correctly written driver contains safeguards to ensure it only acts on legitimate requests from authorized software, for example by restricting which callers may open its device object and by refusing to act on protected processes. 
However, when these drivers fall into the wrong hands, they effectively become tools for privilege escalation.\r\nBYOVD is popular with attackers due to its effectiveness and its reliance on legitimate, signed files, which are less likely to raise red flags. A wide range of drivers have been used in such attacks, with anti-rootkit drivers developed by security vendors among the most commonly exploited. Popular BYOVD tools frequently used by attackers include:\r\nTrueSightKiller: A publicly available tool that leverages a vulnerable driver named truesight.sys.\r\nGmer: A rootkit scanner whose driver can be used to kill processes.\r\nWarp AVKiller: A variant of a Go-based information-stealing threat called Warp Stealer, which appears to be used only to bypass security products. It uses a vulnerable Avira anti-rootkit driver to disable security products.\r\nGhostDriver: A publicly available tool that leverages vulnerable drivers to kill processes.\r\nPoortry (aka BurntCigar): A malicious driver documented by Sophos that is frequently employed alongside a loader known as Stonestop. Unlike most drivers abused in BYOVD attacks, Poortry may have been developed by the attackers themselves, who then succeeded in getting it signed.\r\nAuKill: A tool documented by Sophos that uses an outdated version of the driver shipped with the Microsoft utility Process Explorer to disable EDR processes.\r\nAttackers also use living-off-the-land techniques, relying on common Windows utilities, to disable security software, particularly Windows Defender. However, there is no doubt that BYOVD is the most common defense evasion tool we see used by ransomware actors today.\r\nWill this tactic be adopted by more ransomware actors?\r\nThe question raised by this recent activity is whether this tactic is likely to be adopted by more ransomware actors, and what advantages it might bring them. 
\r\nThe reasons ransomware actors might wrap the defense evasion capability into the ransomware payload include the fact that packaging the two together is quieter: no separate tool has to be staged on the victim network ahead of the payload (the driver is still written to disk, but only at the moment the ransomware runs). It may also speed up the attack. If there is no gap between the defense evasion tool being deployed and the ransomware being dropped, defenders have no window in which to stop the attack; in the usual two-stage scenario, a suspicious driver appearing on a system may give them time to intervene before the ransomware is deployed.\r\nEmbedding more capabilities into the ransomware payload itself may also serve as a unique selling point for ransomware developers attempting to attract affiliates. Additional capabilities bundled with the payload make an attack easier to carry out, as it requires fewer steps, potentially making such a payload more attractive to affiliates.\r\nIt will be interesting to see whether more ransomware families begin embedding additional capabilities, such as defense evasion, in their payloads in the future. 
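As an added example by the editor, not code from the security.com post or from Symantec, the block below parses the Indicators of Compromise list that closes this post into structured records and hashes every file under a directory tree against them, reporting both exact SHA-256 matches and files that merely share an IOC file name (worth triage, since actors recompile and rename). The line format it parses is the one printed in the post (hash, separator, label, optional separator and file names); the directory fixture built in demo() is constructed, and the extra hash it plants is not a real indicator.

```python
# Added example by the editor, not code from the security.com post: parse the
# Indicators of Compromise list at the end of this post and hunt a directory
# tree for files matching it by SHA-256 (definite) or by file name only (triage).
import hashlib
import os
import shutil
import tempfile

# The IOC lines as printed in the post; the GotoHTTP line uses a plain hyphen there.
IOC_TEXT = '''
5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379 – Suspicious file
e09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4 – Webshell – xxxxx.aspx
bf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e – Loader – vspmsg.dll
6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d – Reynolds ransomware – wxt4e.exe, wxt4e.txt
206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 – Vulnerable NsecSoft NSecKrnl Driver – 402.sys
230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9 - GotoHTTP - gotohttp.exe
'''

HEX = set('0123456789abcdef')


def parse_ioc_list(text):
    '''Map sha256 -> {label, names} from lines of the form
    <sha256> <dash> <label> [<dash> <name>[, <name>...]]. Lines without a valid
    64-hex-digit hash are skipped rather than guessed at.'''
    iocs = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().replace(' - ', ' – ').split(' – ')]
        digest = parts[0].lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            continue
        label = parts[1] if len(parts) > 1 else 'unlabelled'
        names = [n.strip() for n in parts[2].split(',')] if len(parts) > 2 else []
        iocs[digest] = {'label': label, 'names': names}
    return iocs


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def hunt(root, iocs):
    '''Walk root. Returns (hash_hits, name_hits) as lists of (path, sha256, label).
    A name hit is a file that shares an IOC file name but not its hash; actors
    recompile and rename, so these are worth a look but are not confirmed.'''
    by_name = {n.lower(): h for h, rec in iocs.items() for n in rec['names']}
    hash_hits, name_hits = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished mid-walk; keep going
            if digest in iocs:
                hash_hits.append((path, digest, iocs[digest]['label']))
            elif fn.lower() in by_name:
                name_hits.append((path, digest, iocs[by_name[fn.lower()]]['label']))
    return hash_hits, name_hits


def demo():
    # Constructed fixture: one benign file, one that only borrows the name 402.sys,
    # and one whose hash is added as a planted (not real) IOC so a hash hit occurs.
    root = tempfile.mkdtemp()
    try:
        iocs = parse_ioc_list(IOC_TEXT)
        planted = b'constructed sample, not a real artefact'
        for name, data in (('notes.txt', b'nothing to see'),
                           ('402.sys', b'not the real driver'),
                           ('sample.bin', planted)):
            with open(os.path.join(root, name), 'wb') as f:
                f.write(data)
        iocs[hashlib.sha256(planted).hexdigest()] = {'label': 'Planted test IOC', 'names': []}
        return hunt(root, iocs)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    hits, maybes = demo()
    print('hash hits:', hits)
    print('name-only hits:', maybes)
```

Point hunt() at a mounted disk image or an administrative share rather than a live system drive where possible; hashing every file is slow on large trees, so in practice filter os.walk to the user-writable and temp locations where droppers and drivers like 402.sys tend to land.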
\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nGeneric controls that blunt BYOVD regardless of the specific driver: enforce the Microsoft vulnerable driver blocklist (available via memory integrity/HVCI or an explicit WDAC policy) so that known-bad signed drivers fail to load, and alert on kernel driver services being registered from user-writable paths, since that is the step this payload cannot avoid.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\n5213706ae67a7bf9fa2c0ea5800a4c358b0eaf3fe8481be13422d57a0f192379 – Suspicious file\r\ne09686fde44ae5a804d9546105ebf5d2832917df25d6888aefa36a1769fe4eb4 – Webshell – xxxxx.aspx\r\nbf6686858109d695ccdabce78c873d07fa740f025c45241b0122cecbdd76b54e – Loader – vspmsg.dll\r\n6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d – Reynolds ransomware – wxt4e.exe, wxt4e.txt\r\n206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 – Vulnerable NsecSoft NSecKrnl Driver – 402.sys\r\n230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9 – GotoHTTP – gotohttp.exe\r\nSource: https://www.security.com/threat-intelligence/black-basta-ransomware-byovd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.security.com/threat-intelligence/black-basta-ransomware-byovd"
	],
	"report_names": [
		"black-basta-ransomware-byovd"
	],
	"threat_actors": [],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/569e10e9a10768b606d78031841925d47690fe79.pdf",
		"text": "https://archive.orkl.eu/569e10e9a10768b606d78031841925d47690fe79.txt",
		"img": "https://archive.orkl.eu/569e10e9a10768b606d78031841925d47690fe79.jpg"
	}
}