Reynolds Ransomware: BYOVD Evasion & NSecKrnl Abuse

Why this matters?

A new ransomware group tracked as “Reynolds” emerged in February 2026 and is reported to use Bring Your Own Vulnerable Driver (BYOVD) technique to disable security controls before encryption, thereby significantly increasing its chances of success even in well-equipped environments.

What to expect if this hits you?

• Security tooling disruption (EDR/AV termination) prior to encryption via a vulnerable Kernel driver.
• Encryption + pressure tactics (leak-site negotiation), with a clear victim communication path via Tox/onion
• Operational impact: reduced visibility at the worst possible time (pre-encryption window).

What we know about Reynolds?

Observed targeting:

• There is currently one known victim of the Reynolds Ransomware Group.
  • Victim: falconmgt.com
  • Victim’s Sector: Business Services
  • Discovered on 2026-02-11
  • Estimated attack date of 2025-11-13
• The Reynolds Ransomware Group publishes its victims via a Tor onion address.

Known highlighted tactics:

• BYOVD (Build Your Own Vulnerable Driver) uses the NSecKrnl driver to terminate security products/evade detection.
• Our findings attribute this to CVE-2025-68947 in the NSecKrnl driver.
• Encrypted files with the “.locked” extension have been observed.
• Observed techniques include the use of the GotoHTTP remote access tool.

Technical Summary

Execution Chain:

• Privilege & driver load:  activity consistent with enabling/loading a Kernel driver (requires SeLoadDriverPrivilege).
• Driver-based tampering (BYOVD): vulnerable driver used to terminate/neutralize security processes.
•  Encryption + artifacts: files renamed with an added extension and ransom note dropped.
• Victim communications: ransom note points to a Tor onion site and a Tox ID.

IR Priorities (what to do first?)

• Containment: isolate affected hosts quickly (driver-based EDR tampering may reduce telemetry).
• Driver abuse hunting: look for new/unknown driver installs, service creation and suspicious “ImagePath” pointing into user-writable locations:
• Validate backups & recovery: expect “fast-impact” behavior once security is degraded.

What CISOs should ask their teams?

• Are we enforcing driver block controls (e.g., WDAC / vulnerable driver block lists / HVCI where feasible) ?
• Are we receiving alerts regarding service creation for drivers and registry changes under SYSTEM\ControlSet\Services\* ?
• If EDER fails, do we have “emergency” visibility (off-band logging, network telemetry, immutable backups) ?

Technical Indicators (Hashes/IOCs/Detection References)

Sample Hashes

Primary Sample:

MD5	f7d7377b17fc4cdcbb783cc090d6e983
SHA1	03fe81be332f81a0fc590961109e7e2e8c9ad4fa
SHA256	5100e19d229de04b5028cc0c00bfa9f5904b0a5f0e1ae49828580d0973548ac5

Dropped Ransom Note:

File Path Observed	C:\Recovery\WindowsRE\___RestoreYourFiles___.txt
MD5	d04b68674d2cebb154a0fca7013260a1
SHA256	f7a4cfdd1c855a9f399661cfae39ca0c9cf23ae66a97e14a2063f61a2c3a0806

File / Registry IOCs

Driver-related

• Driver file path observed in registry: \??\C:\ProgramData\402.sys
• Service key: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\NSecKrnl\ImagePath → \??\C:\ProgramData\402.sys

Ransom note filename:

• ___RestoreYourFiles___.txt

Processes

C:\Users\Admin\AppData\Local\Temp\6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d.exe                             PID:3348

“C:\Users\Admin\AppData\Local\Temp\6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d.exe”

Sets service image path in registry

Drops startup file

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

————

C:\Windows\system32\svchost.exe                   PID:3612

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe                             PID:2592

“C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe” -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

———-

Downloads

C:\Recovery\WindowsRE\___RestoreYourFiles___.txt

Filesize	812B
MD5	554da156863a1e3eb6c4d511e6bb8844
SHA1	1f25bc43a002700b2183b7cf06d3ea8f4f710193
SHA256	c3bca7c9e5b0d3d9dadcae78ca79ee687c8f93d3e59500e86f03685d9ee4db70
SHA512	952011d94feb09d3ae5c7bd876acc50f93d23090c4e6a2c982872a5e95c7d83

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize	15KB
MD5	ca9815189bc1630cd67d7d825bb4011c
SHA1	53f46cd7c4f0520b0a816406a5e1bd8208e08501
SHA256	fe841fe36933b3fc54c75a7ee1065af796a927f97e30c5c343203432cd4bf953
SHA512	76616328285fc1c26d4a744dcbf9b3b020792442112d7cebfe7560ca59cc517dc91d2ff5fda8bed70207f94b7eb4bd319ce72f7dba05f77394a6e3dd2295c3d7

Ransom Note

Yara Rule

/*

  Brandefense

  Reynolds (Feb 2026) - Ransom note + ransomware/BYOVD

*/

import "pe"

rule RANSOM_Reynolds_RansomNote___RestoreYourFiles___Feb2026

{

  meta:

    author = "Brandefense"

    description = "Detects Reynolds ransom note (___RestoreYourFiles___.txt) with qTox poison ID and onion portal"

    date = "2026-02-18"

  strings:

    $s1 = "All your important files have been encrypted!" ascii nocase

    $s2 = "You have 3 days to contact us for negotiation." ascii nocase

    $s3 = "Contact our qtox." ascii nocase

    $s4 = "Our poison ID:" ascii nocase

    $s5 = "Note that this server is available via Tor browser only" ascii nocase

    $tox = "6F7831EBB5EEB933275BD6F4B4AA888918E9B7E40454A477CADDE7EE02461153D3B77AE50798" ascii

    $onion = "bs2tlg32pfjwmclm22cyngqmoo24cdlhfxzbruwrdaxumisfeory32qd.onion" ascii

    $fname = "___RestoreYourFiles___" ascii

  condition:

    filesize < 50KB and

    $tox and $onion and

    2 of ($s1,$s2,$s3,$s4,$s5,$fname)

}

rule Reynolds_Ransomware_BYOVD_NSecKrnl_Feb2026

{

  meta:

    author = "Brandefense"

    description = "Detection Rule for Reynolds ransomware family with bundled BYOVD/NSecKrnl activity and ransom-note artifacts"

    date = "2026-02-18"

  strings:

    /* BYOVD / driver-load related artifacts (observed behavior) */

    $reg_service = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\NSecKrnl\\ImagePath" ascii wide

    $svc_name    = "NSecKrnl" ascii wide

    $driver_path = "\\??\\C:\\ProgramData\\402.sys" ascii wide

    $priv        = "SeLoadDriverPrivilege" ascii wide

    /* Ransom-note payload artifacts (often embedded for drop) */

    $note_name = "___RestoreYourFiles___" ascii wide

    $note_line = "All your important files have been encrypted!" ascii nocase

    $tox = "6F7831EBB5EEB933275BD6F4B4AA888918E9B7E40454A477CADDE7EE02461153D3B77AE50798" ascii

    $onion = "bs2tlg32pfjwmclm22cyngqmoo24cdlhfxzbruwrdaxumisfeory32qd.onion" ascii

  condition:

    uint16(0) == 0x5A4D and pe.is_pe and pe.is_64bit() and

    (

      /* strong BYOVD signal */

      2 of ($reg_service,$svc_name,$driver_path,$priv)

    ) and

    (

      /* tie-back to Reynolds note/portal */

      $note_name or $note_line or ($tox and $onion)

    )

}