The Reveal Platform
Reynolds Ransomware employs a Bring Your Own Vulnerable Driver (BYOVD) strategy to disable endpoint defenses before initiating encryption. The malware embeds a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 to obtain kernel-level privileges.
By achieving kernel-mode execution, Reynolds is able to programmatically terminate endpoint protection processes and disable real-time monitoring controls, executing its encryption routine with a reduced user-mode detection surface and limited response opportunity.
Its attack progression can be summarized as follows:
Reynolds carries an embedded copy of NSecKrnl.sys within its package. Upon execution, the driver is dropped to disk and loaded into the system, eliminating reliance on pre-existing vulnerable drivers on the victim host.
Using crafted IOCTL requests, the malware abuses CVE-2025-68947 to escalate privileges to kernel level, enabling high-privilege operations beyond user-mode restrictions.
With kernel access established, Reynolds forcefully terminates targeted Anti-Virus (AV) and Endpoint Detection and Response (EDR) processes, effectively impairing monitoring and response mechanisms.
Once defenses are neutralized, the ransomware proceeds with multi-threaded hybrid encryption across local and network drives, appending the .locked extension and deploying ransom instructions.
This embedded-driver approach represents a deliberate evolution in ransomware tradecraft, prioritizing pre-encryption defense evasion to maximize operational impact.
Unlike conventional ransomware relying solely on user-mode evasion, Reynolds embeds its own copy of a vulnerable signed driver:
C:\ProgramData\402.sysThis eliminates dependency on a pre-installed vulnerable driver.
Unlike conventional BYOVD attacks that depend on the presence of a vulnerable driver already installed on the victim’s machine, Reynolds ransomware carries its own embedded copy of NSecKrnl.sys within the malware package. Upon execution, the driver is written to “C:\ProgramData\402.sys(NSeckrnl.sys)” as shown in above image and loaded directly into the system as shown in below image.
The malware drops the driver to disk under the name 402.sys as a simple obfuscation and evasion technique. However, once the driver is loaded, Windows displays it as Nseckrnl.sys because that is the internal driver or service name embedded within the binary and registered during the loading process.
Such discrepancies between the on-disk filename and the internal driver name are common in malicious drivers. This tactic helps evade basic detection mechanisms and allows the malware to masquerade as a legitimate system component, increasing the likelihood that it will go unnoticed.
The Reynolds ransomware is targeting a broad range of enterprise security vendors including
Sophos, Symantec, Microsoft Defender, CrowdStrike, Cylance, Trend Micro, ESET, Avast.
Below is the list of specific process names identified as being targeted by the malware.
| Sophos UI.exe | SEDService.exe | SophosHealth.exe | SophosFS.exe |
| SophosFileScanner.exe | McsAgent.exe | McsClient.exe | SophosLiveQueryService.exe |
| SophosNtpService.exe | hmpalert.exe | Sophos.Encryption.BitLockerService.exe | SophosOsquery.exe |
| SymCorpUI.exe | SISIPSService.exe | SISIDSService.exe | SmcGui.exe |
| sepWscSvc64.exe | MsMpEng.exe | CSFalconService.exe | cydump.exe |
| cyrestart.exe | cyrprtui.exe | cyserver.exe | cytool.exe |
| cyuserserver.exe | CyveraConsole.exe | tlaworker.exe | ekrn.exe |
| egui.exe | aswEngSrv.exe | aswidsagent.exe | AvastUI.exe |
| SSPService.exe | SophosNetFilter.exe | ccSvcHst.exe | sisipsutil.exe |
| cyreport.exe | cytray.exe | eguiProxy.exe |
Reynolds ransomware uses the Windows API function CreateFileW(L”\\\\.\\NSecKrnl”, …) to obtain a handle to a device object exposed by a driver named NSecKrnl. The \\\\.\\ prefix indicates communication with a kernel-mode driver rather than a regular file. Once the handle is acquired, the malware invokes DeviceIoControl() to send custom I/O control (IOCTL) codes to the driver. These crafted IOCTL requests instruct the driver to perform kernel-mode process termination operations against targeted security services, particularly Endpoint Detection and Response (EDR) and other security-related services.
The following demonstration illustrates a proof-of-concept invocation, a custom tool (NSec-Killer.exe) loads a driver (NSecKrnl.sys) and terminates the msmpeng.exe process, which belongs to Microsoft Defender Antivirus.
The console output confirms the driver service started successfully and the process was terminated.
Windows Security displays “Threat service has stopped”, indicating that real-time protection is disabled.
The code dynamically reconstructs and resolves the Windows APIs OpenProcess, Process32FirstW, and Process32NextW at runtime to enumerate active processes. It leverages CreateToolhelp32Snapshot to obtain a system-wide process snapshot and iterates through each entry, comparing process names against a specified target to identify the corresponding PID. The retrieved PID is supplied to DeviceIoControl() enabling a driver-assisted operation such as process termination against the targeted process.
The sample employs dynamic API resolution through runtime string reconstruction and GetProcAddress-based function pointer invocation to reduce static detection artifacts.
The malware systematically enumerates all accessible drives on the system, excluding CD-ROM drives (DRIVE_CDROM) and unknown media types (DRIVE_UNKNOWN). It uses GetLogicalDrives() to retrieve available drive letters and GetDriveType to determine the type of each drive.
If the drive type is identified as DRIVE_REMOTE (network drive), the malware calls WNetGetConnectionW to resolve the corresponding UNC path of the shared resource. This ensures it targets the actual network location rather than just the mapped drive letter. For local drives, it directly uses the drive root path for file processing.
By encrypting files across both local and network-mounted drives, the malware maximizes impact and extends damage beyond a single machine. This comprehensive storage targeting is a strategy designed to affect shared organizational data and increase pressure on victims.
GetSystemInfo() is a Windows API that retrieves hardware details, including the number of logical CPU cores (dwNumberOfProcessors). Ransomware uses it to determine how many worker threads to create. It creates “2 × the_core_count” threads to maximize CPU usage and encrypt files faster before detection.
One of the reasons Reynolds Ransomware encrypts victim environments so quickly is its ability to use multithreading to speed up file encryption by creating multiple worker threads based on the system’s CPU core count. The code responsible for this behavior as shown in Fig 8 acts as the ransomware’s custom thread pool manager.
Instead of relying on a single-threaded encryption routine, Reynolds ransomware intelligently distributes the file encryption mechanism across multiple threads.
This achieves critical goals:
Modern ransomware increasingly abuses legitimate Windows components to improve encryption efficiency and bypass file locks. One such component is Restart Manager, implemented in rstrtmgr.dll.
Restart Manager was designed to identify processes which are holding locks on specific files so that applications can request those processes to release resources. However, ransomware operators have repurposed this functionality to unlock files that are actively in use such as databases, documents, or server-side applications before encrypting them.
The Reynolds ransomware implements HC-128 directly in its code as a symmetric stream cipher to encrypt file contents, rather than relying on an external cryptographic library. It also embeds its own implementation of Curve25519 (X25519) for elliptic curve–based key exchange, instead of calling standard ECC APIs.
This design follows a typical hybrid encryption model used in modern ransomware: the asymmetric ECC component securely generates or protects the encryption key, while the high-performance symmetric cipher handles bulk file encryption. By combining these two mechanisms, the malware achieves both strong cryptographic security and efficient processing speed.
Within fun_1400050c0, Reynolds processes smaller files across their full length but implements an intermittent block-level encryption pattern, encrypting 0x40 bytes and then skipping 0x40 bytes in a continuous loop. The same alternating block mechanism is applied inside each designated 1 MB chunk for larger files. This design accelerates the encryption process while still causing sufficient file corruption to render recovery impractical.
| File Size Range | Encryption Strategy | Amount Encrypted | Percentage Encrypted | Impact |
| < 5 MB | Intermittent (striped) | Alternative 0x40 bytes are encrypted | ~50% | Partial file encryption |
| 5 MB – 20 MB | Partial – 3 chunks | 3 × 1 MB chunks evenly spaced | 15% – 20% | Strategic sections encrypted |
| > 20 MB | Partial – intermittent | 1 MB per every 10 MB | ~5% | Minimal encryption for speed |
The ransomware implements a predefined exclusion list to avoid encrypting specific system-critical directories and files. This selective approach helps maintain system stability and ensures the malware can complete execution without disrupting essential operating system components.
Encrypted files are renamed by the appending “.locked” extension, and a ransom note titled “RestoreYourFiles.txt” is placed in every affected directory.
Skips “.exe”, “.dll” :- It avoids encrypting “.exe” and “.dll” files to prevent breaking executable programs and critical system components, ensuring the system remains functional so the ransomware operator can maintain communication with the victim.
Skips “.sys” :- It skips encrypting kernel drivers and critical system files to prevent Windows from crashing before the encryption process finishes including potentially its own dropped driver(402.sys).
Skips “.locked” :- It ignores files that are already encrypted to prevent encrypting them a second time.
The ransom note displayed in Fig 12 (__RestoreYourFiles__.txt) provides instructions for victims to establish contact with the threat actors for data recovery. A copy of the note is systematically dropped into every directory containing encrypted files and is also placed on the victim’s desktop to ensure maximum visibility.
The Reynolds ransomware group has updated their dark web leak site, claiming a successful breach of Falcon Management Corp.
Although the leak site states that data will be leaked within 3, 6, and 14 days, there is currently no evidence that any victim data has been publicly released. At this time, the site appears to contain only countdown notices without any actual leaked content to threaten the victims.
hxxps[:]//qtox[.]github[.]io
Reynolds ransomware leverages qTox for victim communication, utilizing the decentralized Tox protocol to establish end-to-end encrypted peer-to-peer channels. Because qTox operates without centralized servers or account registration, it significantly reduces the risk of infrastructure takedown or communication interception during ransom negotiations.
The Poison ID is a unique victim identifier generated by the ransomware and displayed in the ransom note. When contacting the attackers via qTox, victims are required to provide this ID so the operators can identify the corresponding encryption key and proceed with negotiation.
| Tactic | Technique ID | Technique Name | Observed Activity |
| Execution | T1569.002 | Service Execution | Loading and executing the dropped vulnerable driver. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Exploits CVE-2025-68947 in NSecKrnl driver for kernel-level access. |
| Defense Evasion | T1562.001 | Impair Defenses – Disable or Modify Security Tools | Terminates EDR and AV processes via kernel driver. |
| Defense Evasion | T1027 | Obfuscated/Compressed Files and Information | UPX packing compresses and modifies the binary structure to evade static detection and signature-based antivirus engines. |
| Defense Evasion | T1036 | Masquerading | Drops driver as 402.sys to appear benign |
| Discovery | T1057 | Process Discovery | Uses CreateToolhelp32Snapshot, Process32FirstW, Process32NextW to enumerate processes. |
| Discovery | T1082 | System Information Discovery | Uses GetSystemInfo() to retrieve CPU core count. |
| Discovery | T1135 | Network Share Discovery | Enumerates network drives using WNetGetConnectionW. |
| Discovery | T1083 | File and Directory Discovery | Enumerates local and network drives for file encryption. |
| Impact | T1486 | Data Encrypted for Impact | Encrypts files. |
| Command & Control | T1071 | Application Layer Protocol | Communication via TOR onion service and qTox. |
| Command & Control | T1573 | Encrypted Channel | Uses encrypted communication channels (Tor/qTox). |
File Hashes (SHA-256)
| IOC | FileName |
| 6bd8a0291b268d32422139387864f15924e1db05dbef8cc75a6677f8263fa11d | reynolds.exe |
| 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 | NSeckrnl.sys |
| c3bca7c9e5b0d3d9dadcae78ca79ee687c8f93d3e59500e86f03685d9ee4db70 | ___RestoreYourFiles___.txt |
Gurucul’s Unified Security and Risk Analytics platform provides layered detection capabilities that enable identification of the multi-stage execution chain of Reynolds ransomware. By combining behavioral analytics, UEBA, endpoint telemetry correlation, and network anomaly detection, Gurucul enables early detection of pre-encryption activity, privilege escalation, and command-and-control communication before large-scale file encryption occurs.
Reynolds ransomware exhibits several behavioral indicators that deviate from normal enterprise activity. Gurucul UEBA baselines standard user and host behavior to detect:
These behaviors generate contextual risk signals that are aggregated into dynamic risk scores, enabling analysts to identify high-risk endpoints before widespread impact.
Gurucul’s threat models aligned with the MITRE ATT&CK framework enable mapping of Reynolds ransomware techniques, including:
This alignment helps security teams understand attacker progression and implement control validation across the attack lifecycle.
Reynolds uses high-speed encryption to process large volumes of files efficiently. Gurucul detects ransomware encryption behavior through:
Behavior-based monitoring allows detection even when the ransomware binary is previously unseen and not signature-matched.
Rather than generating isolated alerts, Gurucul correlates weak signals across:
These signals are aggregated into a unified risk-based alert, reducing alert fatigue and enabling rapid triage with full contextual visibility.
Reynolds ransomware demonstrates how modern ransomware families combine hybrid cryptography, obfuscation techniques, deliberate kernel-level driver exploitation, and encrypted negotiation channels to maximize impact while evading traditional detection methods.
By leveraging behavior-driven analytics, UEBA, and correlated endpoint-network intelligence, Gurucul supports early-stage detection and containment, reducing dwell time, operational disruption, and data loss.
Contributors:
Pandurang Terkar
Siva Prasad Boddu
Rudra Pratap
