TL;DR: Reynolds ransomware uses a Bring Your Own Vulnerable Driver pattern to load NSecKrnl.sys, gain kernel-level execution, terminate AV and EDR processes, and then encrypt local and network drives, according to Gurucul. When ransomware can disable defenses before encryption begins, detection, containment, and identity-aware control validation all become time-critical.
NHIMG editorial — based on content published by Gurucul: Reynolds ransomware BYOVD abuse of NSecKrnl.sys for kernel-level defense evasion
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: What breaks when ransomware can load a vulnerable signed driver?
A: Endpoint trust breaks down because the malware can move from user mode into kernel mode while still appearing to use a legitimate driver.
Q: Why do vulnerable drivers make ransomware more dangerous than file encryption alone?
A: Vulnerable drivers let attackers disable the very tools meant to detect them, so the ransomware can operate with reduced interference.
Q: How can security teams tell driver abuse from ordinary software activity?
A: Look for a new driver load followed by process termination, security service stoppage, unusual API resolution, and rapid file modifications from the same host.
Practitioner guidance
- Block vulnerable signed drivers before load Maintain a denylist of known-abused drivers and enforce vulnerable driver block controls at the endpoint and via policy.
- Correlate driver load events with security service stoppage Alert when a new driver load is followed by AV or EDR process termination, service disablement, or Windows Security reporting that protection has stopped.
- Monitor for abnormal drive enumeration and share resolution Detect rapid GetLogicalDrives-style enumeration patterns, network share resolution, and sudden access to multiple mounted paths from a single host.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- IOCTL-level driver abuse details showing how NSecKrnl.sys is used to terminate security processes
- IOC lists including file hashes and named process targets for detection engineering work
- MITRE ATT&CK mappings for execution, privilege escalation, defense evasion, discovery, and impact
- Behavioural detection patterns across endpoint telemetry, file activity, and network communication
👉 Read Gurucul's analysis of Reynolds ransomware and BYOVD abuse →
BYOVD abuse in Reynolds ransomware: what defenders need to know?
Explore further
Kernel trust is the real attack surface here: Reynolds succeeds because endpoint trust models still assume that a signed driver is safe enough to load. That assumption fails when the driver is vulnerable and the payload is designed to command it directly. The implication is that driver trust must be treated as an access decision, not a binary allow or deny on signature alone.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when a trusted driver is abused to disable defenses?
A: Accountability usually spans endpoint engineering, vulnerability management, and security operations because the failure sits at the boundary between code trust and runtime control. The governance issue is not only who patched the driver, but who maintained visibility into what privileged components were allowed to load and run.
👉 Read our full editorial: Reynolds ransomware shows how BYOVD breaks endpoint defenses