Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.