Reynolds Ransomware: Disables Security Before Encrypting Data
- FEBRUARY 23RD, 2026
- 2 min read
Reynolds is a ransomware threat identified in early 2026. Its key capability is disabling security tools before encrypting files.
It achieves this by installing a legitimately signed but vulnerable Windows driver. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), grants attackers kernel-level access, which they use to disable antivirus and endpoint detection and response (EDR) tools. Once protections are neutralised, file encryption begins. In 2026, cybersecurity researchers found that the Reynolds ransomware payload embedded such a vulnerable driver in order to disable EDR tools before encrypting systems.
Simply put: it turns off your protection before locking your data.
Initial Access Methods
Reynolds likely spreads through common ransomware methods:
1. Phishing emails (malicious links or attachments)
2. Stolen or weak passwords (VPN, RDP, admin accounts)
3. Unpatched software vulnerabilities
4. Exposed or misconfigured remote access services
Once attackers gain administrative access, they can install the malicious driver and begin the attack.
Warning Signs
Watch for:
1. Unexpected installation of new system drivers
2. Antivirus or security tools suddenly stopping
3. Multiple systems losing protection simultaneously
4. Sudden spikes in file modifications or encrypted files
Unexplained driver installations should be treated as high-severity security incidents — even if encryption has not yet started.
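As an added illustration of the warning signs above (this is example code, not from the advisory or any vendor tooling), the Python below correlates constructed System-log style entries: a kernel-driver install (Event ID 7045) outside an approved baseline is reported on its own, and is escalated to high severity when watched protection services (names assumed) enter the stopped state (Event ID 7036) within a few minutes of it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed service names for the protection stack being watched; adjust to your EDR/AV.
SECURITY_SERVICES = {"WinDefend", "Sense"}
# Assumed baseline of driver image paths already approved on this host.
DRIVER_BASELINE = {r"C:\Windows\System32\drivers\ndis.sys"}
WINDOW = timedelta(minutes=10)  # how soon after a driver install a stop is suspicious

@dataclass
class Event:
    ts: datetime
    kind: str   # "driver_install" or "service_stopped"
    name: str   # driver image path or service name

def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed line shaped 'ISO-time|event_id|message'."""
    ts, eid, msg = line.split("|", 2)
    when = datetime.fromisoformat(ts)
    if eid == "7045" and "kernel mode driver" in msg.lower():
        return Event(when, "driver_install", msg.split("path=")[-1].strip())
    if eid == "7036" and "entered the stopped state" in msg:
        svc = msg.split(" service entered")[0].strip().removeprefix("The ")
        return Event(when, "service_stopped", svc)
    return None  # other service-control messages are not relevant here

def correlate(lines: List[str]) -> List[dict]:
    # One alert per non-baseline driver install; escalate if protection stopped soon after.
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "driver_install" or ev.name in DRIVER_BASELINE:
            continue
        stopped = sorted({o.name for o in events[i + 1:]
                          if o.kind == "service_stopped" and o.name in SECURITY_SERVICES
                          and o.ts - ev.ts <= WINDOW})
        alerts.append({"time": ev.ts.isoformat(), "driver": ev.name,
                       "stopped": stopped, "severity": "high" if stopped else "medium"})
    return alerts
SAMPLE_LOG = [  # constructed sample entries, not real telemetry
    "2026-02-20T09:00:00|7045|A service was installed. type=kernel mode driver path=C:\\Windows\\System32\\drivers\\ndis.sys",
    "2026-02-20T09:12:05|7045|A service was installed. type=kernel mode driver path=C:\\Users\\Public\\drv\\signed_but_vulnerable.sys",
    "2026-02-20T09:12:40|7036|The WinDefend service entered the stopped state.",
    "2026-02-20T09:13:02|7036|The Sense service entered the stopped state.",
    "2026-02-20T09:14:00|7036|The Spooler service entered the stopped state.",
]
if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Feeding real exported logs requires adapting `parse_line` to the exact message format your collector produces; the correlation logic itself does not change.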
Recommendations
To reduce risk:
1. Enable the Microsoft Vulnerable Driver Blocklist (or equivalent controls)
2. Restrict driver installation to trusted administrators only
3. Enforce multi-factor authentication (MFA) for remote access
4. Apply least-privilege access principles
5. Keep systems and software fully patched
6. Enable tamper protection in endpoint security tools
7. Maintain offline, regularly tested backups
Backups are critical. If ransomware cannot access backup systems, recovery is significantly faster and less disruptive.