Ethical Hacking News
The rise of ransomware families, BYOVD drivers, and cloud-based attacks highlights the evolving threat landscape in the world of cybersecurity. In this article, we delve into the latest developments in the ransomware landscape, exploring the emergence of new families, the use of BYOVD drivers, and the growing trend of cloud-based attacks.
The world of cybersecurity is constantly evolving, with new threats emerging daily. New ransomware families have emerged, including Reynolds, GLOBAL GROUP, Devman, and others, and are linked to a significant increase in attacks. Attackers use the Bring Your Own Vulnerable Driver (BYOVD) technique to evade detection and disable security tools. Cloud-based attacks are on the rise, with ransomware operators targeting cloud storage services, especially misconfigured Amazon Web Services (AWS) S3 buckets. The number of ransomware attacks increased by 23% in Q4 2025 compared to 2024, with an average ransom payment of $591,988.
The world of cybersecurity is constantly evolving, with new threats emerging every day. One of the most significant concerns in recent times has been the rise of ransomware attacks. These attacks have become increasingly sophisticated, using advanced techniques to evade detection and disable security tools. In this article, we will delve into the latest developments in the ransomware landscape, exploring the emergence of new families, the use of the Bring Your Own Vulnerable Driver (BYOVD) technique, and the growing trend of cloud-based attacks.
In recent months, several new ransomware families have emerged, including Reynolds, GLOBAL GROUP, Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. These families have been linked to a significant increase in ransomware attacks, with some of them showing a notable increase in activity compared to their predecessors. According to data from Cyble, GLOBAL GROUP was one of the most active ransomware groups in Q4 2025, with its data leak site listings increasing by 306% during this period.
One of the most interesting aspects of these new ransomware families is their use of BYOVD. In a BYOVD attack, the attacker abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions. This tactic has been used by many ransomware groups in the past, but what's notable about the Reynolds ransomware family is that it embeds the vulnerable driver within its own payload.
The use of BYOVD drivers is a significant concern for cybersecurity professionals, as it allows attackers to evade detection and disable security tools. The Symantec and Carbon Black Threat Hunter Team noted in their report that this tactic is not novel and has been observed in Ryuk ransomware attacks in 2020 and in an incident involving Obscura ransomware in late August 2025.
The Reynolds ransomware family also uses a vulnerable NsecSoft NSecKrnl driver, which is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7). This driver has been used by threat actors such as Silver Fox in attacks designed to kill endpoint security tools prior to delivering ValleyRAT.
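Because a BYOVD driver is legitimately signed, a signature check alone will not flag it; the load path and the driver name are more useful signals. The following triage of driver-load telemetry is an added example, not code from the cited report. The events are constructed in the shape of Sysmon Event ID 6 records, and the assumption that the file on disk keeps the name NSecKrnl is ours.

```python
import ntpath

# Constructed Sysmon Event ID 6 (driver loaded) records. Every value here,
# including paths and signer names, is made up for illustration.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-02-01 10:00:01", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"UtcTime": "2026-02-01 10:04:12", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\NSecKrnl.sys"},
    {"UtcTime": "2026-02-01 10:05:40", "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\ProgramData\upd\helper.sys"},
]

# Driver base names to watch. "nseckrnl" is the driver named in the article.
# Assumption: the file keeps that name on disk; an attacker can rename it.
WATCHLIST = {"nseckrnl"}

# Directories where kernel drivers normally live (lower-cased).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",
                 "c:\\windows\\system32\\driverstore\\")


def triage_driver_load(event):
    """Return the reasons this driver load deserves analyst review."""
    path = event.get("ImageLoaded", "").lower()
    base = ntpath.splitext(ntpath.basename(path))[0]
    reasons = []
    if base in WATCHLIST:
        reasons.append("watchlisted-driver-name")
    if not path.startswith(EXPECTED_DIRS):
        reasons.append("unusual-load-path")
    # A valid signature is expected for BYOVD, so this only catches other cases.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature-not-valid")
    return reasons


def flag_events(events):
    """Map the timestamp of each suspicious event to its reasons."""
    flagged = {}
    for event in events:
        reasons = triage_driver_load(event)
        if reasons:
            flagged[event["UtcTime"]] = reasons
    return flagged


if __name__ == "__main__":
    for when, reasons in flag_events(SAMPLE_EVENTS).items():
        print(when, ", ".join(reasons))
```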
In addition to the emergence of new ransomware families and the use of BYOVD, there is also a growing trend of cloud-based attacks. Ransomware operators are increasingly targeting cloud storage services, especially misconfigured Amazon Web Services (AWS) S3 buckets. These attacks often rely on native cloud features to delete or overwrite data, suspend access, or extract sensitive content.
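Which misconfigurations matter follows from the abuse described above: without versioning, deleted or overwritten objects cannot be restored, and a policy open to any principal lets anyone delete or overwrite. The audit below is an added example, not taken from the cited research. The bucket names and settings are constructed, shaped like the S3 GetBucketVersioning, GetPublicAccessBlock and GetBucketPolicy responses.

```python
from fnmatch import fnmatchcase

# Constructed bucket settings; names, ARNs and policies are invented.
BUCKETS = {
    "example-backups": {
        "versioning": {"Status": "Enabled"},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy": {"Statement": []},
    },
    "example-uploads": {
        "versioning": {},  # never enabled: the response carries no Status key
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": {"Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": ["s3:GetObject", "s3:Delete*"],
            "Resource": "arn:aws:s3:::example-uploads/*"}]},
    },
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
# Actions that let a caller destroy or overwrite stored data (lower-cased).
DESTRUCTIVE = ("s3:deleteobject", "s3:deleteobjectversion", "s3:putobject")


def as_list(value):
    return value if isinstance(value, list) else [value]


def grants_destructive(stmt):
    """True if an unconditioned Allow lets any principal delete or overwrite."""
    principal = stmt.get("Principal")
    anyone = principal == "*" or (
        isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
    patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
    hit = any(fnmatchcase(d, p) for d in DESTRUCTIVE for p in patterns)
    # Simplification: any Condition block is treated as a sufficient restriction.
    return stmt.get("Effect") == "Allow" and anyone and hit and "Condition" not in stmt


def audit_bucket(cfg):
    """Return findings that make destructive abuse easier or harder to undo."""
    findings = []
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning-off")
    if not all(cfg.get("public_access_block", {}).get(k) for k in PAB_KEYS):
        findings.append("public-access-block-incomplete")
    if any(grants_destructive(s) for s in cfg.get("policy", {}).get("Statement", [])):
        findings.append("anonymous-write-or-delete")
    return findings
```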
The shift towards cloud-based attacks is significant, as it highlights the growing threat landscape in this area. According to researcher Gautham Ashok, "the return of LockBit 5.0 was one of Q4's biggest shifts, driven by a late-quarter spike that saw the group list 110 organizations in December alone." This output signals a group that can scale execution quickly, convert intrusions into impact, and sustain an affiliate pipeline capable of operating at volume.
The emergence of new players, combined with partnerships forged between existing groups, has led to a significant increase in ransomware activity. Ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024. The number of attacks that don't involve encryption and instead rely purely on data theft as a means to exert pressure reached 6,182 during the same period, a 23% increase from 2024.
As for the average ransom payment, the figure stood at $591,988 in Q4 2025, a 57% jump from Q3 2025. This is driven by a small number of "outsized settlements," according to Coveware's quarterly report last week. The threat actors may return to their "data encryption roots" for more effective leverage to extract ransoms from victims.
The rise of ransomware families, BYOVD drivers, and cloud-based attacks highlights the evolving threat landscape in the world of cybersecurity. As attackers continue to evolve and adapt, it's essential for cybersecurity professionals to stay vigilant and up-to-date with the latest threats and techniques.
In conclusion, the recent surge in ransomware activity is a significant concern for individuals and organizations alike. The emergence of new families, the use of BYOVD drivers, and the growing trend of cloud-based attacks all contribute to this complex threat landscape. As we move forward, it's essential to remain aware of these developments and to take proactive measures to protect ourselves against these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolving-Threat-Landscape-Ransomware-Families-BYOVD-Drivers-and-the-Rise-of-Cloud-Based-Attacks-ehn.shtml
Published: Wed Feb 18 20:57:30 2026 by llama3.2 3B Q4_K_M