Key Takeaways:<\/p>\n\n\n\n
Akira ransomware operators are deploying a new tactic to disable Microsoft Defender by misusing a legitimate driver from ThrottleStop, an Intel CPU tuning tool. The driver, rwdrv.sys, is exploited in a BYOVD (Bring Your Own Vulnerable Driver) attack, allowing adversaries to execute code with kernel-level privileges.<\/p>\n\n\n\n
After loading the signed but vulnerable rwdrv.sys, the attackers install a malicious driver, hlpdrv.sys. This driver alters registry settings\u2014specifically the DisableAntiSpyware key\u2014to effectively turn off Microsoft Defender protections without triggering standard security alerts.<\/p>\n\n\n\n
Researchers at GuidePoint Security uncovered this method and observed its use in multiple Akira ransomware incidents since mid-July 2025. The attack path demonstrates a growing trend among ransomware groups to evade detection by leveraging trusted components for malicious purposes.<\/p>\n\n\n\n
Once elevated privileges are achieved, the malware disables Defender\u2019s scanning and telemetry features, creating an environment where encryption operations can proceed unimpeded. GuidePoint provided a YARA rule to detect the presence of hlpdrv.sys, along with additional IoCs to help defenders identify infected systems.<\/p>\n\n\n\n
Akira\u2019s operators have also been active in targeting SonicWall SSLVPN devices. Although no zero-day has been confirmed, reports suggest that even fully patched systems were compromised. This has raised concerns that an undisclosed vulnerability might be in play.<\/p>\n\n\n\n
To mitigate risk, organizations are advised to remove or block known vulnerable drivers like rwdrv.sys if not needed, monitor for signs of hlpdrv.sys activity, and audit Microsoft Defender settings for unauthorized changes. Network administrators should also limit or disable access to SSLVPN services unless multi-factor authentication is enforced and access controls are thoroughly reviewed.<\/p>\n\n\n\n
The BYOVD method is not new, but its continued success highlights a persistent gap in endpoint security. Signed drivers\u2014especially those from trusted sources\u2014can be used as powerful weapons if not carefully controlled. Microsoft has introduced driver blocklists to help curb this risk, but not all organizations enforce these protections consistently.<\/p>\n\n\n\n
As ransomware groups like Akira evolve their methods, defenders must go beyond traditional signature-based detection and look for behavioral patterns\u2014such as unexpected driver installations, service modifications, and sudden changes to Defender configurations.<\/p>\n\n\n\n
Akira remains an active and well-coordinated threat actor known for double-extortion tactics, where data is exfiltrated before encryption. This enables the group to pressure victims into paying by threatening to leak sensitive data if a ransom is not met.<\/p>\n\n\n\n
Security professionals should stay updated with the latest threat intelligence and incorporate detection rules like those provided by GuidePoint to enhance visibility. As attackers continue to blur the lines between legitimate and malicious software use, defensive strategies must adapt accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"
Key Takeaways: Akira ransomware operators are deploying a new tactic to disable Microsoft Defender by misusing a legitimate driver from ThrottleStop, an Intel CPU tuning tool. The driver, rwdrv.sys, is exploited in a BYOVD (Bring Your Own Vulnerable Driver) attack, allowing adversaries to execute code with kernel-level privileges. After loading the signed but vulnerable rwdrv.sys,<\/p>\n","protected":false},"author":44,"featured_media":24512,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24511"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=24511"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24511\/revisions"}],"predecessor-version":[{"id":24513,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24511\/revisions\/24513"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/24512"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=24511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=24511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=24511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}