Akira ransomware abuses legitimate, signed Intel CPU tuning drivers, specifically ‘rwdrv.sys’ and ‘hlpdrv.sys,’ to gain kernel-level access and disable Microsoft Defender. This Bring Your Own Vulnerable Driver (BYOVD) technique has been observed repeatedly since July 2025 and is used to evade security tools during intrusions, including those that begin with compromised SonicWall SSLVPNs. #AkiraRansomware #BYOVD
Key points
- The Akira ransomware abuses signed drivers like ‘rwdrv.sys’ for privilege escalation and disabling Windows Defender.
- Malicious use of the ‘hlpdrv.sys’ driver manipulates Defender settings via regedit.exe.
- Security firm GuidePoint Security has identified this driver pairing as a widespread indicator of Akira activity since mid-2025.
- Recent attacks include compromising SonicWall SSLVPNs, possibly through a vulnerability that has not yet been identified.
- Defense measures include disabling vulnerable drivers, monitoring IoCs, and enforcing multi-factor authentication.
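As a defender-side illustration, the following is an added PowerShell hunt script, not code from the article or from GuidePoint, that checks a Windows host for the two driver names the article cites, looks for their installation in Service Control Manager 7045 events, and reports Defender's state. The assumption that the drivers register as kernel services, and the specific Defender policy registry values checked, are mine rather than the article's.

```powershell
# Added example: hunt for the rwdrv.sys / hlpdrv.sys BYOVD pattern and check Defender.
# Assumption: the drivers are loaded as kernel-mode services, so they appear as
# Win32_SystemDriver instances and as SCM "service installed" (7045) events.
# Run from an elevated PowerShell session.

$suspectNames = @('rwdrv', 'hlpdrv')                 # service names named in the article
$suspectFiles = 'rwdrv\.sys|hlpdrv\.sys'              # regex over image paths / messages
$findings = @()

# 1. Kernel drivers currently registered on the host (running or stopped).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { ($suspectNames -contains $_.Name.ToLower()) -or
                   ($_.PathName -and $_.PathName -match $suspectFiles) } |
    ForEach-Object {
        $findings += ("Driver registered: {0} State={1} Path={2}" -f $_.Name, $_.State, $_.PathName)
    }

# 2. Event 7045 is written whenever a new service (including a kernel driver) is
#    installed, so it shows past loads even if the driver was removed afterwards.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $suspectFiles } |
    ForEach-Object {
        $findings += ("Service install at {0}: {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0])
    }

# 3. Defender tamper check. The article says Defender settings are changed through
#    regedit.exe; these Policies values are my assumption of the likely targets.
$polBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polBase -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    $findings += "Policy DisableAntiSpyware=1 set under $polBase"
}
$rtp = Get-ItemProperty -Path "$polBase\Real-Time Protection" -ErrorAction SilentlyContinue
if ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1) {
    $findings += "Policy DisableRealtimeMonitoring=1 set under $polBase\Real-Time Protection"
}
# Live status as reported by the Defender module itself (absent on hosts without Defender).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender reports RealTimeProtectionEnabled = False"
}

# 4. Report. Any finding on a host that has no legitimate CPU-tuning software
#    installed warrants isolation and a full review of driver-load history.
if ($findings.Count -eq 0) {
    Write-Output "No rwdrv/hlpdrv indicators and Defender policy looks intact."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Pair this host check with blocking the two drivers through Microsoft's vulnerable driver blocklist or a WDAC policy so that a future load attempt fails rather than merely being logged.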