Akira ransomware abuses CPU tuning tool to disable Microsoft Defender

What’s new: Akira ransomware is exploiting the Intel CPU tuning driver ‘rwdrv.sys’ to disable Microsoft Defender during attacks. This technique is a ‘Bring Your Own Vulnerable Driver’ (BYOVD) approach: the legitimate but vulnerable driver gives the attackers kernel-level access, which they then use to manipulate Microsoft Defender settings. A second, malicious driver, ‘hlpdrv.sys’, is used to turn off anti-spyware protections. GuidePoint Security has observed this behavior since July 15, 2025, and has provided YARA rules and indicators of compromise (IoCs) for detection.
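A defender-side check for the two symptoms the report describes, as an added example that is not from the article or from GuidePoint: it looks for loaded driver services whose image ends in the two file names cited above, and reports whether Defender’s anti-spyware component has been switched off by policy or is not running. The driver file names are taken from the article; the registry policy value, the Win32_SystemDriver class and Get-MpComputerStatus are standard Windows locations and cmdlets.

```powershell
# Driver file names named in the report (GuidePoint's own YARA/IoC set is not reproduced here).
$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')

function Find-SuspectDrivers {
    # Enumerate kernel driver services and keep those whose image path ends in a suspect name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $path = $_.PathName
            $path -and ($suspectDrivers | Where-Object { $path -like "*$_" })
        } |
        Select-Object Name, State, StartMode, PathName
}

function Test-DefenderAntiSpywareDisabled {
    # Policy value that turns off Defender's anti-spyware component when set to 1.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $policyDisabled = [bool]($policy -and ($policy.DisableAntiSpyware -eq 1))

    # Live status as reported by Defender itself (null if the Defender module is unavailable).
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $liveDisabled = [bool]($status -and -not $status.AntispywareEnabled)

    [pscustomobject]@{
        PolicyDisableAntiSpyware = $policyDisabled
        AntispywareNotRunning    = $liveDisabled
    }
}

$drivers = Find-SuspectDrivers
if ($drivers) {
    Write-Warning 'Suspect driver service(s) present:'
    $drivers | Format-Table -AutoSize
}
Test-DefenderAntiSpywareDisabled
```

Run it elevated so the driver list and policy key are readable; either column reporting True warrants the same follow-up as a Defender tamper alert.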

Who’s affected

Organizations using Microsoft Defender and those with SonicWall VPNs are at risk, particularly in light of recent attacks linked to Akira ransomware. The threat actors have been observed using SEO poisoning to deliver malware through trojanized software installers.

What to do

  • Monitor for Akira-related activity and apply filters as new indicators emerge.
  • Disable or restrict SSLVPN access on SonicWall devices and enforce multi-factor authentication (MFA).
  • Only download software from official sites to avoid malicious impersonation sites.
