Akira Ransomware Exploits CPU Tool to Bypass Microsoft Defender

Summary
– Akira ransomware abuses the legitimate Intel driver ‘rwdrv.sys’ to gain kernel-level access and disable Microsoft Defender by loading a malicious driver ‘hlpdrv.sys’.
– This attack is a ‘Bring Your Own Vulnerable Driver’ (BYOVD) tactic, exploiting signed drivers with known vulnerabilities to escalate privileges and disable security tools.
– GuidePoint Security observed repeated abuse of ‘rwdrv.sys’ in Akira attacks since July 2025 and provided detection tools like YARA rules and IoCs for defenders.
– Akira ransomware has also targeted SonicWall VPNs, potentially exploiting an unknown flaw, prompting SonicWall to recommend disabling SSLVPN and enforcing MFA.
– Recent Akira attacks involved Bumblebee malware delivered via trojanized MSI installers, with attackers exfiltrating data before deploying ransomware after ~44 hours.
A sophisticated ransomware campaign is leveraging a legitimate Intel processor utility to disable Microsoft Defender protections before deploying its malicious payload. Security researchers have identified this as a BYOVD (Bring Your Own Vulnerable Driver) attack, where threat actors exploit signed but flawed drivers to gain elevated system access.
The Akira ransomware group has been weaponizing Intel’s ThrottleStop tuning driver (rwdrv.sys) to bypass endpoint defenses. Once registered as a kernel-level service, the driver loads a second malicious component (hlpdrv.sys), which directly manipulates Windows Defender registry settings. By modifying the DisableAntiSpyware value, attackers effectively neutralize critical security checks before executing their encryption routines.
According to incident responders, this technique surfaced in mid-July 2025 and has since become a hallmark of Akira intrusions. GuidePoint Security provided detection rules and indicators of compromise (IoCs), including service names and file paths associated with the rogue drivers. The malware alters Defender configurations via regedit.exe, leaving systems exposed to further exploitation.
Parallel attacks targeting SonicWall VPNs have also been tied to Akira, though whether these involve unpatched zero-day vulnerabilities remains unconfirmed. SonicWall recommends disabling SSLVPN where possible, enforcing multi-factor authentication (MFA), and enabling Botnet/Geo-IP filters as precautionary measures.
Additional analysis reveals Akira’s reliance on Bumblebee malware, often distributed through fake software installers. Cybercriminals use SEO poisoning to push malicious sites, such as a spoofed ManageEngine OpManager page, that deliver trojanized MSI packages. Once executed, Bumblebee establishes persistence via AdaptixC2, while attackers move laterally using tools like FileZilla, RustDesk, and SSH tunnels. The ransomware payload typically deploys after roughly 44 hours of reconnaissance.
Proactive defense strategies include:
- Monitoring for registry changes related to DisableAntiSpyware
- Restricting driver installations to authorized vendors
- Validating software downloads exclusively through official sources
- Applying emerging IoCs to block known malicious services and file hashes
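As an added illustration of the first and last of these strategies (example code, not taken from the article or from GuidePoint's published rules), the following Python correlates Windows event records the way a detection engineer would: a service or driver install naming rwdrv.sys or hlpdrv.sys, followed within a window by a DisableAntiSpyware registry write on the same host. The registry path, the event IDs (System log 7045, Sysmon 6 and 13), the JSON field names and the 30-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Driver file names and the Defender registry value named in the article above.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
DEFENDER_VALUE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
WINDOW = timedelta(minutes=30)  # assumed correlation window, not from the article

def ts(ev):
    return datetime.fromisoformat(ev["time"])

def is_driver_install(ev):
    # System log 7045 (service installed) or Sysmon 6 (driver loaded) naming a suspect driver
    name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    return ev["event_id"] in (7045, 6) and name in SUSPECT_DRIVERS

def is_defender_disable(ev):
    # Sysmon 13 (registry value set) writing a nonzero DisableAntiSpyware
    if ev["event_id"] != 13 or ev.get("target", "").lower() != DEFENDER_VALUE.lower():
        return False
    details = str(ev.get("details", "")).lower()
    return details not in ("", "0", "dword (0x00000000)")

def detect(lines):
    """Return alerts: one per suspect driver, one per Defender disable, and a
    'byovd-chain' alert when a disable follows a suspect driver on the same host."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=ts)
    alerts, drivers = [], []  # drivers: (time, host, image) seen so far
    for ev in events:
        if is_driver_install(ev):
            drivers.append((ts(ev), ev["host"], ev["image"]))
            alerts.append({"rule": "suspect-driver", "host": ev["host"], "image": ev["image"]})
        elif is_defender_disable(ev):
            alerts.append({"rule": "defender-disabled", "host": ev["host"], "process": ev.get("process")})
            chain = [img for t, h, img in drivers if h == ev["host"] and ts(ev) - t <= WINDOW]
            if chain:
                alerts.append({"rule": "byovd-chain", "host": ev["host"], "drivers": chain})
    return alerts

# Constructed sample events (not real telemetry): the chain the article describes on WS01,
# plus a benign write that leaves Defender enabled on WS02, which must not fire.
SAMPLE_LOG = [
    '{"time": "2025-07-15T10:02:11", "host": "WS01", "event_id": 7045, "image": "C:\\\\Windows\\\\Temp\\\\rwdrv.sys"}',
    '{"time": "2025-07-15T10:03:40", "host": "WS01", "event_id": 6, "image": "C:\\\\Windows\\\\Temp\\\\hlpdrv.sys"}',
    '{"time": "2025-07-15T10:04:05", "host": "WS01", "event_id": 13, "process": "regedit.exe", "target": "HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware", "details": "DWORD (0x00000001)"}',
    '{"time": "2025-07-15T10:04:09", "host": "WS02", "event_id": 13, "process": "svchost.exe", "target": "HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware", "details": "DWORD (0x00000000)"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The standalone alerts cover the first bullet above; the chained alert is the higher-confidence signal, since a driver drop followed by the Defender write is the sequence the article attributes to Akira rather than an isolated registry change.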
As Akira continues evolving its tactics, organizations must prioritize real-time threat hunting and strict access controls to mitigate risks.
(Source: BLEEPING COMPUTER)