The Akira ransomware group is exploiting a legitimate Intel CPU tuning driver (rwdrv.sys) to disable Microsoft Defender in a sophisticated Bring Your Own Vulnerable Driver (BYOVD) attack. Security researchers observed this evasion tactic paired with SonicWall VPN targeting and trojanized software installers, underscoring critical supply chain risks.
In a dangerous evolution of ransomware tactics, the Akira group is weaponizing Intel's trusted ThrottleStop utility driver to dismantle endpoint defenses. GuidePoint Security reports that since mid-July 2025, attackers have deployed 'rwdrv.sys'—a signed driver for CPU tuning—to gain kernel-level access and load a malicious companion driver ('hlpdrv.sys'). This secondary payload then manipulates the Windows Registry to disable Microsoft Defender via a regedit.exe command, specifically targeting:
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
This BYOVD (Bring Your Own Vulnerable Driver) technique exploits legitimate but vulnerable signed drivers to bypass security controls—a growing trend among advanced threat actors. As GuidePoint notes: "We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection." The firm has released YARA rules and IoCs to help defenders identify these driver abuses.
Malicious site delivering trojanized software (Source: The DFIR Report)
Compounding the threat, Akira infections often begin via SEO-poisoned searches for IT tools like ManageEngine OpManager. Victims land on spoofed sites (e.g., opmanager[.]pro) that distribute the Bumblebee malware loader via trojanized MSI installers. Once installed, attackers conduct reconnaissance, establish persistence with tools like RustDesk, and exfiltrate data via FileZilla before deploying the ransomware payload after ~44 hours.
Simultaneously, SonicWall warned of targeted attacks against its SSL-VPNs—potentially leveraging an unpatched vulnerability—though researchers haven't confirmed Akira's direct involvement. The vendor advises disabling unused VPN access, enforcing MFA, and enabling Geo-IP blocking.
Critical Mitigations:
- Block vulnerable drivers: Use Microsoft's Vulnerable Driver Blocklist or HVCI
- Verify downloads: Only source software from official vendor sites
- Monitor registry changes: Alert on Defender
DisableAntiSpywaremodifications - Hunt for rwdrv.sys/hlpdrv.sys: Use GuidePoint's published IoCs
As BYOVD attacks escalate, this incident highlights how ransomware groups increasingly weaponize trusted components. Defenders must prioritize kernel-level protection and assume legitimate software can be turned against them.
Comments
Please log in or register to join the discussion