Most modern Windows PCs rely on Microsoft Defender as their primary shield against malware. Over the years it has matured into a robust and often underappreciated guardian that blocks a wide range of threats. A hacker group, however, has devised a way to abuse a legitimate Intel CPU tuning driver in a “Bring Your Own Vulnerable Driver” (BYOVD) attack and disable Microsoft Defender entirely. The technique has been observed since mid-July 2025 and is already in use in active ransomware campaigns. Notably, it does not depend on exploiting a software bug or delivering an overtly malicious file; it capitalizes on the design of the Windows driver model, which permits kernel drivers deep hardware access.
How Akira ransomware disables Microsoft Defender
The Akira ransomware group bypasses security controls by loading a legitimate Intel CPU tuning driver, rwdrv.sys, which ships with the performance tool ThrottleStop. According to security firm GuidePoint Security, the attackers load this driver to obtain kernel-level access to the Windows system. They then install a second, malicious driver, hlpdrv.sys, which sets the DisableAntiSpyware registry value via regedit.exe, shutting down Microsoft Defender. With Defender disabled, the attackers can run additional malicious programs without detection. GuidePoint has consistently observed this method in Akira campaigns since mid-July.
Akira ransomware targets Microsoft Defender and SonicWall VPNs
This same group has also been implicated in attacks against SonicWall VPN devices. SonicWall has indicated that these incidents likely exploit a known vulnerability, CVE-2024-40766, rather than a new zero-day exploit. The company advises immediate defenses such as restricting VPN access, enabling multi-factor authentication, and disabling unused accounts. Akira’s attacks frequently involve data theft, establishing hidden remote access, and deploying ransomware to encrypt files across organizations. Security experts caution that fake or lookalike websites are increasingly being utilized to disseminate these malicious tools.
Researchers at GuidePoint have published a YARA detection rule, along with file names, service names, SHA-256 hashes, and file paths to aid in identifying this activity. They recommend that administrators actively monitor for these indicators, implement filtering and blocking rules as new Indicators of Compromise (IoCs) emerge, and download software exclusively from official or verified sources. Attempts to reach Microsoft for comment were unsuccessful before the deadline.
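As an added example (not GuidePoint's YARA rule or any material from the article), the following read-only PowerShell hunt checks a host for the traces described above: the DisableAntiSpyware value, services backed by the two named driver files, Defender's reported state, and, assuming Sysmon registry logging is deployed, regedit.exe writes to that value. The driver file names come from the article; the registry paths are Windows Defender's standard policy and product locations.

```powershell
# Added example, not GuidePoint's or the article's code. Run in an elevated
# PowerShell session. Read-only: it reports findings and changes nothing.
# Driver names: from the article. Registry paths: standard Defender locations.
# Sysmon Event ID 13 (RegistryEvent, value set) is assumed to be logged.

$driverPattern = '\\(rwdrv|hlpdrv)\.sys$'

# 1) Has DisableAntiSpyware been set? A value of 1 in either key disables Defender.
$regPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender'
)
foreach ($path in $regPaths) {
    $value = (Get-ItemProperty -Path $path -Name DisableAntiSpyware `
        -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($value -eq 1) {
        Write-Warning "DisableAntiSpyware=1 at $path (Defender disabled via registry)"
    }
}

# 2) Are rwdrv.sys or hlpdrv.sys registered as kernel driver services, and in what state?
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match $driverPattern } |
    ForEach-Object {
        Write-Warning ("Driver service '{0}' -> {1} (State={2}, StartMode={3})" -f `
            $_.Name, $_.PathName, $_.State, $_.StartMode)
    }

# 3) Cross-check Defender's live state; 'False' here corroborates a registry finding.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMServiceEnabled          = $mp.AMServiceEnabled
    } | Format-List
}

# 4) Was regedit.exe used to write the value? Sysmon ID 13 records registry
# value sets with the writing process image (assumes Sysmon is installed).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DisableAntiSpyware' -and $_.Message -match 'regedit\.exe' } |
    Select-Object TimeCreated, Message
```

A hit in step 1 or 2 on a machine that never ran ThrottleStop is worth escalating on its own; step 4 returns nothing on hosts without Sysmon, so treat an empty result there as "no data", not "clean".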
6 ways to protect yourself against Akira ransomware and similar threats
While the Microsoft Defender attack is both clever and perilous, there are several strategies you can employ to bolster your defenses:
1) Use strong antivirus software
Even with regular updates, Windows systems can remain vulnerable if built-in defenses are disabled. A robust antivirus solution featuring real-time protection, kernel-level monitoring, and frequent updates can serve as a vital backup. This software can alert you to phishing emails and ransomware scams, safeguarding your personal information and digital assets.
2) Limit exposure
Many exploits hinge on user interaction, such as clicking dubious links or downloading compromised files. Stick to reputable websites, avoid unsolicited email attachments, and utilize a browser with built-in security features, like Microsoft Edge or Chrome with Safe Browsing enabled.
3) Avoid running unexpected commands
Refrain from pasting or executing commands (such as PowerShell scripts) that you do not understand or that were copied from untrustworthy sources. Attackers often deceive users into inadvertently running malware through this method.
4) Keep your software updated
Regularly update your operating system, browsers, and all software applications. Updates frequently include patches for security vulnerabilities that malware can exploit.
5) Use two-factor authentication (2FA)
Enable 2FA on all your accounts. This adds an additional layer of security by requiring a second form of verification, making it more challenging for attackers to gain access even if they possess your password.
6) Invest in personal data removal services
Even with strong device security, your personal information may still be exposed online through data brokers and people-finder sites. While no service can guarantee complete removal of your data from the internet, a data removal service can actively monitor and systematically erase your personal information from numerous websites. This proactive approach can significantly reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web.