In a recent advisory from GuidePoint Security, a significant vulnerability has come to light concerning Microsoft Defender’s ability to thwart certain cyber threats. The report highlights a method by which hackers can circumvent this widely used security software to deploy Akira ransomware.
Exploiting Vulnerabilities
The crux of the issue lies in a legitimate driver known as rwdrv.sys, associated with an Intel CPU tuning tool called ThrottleStop. By exploiting this driver, cybercriminals can achieve kernel-level access to a target PC. This level of access is particularly concerning, as it allows for the installation of malicious drivers without detection.
Once the hacker gains this elevated access, they can introduce their own driver, hlpdrv.sys, which manipulates the Windows Registry. This manipulation effectively disables the protective measures of Microsoft Defender, rendering the system vulnerable to further attacks.
GuidePoint Security has identified this two-pronged approach as the modus operandi for Akira ransomware attacks, which have been increasingly prevalent since July of this year.
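As an added illustration (not code from the article or from GuidePoint's report), the following Python sketch shows how a detection rule could flag the two-stage chain described above in driver-load and registry-write telemetry. The key=value log layout and the sample events are constructed, and the Defender policy key path is an assumption, since the article only says the driver changes "the Windows Registry" and names no specific value.

```python
import re

# Driver names from the GuidePoint advisory summarised above.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumption: the malicious driver touches the standard Defender policy key;
# the article only says "the Windows Registry" and names no value.
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed sample telemetry in a simplified Sysmon-like key=value layout
# (EventID 6 = driver loaded, EventID 13 = registry value set).
SAMPLE_LOG = r"""
EventID=6 ImageLoaded=C:\Windows\System32\drivers\intelppm.sys
EventID=6 ImageLoaded=C:\Users\Public\rwdrv.sys
EventID=6 ImageLoaded=C:\Users\Public\hlpdrv.sys
EventID=13 TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)
EventID=13 TargetObject=HKLM\SOFTWARE\Contoso\Setting Details=DWORD (0x00000001)
"""

def parse_event(line: str) -> dict:
    """Split 'Key=Value Key=Value' tokens; values may contain spaces."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def detect(log_text: str) -> dict:
    """Flag suspect driver loads, Defender policy writes, and the full chain."""
    findings = {"drivers": [], "registry": [], "chain": False}
    seen = set()
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "6":
            path = ev.get("ImageLoaded", "")
            name = path.rsplit("\\", 1)[-1].lower()
            # rwdrv.sys alone can be legitimate (ThrottleStop); the pair is the signal.
            if name in SUSPECT_DRIVERS:
                seen.add(name)
                findings["drivers"].append(path)
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            if target.lower().startswith(DEFENDER_POLICY_KEY.lower()):
                findings["registry"].append(f"{target} = {ev.get('Details', '')}")
    # Chain: both drivers loaded and a Defender policy value was written.
    findings["chain"] = seen == SUSPECT_DRIVERS and bool(findings["registry"])
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On a real host, the same logic would run over Sysmon or EDR driver-load and registry events rather than the embedded sample, and the registry match should be widened to whichever Defender settings your baseline treats as tamper-sensitive.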
Staying Secure
To safeguard against such threats, it is imperative for users to employ reputable antivirus software on their Windows PCs. Keeping that software updated is equally crucial, since updates deliver the malware definitions needed to recognise newly discovered threats.
This information was initially reported by our sister publication, PC för Alla, and has been translated and adapted from Swedish for our audience.