Akira ransomware abuses CPU tuning tool to disable Microsoft Defender


What’s new: Akira ransomware operators are abusing ‘rwdrv.sys’, a legitimate, signed driver that ships with a CPU tuning utility for Intel processors, to disable Microsoft Defender during attacks. The attackers register the driver as a Windows service, which loads it into the kernel; that kernel-level access is then used to load a second, malicious driver, ‘hlpdrv.sys’, which modifies Windows Defender settings so that its protections are switched off. This tactic has been observed since July 15, 2025, and is categorized as a ‘Bring Your Own Vulnerable Driver’ (BYOVD) attack: the attacker brings the legitimate driver along rather than relying on it already being present on the victim machine.

Who’s affected

Any organization that relies on Microsoft Defender as its Windows endpoint protection is at risk; the CPU tuning tool does not need to be installed beforehand, because the attacker drops the rwdrv.sys driver themselves. Organizations with SonicWall VPNs are at particular risk, as these devices have been targeted in recent Akira ransomware attacks.

What to do

  • Monitor for Akira-related activity, including new service or driver installations, and block indicators as new ones emerge.
  • Disable or restrict SSLVPN access and enforce multi-factor authentication (MFA) on SonicWall devices.
  • Only download software from official sites to avoid malware from impersonation sites.
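The following hunting script is an added example for the monitoring step above; it is not from the report or from any vendor. It assumes only the two driver file names the article gives (rwdrv.sys and hlpdrv.sys) and the July 15, 2025 start date; the service names the attackers use are not stated, so it matches on the driver image path instead, and the Defender policy registry checks at the end are generic Defender-disabling settings, not a claim about what hlpdrv.sys specifically changes.

```powershell
# Added hunting script (not part of the original article). Run elevated on a
# Windows host. Driver names are the ones named in the article; the service
# names are unknown, so match on the binary path rather than the service name.
$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$pattern = ($suspectDrivers | ForEach-Object { [regex]::Escape($_) }) -join '|'
$since = Get-Date '2025-07-15'   # first observed date from the article (assumption: use as lower bound)

Write-Host '== Kernel drivers currently registered whose image matches the suspect names =='
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host '== Service installation events (System log, Event ID 7045) naming those drivers =='
# 7045 fires when a service (including a kernel driver service) is registered;
# registering the driver as a service is the step the article describes.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Message |
    Format-List

Write-Host '== Defender posture (all of these should be True except DisableRealtimeMonitoring) =='
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected |
    Format-List
Get-MpPreference | Select-Object DisableRealtimeMonitoring | Format-List

Write-Host '== Defender policy registry values that turn protection off (generic check) =='
# Assumption: these are the standard Group Policy locations for disabling
# Defender; a non-empty result here on a host with no such policy is suspicious.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property DisableAntiSpyware, DisableRealtimeMonitoring -ErrorAction SilentlyContinue |
            Format-List
    }
}
```

Two points on interpreting the output: a legitimately installed CPU tuning utility will also show rwdrv.sys in the first section, so correlate with whether that software is expected on the host and with the 7045 timestamp; and because the Defender driver is loaded before the malicious one can act, tamper protection being reported as enabled is worth verifying rather than assuming. Microsoft’s vulnerable driver blocklist (enforced through HVCI or an App Control policy) is the general mitigation for BYOVD, and checking that it is actually in enforcement mode on your fleet is a sensible follow-up to this script.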

Sources