Hackers turn off Windows Defender by exploiting Intel CPU driver in attacks

Many current Windows PCs depend on Microsoft Defender as the primary defense against malware. Over time, it has developed into a solid yet often overlooked tool that tackles various threats. Yet, a hacker group has figured out how to completely disable Microsoft Defender, exploiting legitimate Intel CPU tuning drivers in what’s known as “bring your own vulnerable drivers” (BYOVD) attacks.

This technique first emerged around mid-July 2025 and is already being employed in ongoing ransomware attacks. Instead of relying on common software vulnerabilities or delivering obviously harmful files, this strategy utilizes the deep hardware access that Windows driver systems are designed to permit.

So, let’s break down what you should know about these attacks and how you can protect yourself.

Understanding How Akira Ransomware Disables Microsoft Defender

The Akira Ransomware Group has come up with a novel approach to evade security measures using a legitimate Intel CPU tuning driver called RWDRV.SYS from the ThrottleStop performance tool. Security firm GuidePoint reported that attackers load this driver to gain kernel-level access to the Windows system, followed by the installation of another malicious driver, HLPDRV.SYS.

Once Microsoft Defender is out of commission, attackers are free to deploy other malicious software undetected. This technique has been frequently spotted in the Akira campaign since July.

Akira Ransomware and SonicWall VPNs

This group is also associated with attacks on SonicWall VPN devices. According to SonicWall, these incidents likely stem from a known vulnerability, CVE-2024-40766, rather than representing a fresh zero-day exploit. The company suggests immediate defensive measures, such as limiting VPN access, enforcing multi-factor authentication, and disabling inactive accounts.

Akira’s activities often involve stealing data, creating hidden remote access points, and encrypting files for ransomware. Experts caution that counterfeit or visually similar websites are more frequently being utilized to distribute these malicious tools.

GuidePoint researchers have published YARA detection rules along with filenames and file paths to help identify this malicious activity. Administrators are advised to monitor these indicators actively, implement filtering and blocking protocols, and download software only from verified sources.
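As an added illustration of the monitoring the article recommends (this is example code, not GuidePoint's published rules or anything from the article), the following PowerShell check looks for installed driver services whose image file matches the two driver names named above and then reports Defender's current protection state. It assumes an elevated PowerShell session on Windows 10/11 with the built-in Defender module available.

```powershell
# Added example: host check for the driver names named in the article plus Defender state.
# Only the two file names come from the article; everything else is a general Windows check.
$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')

function Get-SuspectDriverServices {
    # Win32_SystemDriver lists kernel driver services whether or not they are running.
    # Compare only the image file name, since PathName may be \SystemRoot\... or \??\C:\...
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.PathName -and
            ([System.IO.Path]::GetFileName($_.PathName) -in $suspectDrivers)
        }
}

function Get-DefenderState {
    # Defender disabled or real-time protection off is a high-value signal on its own,
    # independent of which tool was used to switch it off.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMServiceEnabled           = $mp.AMServiceEnabled
        AntivirusEnabled           = $mp.AntivirusEnabled
        RealTimeProtectionEnabled  = $mp.RealTimeProtectionEnabled
        IsTamperProtected          = $mp.IsTamperProtected
    }
}

$hits = Get-SuspectDriverServices
if ($hits) {
    foreach ($d in $hits) {
        Write-Warning ("Driver service '{0}' state={1} startmode={2} path={3}" -f `
            $d.Name, $d.State, $d.StartMode, $d.PathName)
    }
} else {
    Write-Output "No driver service matching $($suspectDrivers -join ', ') found."
}

$state = Get-DefenderState
if (-not $state.RealTimeProtectionEnabled -or -not $state.AMServiceEnabled) {
    Write-Warning "Microsoft Defender is not fully active on this host."
}
$state
```

A clean result here does not prove absence of the activity; the article's point is that a legitimately signed driver was the entry point, so a hit on Defender being off deserves follow-up even when no known driver name is present.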

Attempts to reach Microsoft for comments went unanswered by the deadline.

Ways to Guard Yourself Against Similar Threats from Akira Ransomware

While the methods used by Akira Ransomware are advanced and quite concerning, there are still ways to protect yourself:

1) Use Strong Antivirus Software

Regular updates are essential; if Defender is disabled, you leave your system vulnerable. Robust antivirus software with real-time protection and regular updates can provide necessary safeguards. It can protect against phishing attempts and ransomware threats, keeping your personal information secure.

2) Limit Your Exposure

Many attacks depend on user interaction, like clicking on dubious links or downloading compromised files. Stick to trusted websites and ensure that you don’t open unsolicited email attachments. Using a browser with security features can also be helpful.

3) Avoid Unexpected Command Execution

Never execute commands or scripts from unknown sources or random websites. Attackers often trick users into running harmful scripts without their knowledge.

4) Keep Software Updated

Regularly update your operating system, browsers, and software applications to patch any vulnerabilities that malware could exploit.

5) Enable Two-Factor Authentication (2FA)

Implement 2FA on all accounts. This extra verification step can significantly hinder attackers even if they manage to obtain your password.

6) Invest in Personal Data Removal Services

Even strong security may not keep your personal information safe if it’s published online. Although no service can guarantee complete data removal, data deletion services can help by monitoring and removing your information from various sites.

These services do come at a cost, but they can offer peace of mind by limiting the information available to potential scammers.

The tactics used by Akira highlight a more significant issue—how Windows trusts certain tools. Legitimate CPU tuning drivers are being exploited to disable vital security. It challenges the assumption that hackers always come from the outside; sometimes, they are already inside the system, operating within established trust boundaries.

What do you think? Should Microsoft take more decisive action against ransomware groups that compromise their defenses?
