Akira ransomware has found a new way to bypass Windows defenses: it’s using a legitimate Intel driver, originally designed to tweak CPU performance, to disable Microsoft Defender and other security tools on the systems it attacks.
The driver in question is rwdrv.sys, part of the ThrottleStop software, which is typically used to modify processor behavior. Attackers register it as a system service to gain kernel-level access—meaning the highest privileges available in Windows.
Once they have that access, it’s believed they use it to load a second driver, called hlpdrv.sys, which is fully malicious. This tool manipulates Microsoft Defender’s internal settings and disables its key protections, leaving the system completely exposed to ransomware encryption.
How Akira Uses Vulnerable Drivers to Disable Defender
This is a clear example of a BYOVD (Bring Your Own Vulnerable Driver) attack—a technique where cybercriminals leverage legitimate signed drivers with known vulnerabilities to gain privileged access to a system.
In this case, Akira ransomware uses the rwdrv.sys driver to reach Windows’ kernel level. From there, the attackers load a second malicious driver, hlpdrv.sys, also registered as a system service.
This second driver has a very specific function: to modify the Windows Registry to disable Microsoft Defender. Specifically, it changes the value of the following key:
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
To do this, the malware silently runs regedit.exe, manipulating system policies without the user noticing. This leaves the machine fully exposed, without Defender’s real-time protection, giving ransomware free rein to encrypt files.
This technique has been repeatedly observed in recent Akira attacks, especially since mid-July 2025. Its consistent use makes it a high-fidelity indicator, useful for both proactive detection and forensic analysis or threat hunting.
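The two observables above (a service that installs rwdrv.sys or hlpdrv.sys, followed by regedit.exe setting DisableAntiSpyware to 1) can be correlated in endpoint telemetry. The following hunting logic is an added example, not code from the article or from any vendor; it assumes events have already been reduced to dictionaries, loosely modelled on Windows System event 7045 (service installed) and Sysmon Event ID 13 (registry value set), and the sample events are constructed.

```python
import re

# Constructed sample telemetry (not real logs): a 7045 service-install event for each
# driver, a Sysmon ID 13 registry write by regedit.exe, and one benign service install.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "rwdrv", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"id": 7045, "service": "hlpdrv", "image": r"C:\Windows\Temp\hlpdrv.sys"},
    {"id": 13, "image": r"C:\Windows\regedit.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"id": 7045, "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
]

# Driver file names from the write-up, matched on the basename and case-insensitively,
# so a service registered under a different name but pointing at the same file is caught.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
TAMPER_KEY = r"software\policies\microsoft\windows defender\disableantispyware"


def normalize_key(path: str) -> str:
    """Map the kernel form (\\REGISTRY\\MACHINE\\...) and the HKLM form that Sysmon and
    admin tools log onto one lower-case string without the hive prefix."""
    p = path.lower().replace("/", "\\")
    for prefix in ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def hunt(events):
    """Return the driver installs, the Defender policy tampering, and whether both
    halves of the pattern described in the article were seen together."""
    drivers, tamper = [], []
    for ev in events:
        if ev["id"] == 7045:
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_DRIVERS:
                drivers.append(f"service '{ev['service']}' installs {name}")
        elif ev["id"] == 13 and normalize_key(ev["target"]) == TAMPER_KEY:
            # A DWORD of 1 switches Defender's antispyware engine off by policy.
            if re.search(r"0x0*1\)?$", ev["details"]):
                tamper.append(f"{ev['image']} set DisableAntiSpyware=1")
    return {"drivers": drivers, "defender_tamper": tamper,
            "akira_byovd_pattern": bool(drivers) and bool(tamper)}


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Either half on its own deserves a look; the combination, as the article notes, is the high-fidelity signal.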
These tactics demonstrate how even legitimate software can become a dangerous tool when it falls into the wrong hands, reinforcing the need for security measures that go beyond traditional antivirus solutions.
Akira Targets SonicWall SSLVPNs and Uses Advanced Infection Techniques
Akira ransomware continues to expand its reach and has recently been linked to attacks targeting SonicWall SSL VPNs, possibly exploiting a still unidentified vulnerability in these devices.
Although there is no official confirmation of a zero-day flaw, cybersecurity experts have observed attack patterns that suggest active exploitation. For now, it’s unclear whether Akira is using a brand-new bug or simply taking advantage of poorly secured configurations.
In response to the rise in malicious activity, SonicWall has recommended urgent preventive measures, including:
- Disabling or restricting SSLVPN use if not essential
- Enabling multi-factor authentication (MFA) for all access
- Activating protection against botnets and malicious IP addresses
- Removing old or inactive user accounts that attackers might exploit
Additionally, new initial access tactics used by Akira have been identified. According to a recent analysis by The DFIR Report, attackers are deploying the well-known Bumblebee malware loader, disguised as legitimate MSI installers.
One analyzed case showed how SEO poisoning techniques were used to rank a malicious site in Bing search results. In that scenario, users searching for “ManageEngine OpManager” were redirected to a fake site (opmanager[.]pro), where they downloaded an infected file thinking it was legitimate software.
Malicious Website That Launches an Akira Attack (Source: The DFIR Report)
This combination of vulnerabilities in critical infrastructure (such as VPNs) with social engineering and malicious SEO techniques shows that Akira is an increasingly sophisticated threat, targeting both individual users and enterprise systems.
How an Akira Attack Unfolds: From Bumblebee to Full Encryption
In the latest ransomware attacks linked to Akira, cybercriminals are using a highly structured and stealthy approach. It all begins with the Bumblebee malware loader, which is executed through a technique known as DLL side-loading.
Once it establishes communication with its command and control (C2) server, it downloads AdaptixC2, a tool designed to maintain persistent access to the compromised system. With the groundwork in place, the attackers begin internal network reconnaissance. During this phase, they:
- Create privileged accounts to maintain control
- Exfiltrate data using known tools like FileZilla
- Establish remote access channels through RustDesk and SSH tunnels, ensuring they can return when needed
After approximately 44 hours, the attackers launch the final blow: the Akira ransomware payload, identified as locker.exe. This payload encrypts systems across all network domains, completely paralyzing the affected organization’s operations.
Recommendations to Protect Your IT Environment
While the situation around possible vulnerabilities in SonicWall VPNs remains under investigation, it's crucial that system administrators and security teams strengthen their defenses and stay alert to any activity related to Akira. Here are some key recommendations:
- Monitor indicators of compromise (IOCs) shared by the cybersecurity community and respond proactively
- Apply filters, blocks, and detection rules in your firewalls, EDR systems, and SIEM solutions
- Avoid downloading software from unofficial sites or sponsored links—many attacks begin with trojanized installers
- Always download tools from official sources or verified repositories to avoid falling victim to SEO poisoning campaigns
Protect Your Infrastructure with Advanced Solutions Like TecnetProtect
Having a comprehensive cyberprotection platform like TecnetProtect can make a significant difference against threats like Akira. This solution combines advanced backups with integrated cybersecurity—all from a centralized console. Its standout features include:
- Real-time data backup and recovery, even at full image level
- AI-powered ransomware protection that detects and blocks suspicious behavior before it impacts your systems
- Endpoint security, including antivirus, antimalware, and web filtering
- Unified management, either in the cloud or on-premises—ideal for IT teams managing multiple devices and locations
- Support for hybrid and virtualized environments, including Microsoft 365, Google Workspace, VMware, and more
Implementing a solution like TecnetProtect helps you not only respond quickly to an attack but also recover without data loss or extended downtime.