Akira Ransomware Hits SonicWall VPNs, Deploys Drivers to Bypass Security

A new report by cybersecurity firm GuidePoint Security reveals a clever new method used by the Akira ransomware group to attack computer networks. Researchers found that following initial access into systems, the hackers have been using two specific software drivers to secretly disable security tools, a key step before deploying their ransomware.

The discovery by GuidePoint Security, shared with Hackread.com, is considered a high-priority finding because it has been observed repeatedly in recent attacks by Akira, which has been exploiting security flaws in SonicWall VPNs since late July. This new insight gives companies a better chance to find and stop these attacks before they can cause major damage. The hacking group’s activity has been traced back to at least July 15, 2025.

How Hackers Are Sneaking Past Defences

The report explains how hackers gain entry by exploiting vulnerabilities in SonicWall VPNs. Once inside, they use two drivers, which are small software programs that help a computer’s hardware and software communicate.

One of the drivers, named rwdrv.sys, is actually a legitimate file from a performance tool for Intel CPUs, but hackers are misusing it to gain powerful, kernel-level access to the affected device. This gives them deep control over the computer’s operations.

The second driver, hlpdrv.sys, is malicious. Its job is to specifically target and disable Windows Defender, the built-in antivirus software. By using these two drivers in a specific order, the attackers can effectively blind a system’s security software, clearing the way to launch their ransomware.

A History of Attacks on Businesses

This new campaign is not Akira’s first time targeting corporate networks through security vulnerabilities. In August 2023, the group was identified as exploiting weaknesses in Cisco VPN products to gain unauthorised access and launch ransomware attacks.

More recently, in April 2025, Hackread.com also covered a new spam campaign from AkiraBot, a tool that uses AI to create personalised spam messages for small businesses. These past campaigns show that Akira is a persistent and adaptable threat to a wide range of industries, from education and healthcare to manufacturing.

What Companies Should Do

GuidePoint Security is strongly advising security professionals to actively search for these two drivers on their systems. They have also provided a YARA rule to help with this effort. YARA rules are pattern-matching signatures that let security teams scan files and systems for the unique characteristics of these drivers, allowing for quick detection.
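The report’s YARA rule is not reproduced here. As an added illustration of the hunt it recommends, the following Python script is not GuidePoint’s code; it scans Sysmon Event ID 6 (DriverLoad) records for the two driver names and applies the ordering the report describes, rating a host that loads rwdrv.sys and then hlpdrv.sys higher than one that loads rwdrv.sys alone, since the legitimate driver can also be present where the performance tool is genuinely in use. The JSON-lines layout, the `Computer` field and the sample records are assumptions constructed for the example, not real telemetry.

```python
"""Hunt for the Akira driver pair (rwdrv.sys followed by hlpdrv.sys) in Sysmon driver-load events.

Added example, not code from GuidePoint or from the report. Assumes Sysmon Event ID 6
(DriverLoad) records flattened to one JSON object per line with the EventData field names
plus a "Computer" field; the sample records below are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names from the report. Matching is on the basename, case-insensitively,
# because the attackers choose the directory the drivers are dropped into.
ABUSED_LEGIT_DRIVER = "rwdrv.sys"   # legitimate Intel CPU performance-tool driver, abused for kernel access
MALICIOUS_DRIVER = "hlpdrv.sys"     # malicious driver that disables Windows Defender
PAIR_WINDOW = timedelta(hours=1)    # assumed: how soon after rwdrv.sys the second driver is expected

# Constructed sample log (not real telemetry). Timestamps use Sysmon's UtcTime format.
SAMPLE_LOG = r"""
{"Computer": "WS01", "UtcTime": "2025-08-01 10:00:12.000", "ImageLoaded": "C:\\Temp\\rwdrv.sys", "Signed": "true"}
{"Computer": "WS01", "UtcTime": "2025-08-01 10:03:40.000", "ImageLoaded": "C:\\Temp\\hlpdrv.sys", "Signed": "false"}
{"Computer": "WS02", "UtcTime": "2025-08-01 11:15:00.000", "ImageLoaded": "C:\\Tools\\RWDRV.SYS", "Signed": "true"}
{"Computer": "WS03", "UtcTime": "2025-08-01 12:00:00.000", "ImageLoaded": "C:\\Users\\Public\\hlpdrv.sys", "Signed": "false"}
{"Computer": "WS04", "UtcTime": "2025-08-01 12:30:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"}
"""


def driver_name(path: str) -> str:
    """Return the lower-case file name of a driver path, accepting backslash or slash separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines DriverLoad records into dicts sorted by host and load time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "host": rec["Computer"],
            "time": datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "path": rec["ImageLoaded"],
            "name": driver_name(rec["ImageLoaded"]),
            "signed": rec.get("Signed", "").lower() == "true",
        })
    return sorted(events, key=lambda e: (e["host"], e["time"]))


def hunt(events: list[dict], window: timedelta = PAIR_WINDOW) -> dict[str, dict]:
    """Return {host: finding} for every host that loaded either driver.

    Severity is 'high' when hlpdrv.sys was loaded at all, or when rwdrv.sys was followed by
    hlpdrv.sys within the window (the order the report describes); 'medium' when rwdrv.sys
    appears alone, which still needs a check that the performance tool is legitimately in use.
    """
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["name"] in (ABUSED_LEGIT_DRIVER, MALICIOUS_DRIVER):
            by_host[e["host"]].append(e)

    findings = {}
    for host, loads in by_host.items():
        rw_times = [e["time"] for e in loads if e["name"] == ABUSED_LEGIT_DRIVER]
        hlp_times = [e["time"] for e in loads if e["name"] == MALICIOUS_DRIVER]
        # Pair condition: hlpdrv.sys loaded at or after rwdrv.sys, within the window.
        paired = any(timedelta(0) <= (h - r) <= window for r in rw_times for h in hlp_times)
        if paired:
            severity, reason = "high", "rwdrv.sys followed by hlpdrv.sys (Akira driver pair)"
        elif hlp_times:
            severity, reason = "high", "hlpdrv.sys loaded (Defender-disabling driver)"
        else:
            severity, reason = "medium", "rwdrv.sys loaded without hlpdrv.sys; confirm legitimate use"
        findings[host] = {
            "severity": severity,
            "reason": reason,
            "paths": sorted({e["path"] for e in loads}),
        }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {finding['severity']} - {finding['reason']} {finding['paths']}")
```

Matching on the file name alone is deliberately broad: the attackers can rename files, so the YARA rule from the report, which matches on content rather than name, remains the stronger control, and this script is a quick first pass over existing driver-load telemetry.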

Separately, SonicWall has issued its own advice for customers, recommending using multi-factor authentication (MFA) to make logging in more secure, limiting who can connect to the VPN, and making sure all security services are turned on.
