Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks
Akira ransomware affiliates are using a sophisticated evasion technique that exploits legitimate Windows drivers to bypass antivirus and endpoint detection and response (EDR) systems during recent SonicWall VPN attack campaigns.
The attacks, which have escalated from late July through early August 2025, demonstrate the threat actors’ evolving tactics to maintain persistence and avoid detection in compromised environments.
Key Takeaways
1. Akira uses legitimate Windows drivers to bypass security controls.
2. Exploits undisclosed SonicWall VPN vulnerability for initial access.
3. Disable SSLVPN, enable MFA, hunt for malicious driver hashes.
Akira Ransomware Leverages Windows Drivers
According to GuidePoint Security reports, Akira ransomware operators are leveraging two specific Windows drivers in what security experts classify as a Bring Your Own Vulnerable Driver (BYOVD) attack methodology.
The first driver, rwdrv.sys (SHA256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0), is a legitimate component of ThrottleStop, a Windows performance tuning utility designed for Intel CPUs.
Threat actors register this driver as a service to gain kernel-level access to compromised systems.
The second driver, hlpdrv.sys (SHA256: bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56), serves a more malicious purpose by directly targeting Windows Defender.
When executed, it modifies the DisableAntiSpyware setting at \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware by executing regedit.exe.
Both drivers are typically deployed to the path \Users\[REDACTED]\AppData\Local\Temp and registered as services named “mgdsrv” and “KMHLPSVC” respectively.
SonicWall VPN Targeting
The driver-based evasion techniques have been observed consistently across multiple Akira ransomware incident response cases connected to SonicWall VPN exploitation.
While the exact vulnerability remains undisclosed, SonicWall has acknowledged the threat and issued emergency recommendations, including disabling SSLVPN services where practical, implementing multi-factor authentication (MFA), and enabling Botnet protection with Geo-IP filtering.
Security teams can detect these threats using YARA rules that identify the malicious hlpdrv.sys driver based on PE file structure, specific imports from ntoskrnl.exe including ZwSetSecurityObject and PsLookupProcessByProcessId, and artifact strings such as “\Device\KMHLPDRV” and “HlpDrv”.
Organizations should prioritize hunting for these indicators while implementing SonicWall’s recommended hardening measures to prevent initial access.
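As an added example (not code from the article or from GuidePoint Security), the following Python hunt applies the indicators reported above to Windows event records. The pipe-delimited line format, the sample telemetry and the username are assumptions constructed for the example; a practitioner would replace SAMPLE_LOG with exported System 7045 and Sysmon 6/13 events.

```python
import re
# IOCs as reported in the article above: driver hashes, service names, registry value.
MALICIOUS_SHA256 = {
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0": "rwdrv.sys (ThrottleStop driver)",
    "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56": "hlpdrv.sys (Defender tampering)",
}
SUSPECT_SERVICES = {"mgdsrv", "kmhlpsvc"}
DEFENDER_KEY = re.compile(r"\\policies\\microsoft\\windows defender\\disableantispyware$", re.I)
TEMP_DRIVER = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.sys$", re.I)
SHA256_FIELD = re.compile(r"SHA256=([0-9a-f]{64})", re.I)

# Constructed sample telemetry (not from a real incident), flattened to "EventID|field=value|...":
# System 7045 (service installed), Sysmon 6 (driver loaded), Sysmon 13 (registry value set).
SAMPLE_LOG = r"""
7045|ServiceName=mgdsrv|ImagePath=C:\Users\bob\AppData\Local\Temp\rwdrv.sys|ServiceType=kernel mode driver
7045|ServiceName=Spooler|ImagePath=C:\Windows\System32\spoolsv.exe|ServiceType=own process
7045|ServiceName=KMHLPSVC|ImagePath=C:\Users\bob\AppData\Local\Temp\hlpdrv.sys|ServiceType=kernel mode driver
6|ImageLoaded=C:\Users\bob\AppData\Local\Temp\hlpdrv.sys|Hashes=SHA256=BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56|Signed=true
13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|Details=DWORD (0x00000001)
"""

def parse_event(line):
    """Split one flattened event line into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    record = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")  # split on the first '=' only (Hashes=SHA256=...)
        record[key] = value
    return record

def hunt(log_text):
    """Return (event_id, reason) pairs for events matching the reported tradecraft."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_event(line)
        eid = rec["EventID"]
        if eid == "7045":  # service installation: known names or a kernel driver from user Temp
            name, path = rec.get("ServiceName", ""), rec.get("ImagePath", "")
            if name.lower() in SUSPECT_SERVICES:
                findings.append((eid, f"known Akira service name: {name}"))
            if "kernel" in rec.get("ServiceType", "").lower() and TEMP_DRIVER.search(path):
                findings.append((eid, f"kernel driver installed from user Temp: {path}"))
        elif eid == "6":  # driver load: compare the SHA256 with the reported hashes
            m = SHA256_FIELD.search(rec.get("Hashes", ""))
            if m and m.group(1).lower() in MALICIOUS_SHA256:
                findings.append((eid, f"known BYOVD driver hash: {MALICIOUS_SHA256[m.group(1).lower()]}"))
        elif eid == "13" and DEFENDER_KEY.search(rec.get("TargetObject", "")) and "0x00000001" in rec.get("Details", ""):
            findings.append((eid, "Defender DisableAntiSpyware policy set to 1"))  # AV disabled via policy
    return findings
```

The service-name and Temp-path checks are reported separately so that a renamed service still triggers on the unusual driver location.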
Indicators Of Compromise (IOCs)