Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks

Security researchers have identified a sophisticated new tactic employed by Akira ransomware operators, who are exploiting legitimate Windows drivers to evade antivirus and endpoint detection systems while targeting SonicWall VPN infrastructure.

This development represents a significant escalation in the group’s technical capabilities and poses serious challenges for enterprise cybersecurity defenses.

Campaign Overview and Timeline

From late July through early August 2025, multiple security vendors have documented a surge in Akira ransomware attacks targeting SonicWall VPNs.

The campaign has raised concerns about potential zero-day vulnerabilities in SonicWall’s SSL VPN infrastructure, though the company has acknowledged the reports without confirming specific vulnerabilities.

GuidePoint Security’s incident response teams have observed consistent patterns across multiple Akira cases, revealing the group’s systematic use of two specific Windows drivers as part of their attack methodology.

This represents a sophisticated “Bring Your Own Vulnerable Driver” (BYOVD) attack chain designed to achieve kernel-level access and disable security protections.

Technical Attack Methodology

The first driver, rwdrv.sys, originates from ThrottleStop, a legitimate Windows performance tuning utility for Intel processors.

Akira affiliates register this driver as a service to gain privileged kernel-level access to compromised systems.

This legitimate tool, typically used for CPU performance monitoring and throttling override, becomes a pathway for malicious activities when weaponized by threat actors.

The second component, hlpdrv.sys, serves as the primary evasion mechanism.

Once executed, this malicious driver directly modifies Windows Defender’s registry settings, specifically targeting the DisableAntiSpyware value under the Windows Defender policies registry key.

The malware accomplishes this through automated execution of regedit.exe commands, effectively neutralizing one of Windows’ primary security mechanisms.

Security researchers believe the legitimate rwdrv.sys driver enables the execution of the malicious hlpdrv.sys driver, though the exact technical mechanism remains under investigation.

The malicious driver has been catalogued under SHA256 hash bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56 across commercial malware repositories.

SonicWall has issued comprehensive security recommendations for organizations using their VPN infrastructure.

Critical measures include disabling SSLVPN services where feasible, restricting VPN connectivity to trusted IP addresses, implementing multi-factor authentication, and enabling advanced security features like botnet protection and geo-IP filtering.

The prevalence of these drivers across multiple Akira incidents has prompted security researchers to develop specialized YARA detection rules.

These signatures focus on the malicious hlpdrv.sys driver’s unique characteristics, including its PE structure, import functions, and embedded strings, enabling proactive threat hunting and incident response capabilities.
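The driver loads, Defender policy tamper and regedit.exe activity described above can be hunted in endpoint telemetry without waiting for a file signature to match. The following is an added example, not the researchers' YARA rules or any vendor's code: it scores Sysmon-style event records (field names assumed; the records themselves are constructed) and alerts only when a suspect driver load and the Defender policy change co-occur on one host.

```python
"""Hunt for the Akira BYOVD chain in Sysmon-style events (added example, constructed data)."""
from collections import defaultdict

HLPDRV_SHA256 = "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56"  # from the report
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender\disableantispyware"

def assess_event(ev: dict) -> list[str]:
    """Return detection tags for one event (Sysmon field names are an assumption)."""
    tags = []
    eid = ev.get("EventID")
    if eid == 6:  # Sysmon: driver loaded
        name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if name in SUSPECT_DRIVERS:
            tags.append(f"driver_load:{name}")
        for part in ev.get("Hashes", "").split(","):  # "SHA256=...,MD5=..." style
            if part.lower() == f"sha256={HLPDRV_SHA256}":
                tags.append("known_hlpdrv_hash")
    elif eid == 13:  # Sysmon: registry value set
        target = ev.get("TargetObject", "").lower()
        if target == DEFENDER_POLICY and ev.get("Details", "").endswith("0x00000001)"):
            tags.append("defender_disabled_by_policy")
    elif eid == 1:  # Sysmon: process created
        if ev.get("Image", "").rsplit("\\", 1)[-1].lower() == "regedit.exe":
            tags.append("regedit_exec")  # weak alone; supporting signal beside the others
    return tags

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Collect tags per host so the chain can be judged as a whole, not event by event."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]].update(assess_event(ev))
    return {host: sorted(tags) for host, tags in per_host.items()}

def is_byovd_chain(tags: list[str]) -> bool:
    """Alert only on driver load plus Defender tamper; either alone is a lead, not an alert."""
    return any(t.startswith("driver_load:") for t in tags) and "defender_disabled_by_policy" in tags

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Computer": "WS01", "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys", "Hashes": "SHA256=0000"},
    {"Computer": "WS01", "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\hlpdrv.sys",
     "Hashes": f"SHA256={HLPDRV_SHA256.upper()}"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\regedit.exe", "CommandLine": r"regedit.exe /s C:\Windows\Temp\d.reg"},
    {"Computer": "WS01", "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Computer": "WS02", "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, "ALERT" if is_byovd_chain(tags) else "ok", tags)
```

In a real deployment the per-host window should be time-bounded and the driver-load check extended to service-install events (the page notes rwdrv.sys is registered as a service).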

This campaign underscores the evolving sophistication of ransomware operations, where legitimate administrative tools become weapons in the hands of cybercriminals seeking to circumvent modern security architectures.
