Hackers Use Intel Driver to Disable Microsoft Defender in Akira Ransomware Attacks

Bisma Farrukh

Hackers behind the Akira ransomware now use a legitimate Intel CPU tuning driver to disable Microsoft Defender and bypass system protections.
According to GuidePoint Security and a report by Bleeping Computer, attackers load the Intel driver rwdrv.sys, used by the ThrottleStop utility, and register it as a system service. That service gives them kernel-level access, which they then use to load a second, malicious driver called hlpdrv.sys.
Once executed, the malicious driver modifies Microsoft Defender settings through the Windows Registry. It runs regedit.exe to change the DisableAntiSpyware value, effectively turning off key security features.
This method uses a known tactic called Bring Your Own Vulnerable Driver (BYOVD). Attackers use legitimate drivers that are digitally signed but have known security flaws to gain higher access and turn off protections during their attacks.
Researchers found that this method lets attackers bypass security measures without triggering standard antivirus alerts. With Defender disabled, the ransomware can operate across the system without restriction. GuidePoint Security released YARA rules, indicators of compromise (IoCs), file paths, and service names to help organizations detect and block this activity. They advise system administrators to:
- Monitor for Akira-related behavior.
- Apply filters based on known indicators.
- Block execution of untrusted drivers.
- Download software only from verified sources.
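The following PowerShell script is an added example, not GuidePoint's tooling or part of the original report, showing how an administrator could hunt a host for the chain described above: a service backed by rwdrv.sys or hlpdrv.sys, either driver loaded in the kernel, and the DisableAntiSpyware registry change. It assumes the standard Defender policy key locations and matches on driver file names, since the article does not list the service names.

```powershell
# Added example (not from GuidePoint or the article): hunts a Windows host for the
# Akira BYOVD chain. Matches on the driver file names the article gives; the
# Defender registry paths below are the standard locations (assumed, not from the page).
$SuspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$Findings = @()

# 1. Services whose ImagePath points at either driver (kernel drivers loaded as
#    services are registered under HKLM\SYSTEM\CurrentControlSet\Services).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath) {
        $leaf = [System.IO.Path]::GetFileName($svc.ImagePath.Trim('"')).ToLower()
        if ($SuspectDrivers -contains $leaf) {
            $Findings += [pscustomobject]@{
                Check  = 'DriverService'
                Detail = "$($_.PSChildName) -> $($svc.ImagePath) (Type=$($svc.Type) Start=$($svc.Start))"
            }
        }
    }
}

# 2. Either driver currently loaded, which also catches a service that was created,
#    used and then deleted while the driver stayed resident.
Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.PathName -and ($SuspectDrivers -contains ([System.IO.Path]::GetFileName($_.PathName).ToLower()))
} | ForEach-Object {
    $Findings += [pscustomobject]@{
        Check  = 'LoadedDriver'
        Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)"
    }
}

# 3. The tamper marker the malicious driver writes via regedit: DisableAntiSpyware = 1.
$DefenderKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender'
)
foreach ($key in $DefenderKeys) {
    $val = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($val -eq 1) {
        $Findings += [pscustomobject]@{ Check = 'DefenderDisabled'; Detail = "$key\DisableAntiSpyware = $val" }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No Akira BYOVD indicators found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated prompt; a hit on any of the three checks should be cross-referenced with GuidePoint's published IoCs and service names before treating it as confirmed compromise.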
Researchers have warned that attackers increasingly spread malware through fake websites that pretend to be legitimate tools.
This attack was found early, and a fix is already available. This incident shows how hackers continue to use trusted software to disable security measures.