The campaign, observed from late July through early August 2025, represents a concerning evolution in ransomware tactics that combines zero-day exploitation with Bring Your Own Vulnerable Driver (BYOVD) techniques.
Multiple security vendors have reported active exploitation of SonicWall VPN infrastructure, with organizations including Huntress, Arctic Wolf, and Truesec documenting increased Akira ransomware activity targeting these devices.
While SonicWall has acknowledged the reports, no specific vulnerability has been officially disclosed, leading researchers to suspect an unreported zero-day exploit is being used for initial access.
The threat actors gain initial access through compromised SonicWall SSL VPN services before deploying two specific Windows drivers to maintain persistence and evade security controls.
SonicWall has recommended immediate defensive measures, including disabling SSL VPN services where practical, implementing multi-factor authentication, and enabling botnet protection with geo-IP filtering.
Researchers identified two critical drivers in the attack chain: rwdrv.sys and hlpdrv.sys.
The first, rwdrv.sys, is a legitimate driver from the ThrottleStop utility used for Intel CPU performance tuning, which attackers register as a service to gain kernel-level access.
The malicious hlpdrv.sys driver (SHA256: bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56) specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through regedit.exe execution.
GuidePoint Security has released a comprehensive YARA rule for detecting the hlpdrv.sys driver, which validates PE file structure, imports from ntoskrnl.exe, and specific artifact strings including device names like \Device\KMHLPDRV.
The rule requires at least seven of nine specific import functions and three unique artifact strings for accurate detection.
Organizations should immediately implement the recommended SonicWall hardening measures and deploy the provided YARA signatures for proactive threat hunting, as these drivers have been observed across multiple recent Akira ransomware incidents.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Akira Ransomware Uses Windows Drivers to Evade AV/EDR in SonicWall Attacks appeared first on Cyber Security News.
In a major escalation of supply chain attacks, the GlassWorm malware campaign has evolved to…
A single shot protected mice from the protein gunk implicated in Alzheimer’s disease. Alzheimer’s disease…
If you have an interest in video and movie making then you are going to…
If you want to become a DJ or love mixing sounds then this music mixer…
If you are into brands and love solving quizzes then this logo quiz is an…
Artificial intelligence is increasingly positioned as a key enabler of renewable energy adoption. From wind…
This website uses cookies.