The campaign, observed from late July through early August 2025, represents a concerning evolution in ransomware tactics that combines zero-day exploitation with Bring Your Own Vulnerable Driver (BYOVD) techniques.
Multiple security vendors have reported active exploitation of SonicWall VPN infrastructure, with organizations including Huntress, Arctic Wolf, and Truesec documenting increased Akira ransomware activity targeting these devices.
While SonicWall has acknowledged the reports, no specific vulnerability has been officially disclosed, leading researchers to suspect an unreported zero-day exploit is being used for initial access.
The threat actors gain initial access through compromised SonicWall SSL VPN services before deploying two specific Windows drivers to maintain persistence and evade security controls.
SonicWall has recommended immediate defensive measures, including disabling SSL VPN services where practical, implementing multi-factor authentication, and enabling botnet protection with geo-IP filtering.
Researchers identified two critical drivers in the attack chain: rwdrv.sys and hlpdrv.sys.
The first, rwdrv.sys, is a legitimate driver from the ThrottleStop utility used for Intel CPU performance tuning, which attackers register as a service to gain kernel-level access.
The malicious hlpdrv.sys driver (SHA256: bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56) specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through regedit.exe execution.
GuidePoint Security has released a comprehensive YARA rule for detecting the hlpdrv.sys driver, which validates PE file structure, imports from ntoskrnl.exe, and specific artifact strings including device names like \Device\KMHLPDRV.
The rule requires at least seven of nine specific import functions and three unique artifact strings for accurate detection.
Organizations should immediately implement the recommended SonicWall hardening measures and deploy the provided YARA signatures for proactive threat hunting, as these drivers have been observed across multiple recent Akira ransomware incidents.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Akira Ransomware Uses Windows Drivers to Evade AV/EDR in SonicWall Attacks appeared first on Cyber Security News.
PhantomRPC, a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding two actively…
It seems a return to Star Wars could be in the cards for Gina Carano…
A new weekend has arrived, and today, you can save big on Apple AirTags, 4K…
Tension: We cling to life plans that stopped working years ago, unable to admit the…
Tension: We cling to life plans that stopped working years ago, unable to admit the…
This website uses cookies.