
Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks

Threat Score: 67 | 7 articles | 100.0% similarity | 3 days ago

Article Timeline

7 articles: five published on Aug 06 and two on Aug 07 (oldest to latest).

Key Insights

1. Threat actors are exploiting legitimate drivers, specifically ThrottleStop.sys, to disable antivirus protections and facilitate ransomware deployments, with attacks observed since October 2024.
2. The Akira ransomware group is employing sophisticated tactics, using legitimate Windows drivers to bypass antivirus and endpoint detection systems, significantly raising the stakes for enterprise cybersecurity.
3. Initial access for these attacks often occurs through compromised RDP credentials, highlighting the risks associated with weak password policies and exposed remote access points.
4. Kaspersky detected the malicious software, Win64.KillAV, which terminates antivirus processes, allowing ransomware such as the MedusaLocker variant to encrypt files without detection.
5. GuidePoint Security reported a notable increase in Akira ransomware attacks from late July through early August 2025, targeting SonicWall VPN infrastructure and potentially exploiting zero-day vulnerabilities.
6. The exploitation of legitimate drivers as part of a Bring Your Own Vulnerable Driver (BYOVD) attack chain represents a significant evolution in ransomware tactics, complicating detection and response efforts.

Threat Overview

In a concerning trend, cybersecurity researchers have identified a series of sophisticated attacks leveraging legitimate Windows drivers to disable antivirus software and facilitate ransomware deployment. Since October 2024, threat actors have been using the ThrottleStop.sys driver to execute a Bring Your Own Vulnerable Driver (BYOVD) tactic, effectively allowing them to bypass security protections. According to Kaspersky, the malware involved, identified as Win64.KillAV, systematically terminates antivirus processes, paving the way for ransomware variants such as MedusaLocker to operate undetected. Initial access in these incidents has frequently been attributed to compromised Remote Desktop Protocol (RDP) credentials, particularly in cases stemming from Belgium, where weak password policies and exposed remote access were exploited.

The Akira ransomware group has been particularly active in recent months, with a surge of attacks reported from late July through early August 2025, targeting SonicWall VPN infrastructure. GuidePoint Security noted that this escalation may involve the exploitation of zero-day vulnerabilities in SonicWall's SSL VPN systems, although specific vulnerabilities have not yet been confirmed by the company. Jason Baker, a threat intelligence consultant at GuidePoint, stated, "We have observed Akira affiliates exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse."

The attack methodology includes registering the ThrottleStop.sys driver as a service to gain kernel-level access, which allows the installation of additional malicious components, including hlpdrv.sys, that directly manipulate Windows Defender settings. This tactic was highlighted by researchers who noted that the malware modifies registry settings to disable security features entirely, thus granting attackers unchecked access to the target systems.

In response to these developments, security vendors are emphasizing the need for proactive detection and remediation strategies. SonicWall has advised customers to disable SSLVPN temporarily, a significant recommendation given the reliance on this service for secure remote access. Meanwhile, Kaspersky's products, which include self-defense mechanisms, have proven effective against some of these tactics, although the evolving nature of these attacks presents ongoing challenges.

Experts recommend that organizations enforce strong password policies and implement multi-factor authentication to mitigate the risks associated with RDP exposure. Additionally, regular updates and patches to antivirus systems and a comprehensive monitoring strategy are crucial to defend against these advanced threats.
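The monitoring recommended above can be made concrete with a small hunt over endpoint telemetry. The following Python script is an added example, not code from any of the cited articles or from ThreatCluster: it scans constructed Windows System log service-install records (Event ID 7045) and Sysmon driver-load records (Event ID 6) for the pattern the overview describes, namely the driver names reported in this cluster (rwdrv.sys, ThrottleStop.sys, hlpdrv.sys) being registered as a service or loaded, plus the more general case of any kernel-mode driver service installed from outside the usual driver directories. The expected driver directories, the plain-dict event layout and every sample event are assumptions made for the example.

```python
"""Hunt for the BYOVD pattern described in this cluster: a signed-but-abusable
driver registered as a kernel service from an unusual path, followed by a
second driver load. Added example; all events below are constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Driver file names reported in this cluster (rwdrv.sys is the driver shipped
# with ThrottleStop; hlpdrv.sys is the second, malicious driver). Compared
# case-insensitively against the file name of each ImagePath/ImageLoaded.
WATCHLIST = {"rwdrv.sys", "throttlestop.sys", "hlpdrv.sys"}

# Directories kernel drivers are normally installed from (assumption; tune per estate).
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


@dataclass
class Finding:
    event_id: int
    host: str
    service: str
    path: str
    reason: str


def normalise_image_path(raw: str) -> str:
    """Reduce the forms seen in ImagePath/ImageLoaded to one lower-case path:
    surrounding quotes, the \\??\\ NT prefix, \\SystemRoot\\ and bare system32\\."""
    p = raw.strip().strip('"')
    p = re.sub(r"^\\\?\?\\", "", p)
    p = re.sub(r"^\\SystemRoot\\", r"C:\\Windows\\", p, flags=re.IGNORECASE)
    p = re.sub(r"^system32\\", r"C:\\Windows\\System32\\", p, flags=re.IGNORECASE)
    return str(PureWindowsPath(p)).lower()


def in_expected_dir(path: str) -> bool:
    """True when a normalised path sits under one of the expected driver directories."""
    return any(path.startswith(d + "\\") for d in EXPECTED_DRIVER_DIRS)


def hunt(events):
    """Return a Finding for each event that matches the BYOVD indicators."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7045:  # System log: "A service was installed in the system"
            path = normalise_image_path(ev["ImagePath"])
            name = PureWindowsPath(path).name
            if name in WATCHLIST:
                findings.append(Finding(eid, ev["Host"], ev["ServiceName"], path,
                                        "watchlisted driver registered as a service"))
            elif ev.get("ServiceType") == "kernel mode driver" and not in_expected_dir(path):
                findings.append(Finding(eid, ev["Host"], ev["ServiceName"], path,
                                        "kernel driver registered from an unusual path"))
        elif eid == 6:  # Sysmon: DriverLoad
            path = normalise_image_path(ev["ImageLoaded"])
            if PureWindowsPath(path).name in WATCHLIST:
                # A valid signature does not clear the hit: the driver is
                # legitimate but abusable, which is the point of BYOVD.
                findings.append(Finding(eid, ev["Host"], "", path,
                                        f"watchlisted driver loaded (Signed={ev.get('Signed')})"))
    return findings


# Constructed sample telemetry (not from any article): two hosts showing the
# pattern, one host with ordinary driver and service installs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "WS01", "ServiceName": "rwdrv",
     "ImagePath": r"\??\C:\Users\Public\rwdrv.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 6, "Host": "WS01", "ImageLoaded": r"C:\Users\Public\hlpdrv.sys",
     "Signed": "true"},
    {"EventID": 7045, "Host": "WS02", "ServiceName": "vmci",
     "ImagePath": r"\SystemRoot\System32\drivers\vmci.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Host": "WS02", "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"', "ServiceType": "user mode service"},
    {"EventID": 7045, "Host": "WS03", "ServiceName": "updsvc",
     "ImagePath": r"C:\ProgramData\updsvc\cpu.sys", "ServiceType": "kernel mode driver"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.host} {f.service or '-'} {f.path}: {f.reason}")
```

The second rule (kernel driver service from an unusual path) is deliberately broader than the name watchlist, because the same tactic works with any signed driver that exposes raw memory or kernel primitives; it will produce some benign hits from vendor installers, so treat it as a triage queue rather than an alert on its own.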

Tactics, Techniques & Procedures (TTPs)

T1068 Exploitation of Elevation of Privilege - Attackers exploit valid drivers to gain kernel-level access and disable antivirus protections [1][5]
T1086 PowerShell - Lateral movement through PowerShell tools such as Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1 [1][2]
T1559 External Remote Services - Initial access through compromised RDP credentials leading to further exploitation [4][6]
T1562 Impair Defenses - Use of legitimate drivers to disable antivirus and endpoint detection systems [3][4]
T1021 Remote Services - Exploiting RDP for lateral movement and initial access [2][5]
T1203 Exploitation for Client Execution - Utilizing legitimate drivers to execute malicious payloads without detection [7]
T1071 Application Layer Protocol - Communication with command and control servers to facilitate ransomware deployment [2][3]

Timeline of Events

2024-10: Initial discovery of the BYOVD tactic using ThrottleStop.sys in cyberattacks [1]
2025-07-15: Increase in Akira ransomware attacks targeting SonicWall VPNs reported by GuidePoint Security [6]
2025-08-06: Kaspersky identifies the Win64.KillAV malware and its effects on antivirus processes [1]
2025-08-07: SonicWall acknowledges rise in incidents involving their SSL VPNs and advises customers to disable the service [6]
2025-08-07: Researchers report ongoing exploitation of legitimate drivers in ransomware attacks [4][7]

Source Citations

Expert quotes: Kaspersky (Article 1); SonicWall (Article 6); GuidePoint Security (Article 6)
Primary findings: BYOVD tactics (Articles 1, 2, 5); SonicWall vulnerabilities (Articles 2, 6); ransomware deployment evidence (Articles 3, 4, 6)
Technical details: attack methods (Articles 1, 2, 3); malware analysis (Articles 4, 5)
Powered by ThreatCluster AI
Generated 1 day ago
AI analysis may contain inaccuracies

Related Articles

7 articles

1. Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks
Cybersecurity News, 3 days ago. Score 61, 95.0% similarity.

A sophisticated evasion technique employed by Akira ransomware affiliates, exploiting legitimate Windows drivers to bypass antivirus and endpoint detection and response (EDR) systems during recent SonicWall VPN attack campaigns. The attacks, which have escalated from late July through early August 2025, demonstrate the threat actors' evolving tactics to maintain persistence and avoid detection in compromised […]
2. Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks
GB Hackers, 3 days ago. Score 55, 98.0% similarity.

Security researchers have identified a sophisticated new tactic employed by Akira ransomware operators, who are exploiting legitimate Windows drivers to evade antivirus and endpoint detection systems while targeting SonicWall VPN infrastructure. This development represents a significant escalation in the group's technical capabilities and poses serious challenges for enterprise cybersecurity defenses. Campaign Overview a
3. Hackers Exploit Legitimate Drivers to Disable Antivirus and Weaken System Defenses
GB Hackers, 2 days ago. Score 54, 100.0% similarity.

Threat actors have been deploying a novel antivirus (AV) killer since at least October 2024, leveraging the legitimate ThrottleStop.sys driver to execute Bring Your Own Vulnerable Driver (BYOVD) tactics. This malware, detected by Kaspersky as Win64.KillAV, systematically terminates AV processes, paving the way for ransomware deployment like the MedusaLocker variant (Trojan-Ransom.Win32.PaidMeme). The incident bega
4. Akira ransomware abuses CPU tuning tool to disable Microsoft Defender
BleepingComputer (Bill Toulas, August 6, 2025), 3 days ago. Score 53, 100.0% similarity.

Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender in attacks from security tools and EDRs running on target machines. The abused driver is 'rwdrv.sys' (used by ThrottleStop), which the threat actors register as a service to gain kernel-level access. This driver is likely used to load a second driver, 'hlpdrv.sys,' a malicious tool that manipula
5. Hackers Use Legitimate Drivers to Kill Antivirus Processes and Lower The System's Defenses
Cybersecurity News, 2 days ago. Score 49, 100.0% similarity.

In a sophisticated campaign first observed in October 2024, attackers have begun leveraging a legitimate driver to disable antivirus software across compromised networks. By abusing the ThrottleStop.sys driver, originally designed by TechPowerUp to manage CPU throttling, the malware gains kernel-level memory access to terminate security processes at will. Initial access is most often achieved through stolen RDP […]
6. Driver of destruction: How a legitimate driver is being used to take down AV processes
Kaspersky Securelist (Cristian Souza, Ashley Muñoz, Eduardo Ovalle, Francesco Figurelli, Anderson Leite), 3 days ago. Score 48, 86.0% similarity.

Introduction: In a recent incident response case in Brazil, we spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October
7. Akira affiliates abuse legitimate Windows drivers to evade detection in SonicWall attacks
CSO Online, 3 days ago. Score 47, 94.0% similarity.

Threat researchers at GuidePoint Security have uncovered Akira affiliates abusing legitimate Windows drivers in a previously unreported tactic, even as the ransomware strain intensifies its targeting of SonicWall firewalls. According to GuidePoint's threat intelligence consultant Jason Baker, Akira attackers were found hijacking two common Windows drivers as kernel-level tools to evade antivirus and EDR systems. "We have observed Akira affiliates exploiting two common drivers as part of a suspec


Cluster Intelligence

Key entities and indicators for this cluster

INDUSTRIES: Information Technology; Cybersecurity
VULNERABILITIES: Denial of Service; Privilege Escalation
MALWARE: Win64.KillAV; MedusaLocker
MITRE ATT&CK: T1559; T1021; T1071; T1068; T1086
ATTACK TYPES: Malware Deployment; Exploitation; AV Evasion; BYOVD; Ransomware
SECURITY VENDORS: GuidePoint Security; Kaspersky
COMPANIES: GuidePoint Security; SonicWall; Kaspersky
COUNTRIES: Belgium
RANSOMWARE: MedusaLocker; Akira
PLATFORMS: Windows
CLUSTER INFORMATION: Cluster #1730, created 3 days ago, semantic algorithm
