This devious ransomware is able to hijack your system to turn off Microsoft Defender
August 7, 2025 – Published on TechRadar
Akira ransomware has dominated the headlines recently due to its abuse of SonicWall SSL VPNs to gain initial access and deploy an encryptor.
However, while initial access is important, it is still not enough to infect a device, especially if it’s protected by an antivirus or an endpoint detection and response (EDR) solution.
Now, security researchers from GuidePoint Security believe they have seen exactly how Akira disables security solutions, which allows them to drop the ransomware.
In a recent report, researchers from GuidePoint outlined how Akira carries out a bring-your-own-vulnerable-driver (BYOVD) attack, using the initial access to drop two drivers, one of which is legitimate.
“The first driver, rwdrv.sys, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is primarily designed for Intel CPUs,” the researchers explained. “It is often used to override CPU throttling mechanisms, improve performance, and monitor processor behavior in real time.”
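Because rwdrv.sys is a legitimately signed driver, its name alone is a weak signal; defenders usually combine it with where the driver was loaded from and whether the load is signed. The following is an added example, not code from the article or from GuidePoint's report: a small triage routine over Sysmon DriverLoad (Event ID 6) records. The path heuristic, the watchlist and the sample records (including the placeholder name for the second, unnamed driver) are constructed assumptions.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style driver drops.
Added example, not code from the TechRadar article or GuidePoint's report.
Assumes each record is a dict carrying the Sysmon Event ID 6 fields
ImageLoaded and SignatureStatus; watchlist, path heuristic and samples are constructed.
"""
import re

# rwdrv.sys (ThrottleStop) is named in the report. It is a legitimate, signed
# driver, so its name alone is only one signal; the alert needs context.
WATCHLIST = {"rwdrv.sys"}

# Constructed heuristic: drivers loaded from user-writable directories rather
# than an installed program's own folder or System32\drivers.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)

def score_driver_load(event):
    """Return (score, reasons) for one Sysmon Event ID 6 record."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"watchlisted driver name: {name}")
    if USER_WRITABLE.match(image):
        reasons.append("loaded from a user-writable path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return the records scoring at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_driver_load(ev)
        if score >= threshold:
            hits.append({"image": ev["ImageLoaded"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

# Constructed sample records (paths and the second driver's name are placeholders).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Program Files\ThrottleStop\rwdrv.sys", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\rwdrv.sys", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\PLACEHOLDER_second_driver.sys", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "; ".join(hit["reasons"]))
```

With the constructed samples, the ThrottleStop install in Program Files scores only 1 and is not reported, while the same driver loaded from a user-writable folder and the unsigned placeholder driver both reach the threshold.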