Hackers Bypass Microsoft Defender with a Vulnerable Driver


GuidePoint Security warns of a new attack method with Akira ransomware.

A report from security company GuidePoint Security, which PCWorld was able to review, reveals that hackers can disable Microsoft Defender by exploiting a vulnerable driver, rwdrv.sys. This driver is used for the Intel CPU-tuning tool ThrottleStop. Through this driver, attackers gain access to the system’s kernel.

Injecting Own Driver

With these elevated privileges, criminals can load their own malicious driver, in this case hlpdrv.sys. The malicious driver modifies the Windows registry and disables essential protection features of Microsoft Defender. Then the Akira ransomware can be installed and executed.

According to GuidePoint Security, this method has been used in Akira campaigns since July. It is a targeted “two-point attack”: first the vulnerable driver is exploited, then the security software is disabled.

Protection

Users are advised to use reliable antivirus software and always keep Windows and security packages up to date. Regular updates ensure that new malware variants are recognized and blocked more quickly.
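The following triage script is an added example written from the defender's side; it is not from the GuidePoint report or the PCWorld article. It checks a Windows host for the two driver names the article mentions (rwdrv.sys and hlpdrv.sys) and reports whether Defender's real-time and tamper protection are still on, which is the outcome an administrator would want to verify. It assumes an elevated PowerShell session with the built-in Defender module; all variable names and the output layout are this example's own.

```powershell
# Added example (not from the GuidePoint report or the PCWorld article).
# Assumes: run as Administrator on Windows with the Defender PowerShell module.
# The driver file names below come from the article; everything else is assumed.

$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')

# 1. Is either driver registered as a kernel driver with the Service Control Manager?
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($suspectDrivers -contains (Split-Path $_.PathName -Leaf)) }

if ($loaded) {
    foreach ($d in $loaded) {
        Write-Warning ("Kernel driver present: {0} state={1} path={2}" -f $d.Name, $d.State, $d.PathName)
    }
} else {
    Write-Output "No rwdrv.sys / hlpdrv.sys driver is registered with the Service Control Manager."
}

# 2. Also walk the service registry keys: a driver service whose ImagePath points at
#    one of the files is worth a look even if the driver is not currently running.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ($suspectDrivers -contains (Split-Path $img -Leaf))) {
            Write-Warning ("Service '{0}' points at {1}" -f $_.PSChildName, $img)
        }
    }

# 3. Has Defender's protection been switched off? On a host that should have all of
#    these enabled, any $false here is the end state the article describes.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
}

# 4. A driver that was loaded and then removed leaves no running service, so scan
#    recent System-log entries (service installs/starts are recorded there) for the names.
Get-WinEvent -LogName System -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        ($suspectDrivers | Where-Object { $msg -like "*$_*" }) -ne $null
    } |
    Select-Object TimeCreated, Id, ProviderName, Message -First 20
```

Run it from an elevated prompt; a clean host prints the "No rwdrv.sys / hlpdrv.sys" line, a status object with every field set to True, and no event rows. A present driver or a False protection flag is the signal to investigate further, since the script only reports state and does not remove anything.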