Akira ransomware abuses CPU tuning tool to disable Microsoft Defender

What’s new: Akira ransomware affiliates are abusing ‘rwdrv.sys’, the legitimately signed kernel driver bundled with the ThrottleStop Intel CPU tuning utility, to disable Microsoft Defender on targeted hosts. This is a ‘Bring Your Own Vulnerable Driver’ (BYOVD) attack: rather than exploiting a bug in Windows, the attacker installs a driver that Windows trusts, then uses that driver’s privileged read/write capabilities to gain kernel-level access and tamper with Defender’s settings. The tactic has been observed since July 15, 2025, and security researchers have published YARA rules and indicators of compromise (IoCs) so defenders can hunt for the driver and the activity around it.

Who’s affected

Organizations that rely on Microsoft Defender as their endpoint protection are exposed, particularly on hosts where Microsoft’s vulnerable driver blocklist and tamper protection are not enforced. Organizations running SonicWall SSL VPN are also at elevated risk if they have not applied SonicWall’s recommended hardening, since the same Akira activity has been linked to intrusions that begin with a suspected vulnerability in SonicWall SSL VPN.

What to do

  • Disable SSLVPN on SonicWall devices where feasible, or restrict it to trusted source IP ranges.
  • Enforce multi-factor authentication (MFA) for all remote access, including VPN and local administrator accounts.
  • Enable Botnet/Geo-IP protection on the firewall and remove unused or stale accounts.
  • Monitor for Akira-related activity using the published YARA rules and IoCs (the driver file and its hashes included), and update filters as new indicators emerge.
  • Only download software from vendors’ official sites; Akira affiliates also gain initial access through trojanized installers.
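The monitoring item above is the one most directly tied to the BYOVD technique described at the top of this brief. The following hunting script is an added example written for this page; it is not the researchers’ published tooling or SonicWall’s guidance. It assumes it is run as Administrator on a Windows endpoint, that you fill `$KnownBadHashes` from the published IoC list (left empty here), and it uses standard Windows event IDs: 7045 (Service Control Manager, new service installed) and Defender’s own 5001/5010/5012 (real-time protection or scanning disabled). It checks four things: whether `rwdrv.sys` is registered or loaded, whether any kernel driver service was installed recently, whether Defender has been turned off by policy or at runtime, and whether the vulnerable driver blocklist and HVCI that would block known BYOVD drivers are actually enforced.

```powershell
# Added hunting script (not from the original brief or from the researchers who
# published the YARA rules). Assumptions: run as Administrator; $KnownBadHashes is
# a placeholder to be filled from the published IoC list; lookback is 30 days.

$DriverName     = 'rwdrv.sys'
$KnownBadHashes = @()          # assumption: SHA256 strings you paste in from the vendor IoC list
$LookbackDays   = 30
$since          = (Get-Date).AddDays(-$LookbackDays)
$Findings       = New-Object System.Collections.Generic.List[string]

# 1. Is the abused driver registered as a kernel service, and is it currently loaded?
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$DriverName*") } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''      # strip the \??\ NT prefix if present
        $hash = if (Test-Path $path) { (Get-FileHash -Algorithm SHA256 $path).Hash } else { 'file missing' }
        $line = "driver: $($_.Name) state=$($_.State) start=$($_.StartMode) path=$path sha256=$hash"
        if ($KnownBadHashes -contains $hash) { $line += ' [MATCHES PUBLISHED IoC]' }
        $Findings.Add($line)
    }

# 2. Any kernel driver service installed recently? (7045 properties: ServiceName, ImagePath,
#    ServiceType, StartType, AccountName). BYOVD needs a service to load the driver.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        if ($p[2].Value -like '*kernel*') {
            $Findings.Add("7045: $($_.TimeCreated) service=$($p[0].Value) image=$($p[1].Value)")
        }
    }

# 3. Has Defender been switched off, either by policy key or at runtime?
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $Findings.Add("defender: AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)")
}
$Findings.Add("defender tamper protection: $($mp.IsTamperProtected)")
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring') {
            if ($props.$name -eq 1) { $Findings.Add("defender policy: $key\$name = 1") }
        }
    }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                                 Id = 5001, 5010, 5012; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("defender event $($_.Id) (protection component disabled): $($_.TimeCreated)") }

# 4. Are the controls that stop known vulnerable drivers from loading actually on?
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$Findings.Add("vulnerable driver blocklist enabled: $($ci.VulnerableDriverBlocklistEnable -eq 1)")
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$Findings.Add("HVCI running: $($dg.SecurityServicesRunning -contains 2)")   # 2 = hypervisor-enforced code integrity

$Findings | ForEach-Object { Write-Output $_ }
```

A hit on check 1 or a kernel driver in check 2 with an unfamiliar image path warrants pulling the file for hash comparison against the published IoCs and running the YARA rules over it. Check 4 is the preventive side: if the blocklist and HVCI report false, a signed-but-vulnerable driver such as this one can still be loaded, so the endpoint is relying on detection alone. Note that driver blocklist coverage is only as current as the blocklist version Windows has received, so a recently weaponized driver may load even where the blocklist is on.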
