The Akira ransomware employs Windows drivers to evade antivirus and endpoint detection and response systems during attacks on SonicWall.
Akira ransomware affiliates have recently employed sophisticated evasion techniques that abuse legitimate Windows drivers to bypass antivirus and endpoint detection and response (EDR) systems during SonicWall VPN attack campaigns. These attacks, which escalated from late July through early August 2025, highlight the evolving tactics of threat actors aiming to maintain persistence and avoid detection in compromised environments. Notably, Akira uses two specific Windows drivers in a Bring Your Own Vulnerable Driver (BYOVD) attack methodology. The first driver, Rwdrv.sys, is a legitimate component of ThrottleStop, a Windows performance tuning utility for Intel CPUs. By registering this driver as a service, threat actors gain kernel-level access to compromised systems. The second driver, Hlpdrv.sys, directly targets Windows Defender, modifying registry settings to disable its anti-spyware protections.
The driver-based evasion techniques have been consistently observed across multiple Akira ransomware incident response cases linked to SonicWall VPN exploitation. Although the exact vulnerability remains undisclosed, SonicWall has acknowledged the threat and issued emergency recommendations. These include disabling SSLVPN services where feasible, implementing multi-factor authentication (MFA), and enabling Botnet protection with Geo-IP filtering. Security teams can detect these threats using YARA rules that identify the malicious Hlpdrv.sys driver based on its PE file structure and specific imports from Ntoskrnl.exe. Organisations are advised to prioritise hunting for these indicators while implementing SonicWall’s recommended hardening measures to prevent initial access.
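As an added illustration (not from the original write-up or from SonicWall), the following Python hunts over constructed Windows event records for the two indicators described above: a kernel-mode driver service being installed for Rwdrv.sys or Hlpdrv.sys (System log event 7045), and a Defender anti-spyware policy value being set (Sysmon event 13). The `DisableAntiSpyware` policy value is assumed here as the registry change the article refers to, since the article does not name the exact key, and the simplified `key=value` event format is a stand-in for whatever your SIEM exports.

```python
import re

# Constructed sample events (not real telemetry) in a simplified key=value
# layout mimicking System log 7045 (service installed) and Sysmon 13 (registry set).
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName=rwdrv ImagePath=C:\\Users\\Public\\rwdrv.sys ServiceType="kernel mode driver" StartType="demand start"',
    'EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType="user mode service" StartType="auto start"',
    'EventID=7045 ServiceName=hlpdrv ImagePath=C:\\ProgramData\\hlpdrv.sys ServiceType="kernel mode driver" StartType="demand start"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" Details="DWORD (0x00000001)"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Example\\Setting" Details="DWORD (0x00000001)"',
]

# Driver file names named in the write-up; Rwdrv.sys is legitimate ThrottleStop
# code, so hosts that really run ThrottleStop need an allowlist exception.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumed Defender policy value for the "disable anti-spyware" change.
DEFENDER_TAMPER_VALUE = r"\Windows Defender\DisableAntiSpyware"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return an alert string for a suspicious event, or None if it is benign."""
    if event.get("EventID") == "7045":
        image = event.get("ImagePath", "")
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # A kernel driver service pointing at one of the named driver files.
        if name in SUSPECT_DRIVERS and "kernel" in event.get("ServiceType", "").lower():
            return f"BYOVD: kernel driver service '{event.get('ServiceName')}' loads {name} from {image}"
    elif event.get("EventID") == "13":
        target = event.get("TargetObject", "")
        # DWORD 1 on the policy value turns Defender's anti-spyware engine off.
        if target.lower().endswith(DEFENDER_TAMPER_VALUE.lower()) and "0x00000001" in event.get("Details", ""):
            return f"Defender tamper: {target} set to 1"
    return None

def scan(lines):
    """Run classify over every event line and return the list of alerts raised."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed events raises three alerts (both driver services and the Defender policy change) and ignores the Spooler service and the unrelated registry write.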