
Cybercriminals have reportedly discovered a method to bypass Microsoft Defender and install ransomware on personal computers.

Windows PCs are reportedly harboring an unassuming PC driver that functions as a gateway for ransomware attacks.

Microsoft Defender bypassed allowing ransomware installation on PCs, according to a recent report.


In a recent report, cybersecurity firm GuidePoint Security described a new method used by hackers to spread the Akira ransomware on Windows PCs. The attack abuses a legitimate PC driver called "rwdrv.sys," which is used by performance-tuning software for Intel CPUs, to bypass Microsoft Defender's protection [1][3][5].

The attackers register the legitimate driver as a system service, enabling them to gain kernel-level access. They then load a second malicious driver, "hlpdrv.sys," which modifies Microsoft Defender's settings in the Windows Registry, specifically the DisableAntiSpyware value, effectively disabling Defender's protection [1][3][5].

This technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows attackers to leverage trusted, digitally signed drivers with known vulnerabilities or weaker security controls to escalate privileges and disable security tools stealthily [1][3][5]. Because such drivers are legitimate and signed, this approach avoids triggering antivirus alerts.

Researchers from GuidePoint Security have been tracking this activity since mid-July 2025 and have published YARA detection rules, indicators of compromise, and recommendations for blocking untrusted drivers and monitoring suspicious activity [1][3][5]. However, the report does not specify the exact method hackers use to install the malicious drivers on Windows PCs.
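The two observable actions the report describes, a service registration or load of the named driver files followed by a write of `DisableAntiSpyware` to Defender's registry key, are exactly what a detection engineer would correlate. The following is an added illustrative sketch, not GuidePoint's published YARA rules nor any code from the report: it runs over constructed, Sysmon-style sample events, and the event schema, the field names and the two Defender registry paths it checks are assumptions.

```python
"""Correlate suspect driver activity with Defender being disabled via the registry.

Added example: the event format below is a constructed, simplified stand-in
for Sysmon/Security-log records, not GuidePoint's detection content.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Driver file names named in the report.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Assumption: the policy key and the product key where DisableAntiSpyware is read.
DEFENDER_KEYS = {
    r"hklm\software\policies\microsoft\windows defender",
    r"hklm\software\microsoft\windows defender",
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "service_install", "driver_load" or "registry_set"
    detail: dict   # image_path for drivers; key/value/data for registry writes


def driver_name(image_path: str) -> str:
    # ntpath handles Windows separators and the "\??\" device prefix on any OS.
    return ntpath.basename(image_path).lower()


def is_suspect_driver_event(ev: Event) -> bool:
    if ev.kind not in ("service_install", "driver_load"):
        return False
    return driver_name(ev.detail.get("image_path", "")) in SUSPECT_DRIVERS


def is_defender_disable_event(ev: Event) -> bool:
    if ev.kind != "registry_set":
        return False
    key = ev.detail.get("key", "").lower()
    value = ev.detail.get("value", "").lower()
    data = str(ev.detail.get("data", ""))
    return key in DEFENDER_KEYS and value == "disableantispyware" and data == "1"


def find_byovd_chain(events, window=timedelta(minutes=30)):
    """Return one finding per host: 'high' when a Defender-disable write follows a
    suspect driver event within `window`, 'medium' when either appears alone."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    for host, evs in by_host.items():
        drivers = [e for e in evs if is_suspect_driver_event(e)]
        disables = [e for e in evs if is_defender_disable_event(e)]
        chained = False
        for d in disables:
            prior = [x for x in drivers if timedelta(0) <= d.ts - x.ts <= window]
            if prior:
                findings.append({
                    "host": host, "severity": "high",
                    "reason": "DisableAntiSpyware set to 1 after suspect driver activity",
                    "drivers": sorted({driver_name(x.detail["image_path"]) for x in prior}),
                })
                chained = True
        if not chained:
            if drivers:
                findings.append({"host": host, "severity": "medium",
                                 "reason": "suspect driver registered or loaded",
                                 "drivers": sorted({driver_name(x.detail["image_path"]) for x in drivers})})
            if disables:
                findings.append({"host": host, "severity": "medium",
                                 "reason": "DisableAntiSpyware set to 1", "drivers": []})
    return findings


# Constructed sample telemetry (not real captures).
T0 = datetime(2025, 8, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", "service_install", {"image_path": r"\??\C:\Windows\Temp\rwdrv.sys"}),
    Event(T0 + timedelta(minutes=2), "ws01", "driver_load", {"image_path": r"C:\Windows\Temp\hlpdrv.sys"}),
    Event(T0 + timedelta(minutes=3), "ws01", "registry_set",
          {"key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
           "value": "DisableAntiSpyware", "data": 1}),
    Event(T0 + timedelta(minutes=5), "ws02", "driver_load", {"image_path": r"C:\Windows\System32\drivers\ntfs.sys"}),
    Event(T0 + timedelta(minutes=8), "ws03", "registry_set",
          {"key": r"HKLM\SOFTWARE\Microsoft\Windows Defender",
           "value": "DisableAntiSpyware", "data": "1"}),
]

if __name__ == "__main__":
    for f in find_byovd_chain(SAMPLE_EVENTS):
        print(f)
```

The window-based correlation is the point: either signal alone is noisy (a tuning utility legitimately installs rwdrv.sys; administrators occasionally flip Defender off), but a Defender-disable write minutes after an unsigned-looking path loads one of these drivers is the sequence the report describes, and it ranks above either signal in isolation.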

The exploitation of this vulnerability allows Akira ransomware to spread widely by turning off real-time protection and antivirus without raising immediate alerts, thus effectively bypassing Microsoft Defender and other endpoint protection tools [1][4]. It is still unclear if this attack is widespread or if it primarily targets specific Windows users or systems.

Microsoft Defender is not foolproof against ransomware, and this attack underscores the need for additional security measures. While the loophole exploited by the hackers seems to remain unpatched, PCMag recommends some third-party antivirus software for Windows PCs [2].

For detailed information on the latest Akira ransomware attacks, including possible defenses, visit GuidePoint Security [1][3][5]. As awareness of this attack increases, it may become less effective. However, it is crucial for Windows users to stay vigilant and take necessary precautions to protect their PCs.

Sources:

  1. GuidePoint Security - Akira Ransomware
  2. PCMag - Best Antivirus Software for Windows
  3. BleepingComputer - GuidePoint Security Discovers a New Method Used by Akira Ransomware
  4. ZDNet - Akira ransomware: Hackers bypass Microsoft Defender to infect Windows PCs
  5. CyberScoop - GuidePoint: Akira ransomware uses Intel CPU driver to bypass Defender
