
Hackers Bypassed Microsoft Defender to Deploy Ransomware on PCs


GuidePoint Security's latest report reveals a sophisticated Akira ransomware campaign exploiting SonicWall VPNs through the strategic use of malicious Windows drivers. The campaign, which began in late July 2025, represents a significant escalation in the group's tactics for evading security controls. 

From late July through early August 2025, multiple security vendors reported a surge in Akira ransomware deployments following SonicWall VPN exploitation. While the underlying cause remains disputed—potentially involving a zero-day vulnerability—SonicWall has acknowledged the activity but hasn't disclosed specific vulnerability details. 

Key technical findings 

GuidePoint's incident response teams identified two drivers consistently used by Akira affiliates in a Bring Your Own Vulnerable Driver (BYOVD) attack chain: 

Primary Driver - rwdrv.sys: This legitimate driver from ThrottleStop, a Windows performance monitoring utility for Intel CPUs, is being weaponized by attackers. Once registered as a service, it provides kernel-level access to compromised systems, essentially giving attackers the highest privileges possible on Windows machines. 

Secondary Driver - hlpdrv.sys: This malicious driver specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through automated registry edits. The driver's hash has been identified in commercial malware repositories. 

The researchers suspect the legitimate rwdrv.sys driver enables execution of the malicious hlpdrv.sys driver, though the exact mechanism remains unclear. 

Detection and response

GuidePoint has developed a comprehensive YARA rule to detect the malicious hlpdrv.sys driver based on its PE structure, imports, and associated strings. The rule validates specific characteristics including section layouts, import functions from ntoskrnl.exe, and unique artifact strings.

The report provides critical Indicators of Compromise (IOCs), including file paths typically found under Users\[REDACTED]\AppData\Local\Temp\ and service registrations under the names "mgdsrv" and "KMHLPSVC".
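To show how the IOCs above (the two driver names, the "mgdsrv" and "KMHLPSVC" service names, driver images under a user's Local\Temp directory, and the DisableAntiSpyware registry change) translate into hunting logic that complements the YARA rule, here is an added example that is not GuidePoint's code or part of the report. It runs over constructed, simplified key=value renderings of Windows System log event 7045 (service installed) and Sysmon events 6 (driver loaded) and 13 (registry value set); the record format, the sample lines, the user names and the unknown "foo.sys" driver are all constructed, and the Defender policy key path used in the sample is the standard policy location, which the post itself does not spell out.

```python
"""Hunt for BYOVD indicators from the GuidePoint Akira report in Windows event records.

Added example (not GuidePoint's tooling). The records are a constructed,
simplified key=value rendering of System log / Sysmon events.
"""
import re
from dataclasses import dataclass

# IOC values quoted in the report.
SUSPECT_SERVICE_NAMES = {"mgdsrv", "kmhlpsvc"}
SUSPECT_DRIVER_NAMES = {"rwdrv.sys", "hlpdrv.sys"}

# A driver image sitting under any user's Local\Temp directory (user-writable).
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Defender policy value that hlpdrv.sys is reported to flip (standard policy path; assumption).
DEFENDER_KEY_RE = re.compile(r"\\policies\\microsoft\\windows defender\\disableantispyware$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_record(line):
    """Parse 'key=value key="quoted value"' records into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def hunt(lines):
    """Return one Finding per record that matches a BYOVD / Defender-tampering indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse_record(line)
        event = r.get("EventID")
        if event == "6":  # Sysmon: driver loaded
            image = r.get("ImageLoaded", "")
            name = image.rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_DRIVER_NAMES:
                findings.append(Finding("known_byovd_driver", n, image))
            elif USER_TEMP_RE.search(image):
                findings.append(Finding("driver_from_user_temp", n, image))
        elif event == "7045":  # System log: a service was installed
            svc = r.get("ServiceName", "").lower()
            path = r.get("ImagePath", "")
            if svc in SUSPECT_SERVICE_NAMES:
                findings.append(Finding("suspect_service_name", n, svc))
            elif r.get("ServiceType", "") == "kernel mode driver" and USER_TEMP_RE.search(path):
                findings.append(Finding("driver_service_from_user_temp", n, path))
        elif event == "13":  # Sysmon: registry value set
            target = r.get("TargetObject", "")
            details = r.get("Details", "").strip().lower()
            # Sysmon renders DWORDs as "DWORD (0x00000001)"; only a value of 1 disables Defender.
            if DEFENDER_KEY_RE.search(target) and details in {"dword (0x00000001)", "1"}:
                findings.append(Finding("defender_disabled_via_registry", n, target))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample records: the first five mirror the reported chain, the rest are benign
# or near-miss controls plus an unknown driver staged from a user Temp directory.
SAMPLE_LOG = [
    'EventID=7045 ServiceName=mgdsrv ImagePath="C:\\Users\\alice\\AppData\\Local\\Temp\\rwdrv.sys" ServiceType="kernel mode driver"',
    'EventID=6 ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\rwdrv.sys" Signed=true',
    'EventID=7045 ServiceName=KMHLPSVC ImagePath="C:\\Users\\alice\\AppData\\Local\\Temp\\hlpdrv.sys" ServiceType="kernel mode driver"',
    'EventID=6 ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\hlpdrv.sys" Signed=false',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" Details="DWORD (0x00000001)"',
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" ServiceType="user mode service"',
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" Details="DWORD (0x00000000)"',
    'EventID=7045 ServiceName=updsvc ImagePath="C:\\Users\\bob\\AppData\\Local\\Temp\\foo.sys" ServiceType="kernel mode driver"',
    'EventID=6 ImageLoaded="C:\\Users\\bob\\AppData\\Local\\Temp\\foo.sys" Signed=true',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} -> {f.detail}")
    print(summarize(hunt(SAMPLE_LOG)))
```

The name-based rules are the high-fidelity ones the report describes; the two Temp-path rules are broader and will surface any kernel driver staged from a user-writable directory, which is worth reviewing even when the file name has been changed. The value check on event 13 matters because a legitimate policy reset writes the same key with a value of 0.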

Mitigation tips 

SonicWall has issued specific hardening recommendations for organizations using their VPN solutions: 

  • Disable SSLVPN services where operationally feasible.
  • Restrict SSLVPN connectivity to trusted source IP addresses only. 
  • Enable comprehensive security features including Botnet protection and Geo-IP filtering.
  • Enforce multi-factor authentication (MFA) for all VPN access.
  • Remove unused accounts and maintain strict password hygiene practices. 

This campaign highlights Akira's evolution toward more sophisticated anti-detection techniques, moving beyond simple encryption to actively disabling endpoint security solutions. The consistent use of these drivers across multiple incident response cases makes them high-fidelity indicators for both proactive threat hunting and forensic analysis. 

The report emphasizes that defenders should prioritize log review and YARA rule deployment to identify pre-ransomware activity, potentially enabling intervention before full system compromise occurs.