Particle.news


GuidePoint Exposes Akira Ransomware’s Dual-Driver Attack on SonicWall SSLVPNs

GuidePoint published detection signatures after mapping how Akira hijacks a legitimate Intel driver to load a malicious module that shuts off endpoint defenses

Akira Ransomware Hits SonicWall VPNs, Deploys Drivers to Bypass Security

Overview

  • Researchers identified a BYOVD (bring-your-own-vulnerable-driver) tactic that loads the legitimate Intel CPU tuning driver rwdrv.sys to gain kernel access, then uses a custom hlpdrv.sys module to disable Windows Defender policies
  • The dual-driver sequence has featured in multiple Akira intrusions since July 15, 2025, with initial access gained through SonicWall SSLVPN vulnerabilities
  • GuidePoint released YARA rules and indicators of compromise for both rwdrv.sys and hlpdrv.sys to enable proactive detection and retrospective threat hunting
  • SonicWall updated guidance urging customers to restrict SSLVPN use, enforce multi-factor authentication, remove unused accounts and enable Botnet/Geo-IP protection
  • Analyses show Akira’s broader kill chain uses the Bumblebee loader and data exfiltration tools, and deploys its locker.exe ransomware payload roughly 44 hours after the initial breach
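The dual-driver sequence above is what a hunt rule should key on rather than either file name alone. The following is an added example, not GuidePoint's or SonicWall's code: a Python correlation over constructed driver-load records shaped like Sysmon Event ID 6 (DriverLoad) events. The field names, sample hosts and the 30-minute window are assumptions.

```python
"""Correlate driver-load telemetry for the rwdrv.sys -> hlpdrv.sys BYOVD sequence."""
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, modelled on Sysmon Event ID 6).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2025-07-16T02:10:05", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"host": "WS01", "ts": "2025-07-16T02:10:41", "image": r"C:\Windows\Temp\hlpdrv.sys"},
    {"host": "WS02", "ts": "2025-07-16T03:00:00", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "WS03", "ts": "2025-07-16T04:00:00", "image": r"C:\Tools\rwdrv.sys"},
]

LOADER_DRIVER = "rwdrv.sys"    # legitimate Intel driver abused for kernel access
PAYLOAD_DRIVER = "hlpdrv.sys"  # custom module that tampers with Defender policies


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_byovd_sequences(events, window=timedelta(minutes=30)):
    """Return one alert per host: 'high' when hlpdrv.sys loads within `window`
    after rwdrv.sys, 'medium' when rwdrv.sys loads without the follow-on driver."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        loader_seen = None   # timestamp of the most recent rwdrv.sys load
        sequence_hit = False
        for e in evs:
            name = basename(e["image"])
            ts = datetime.fromisoformat(e["ts"])
            if name == LOADER_DRIVER:
                loader_seen = ts
            elif name == PAYLOAD_DRIVER and loader_seen and ts - loader_seen <= window:
                alerts.append({"host": host, "severity": "high",
                               "reason": "rwdrv.sys followed by hlpdrv.sys",
                               "delta_s": int((ts - loader_seen).total_seconds())})
                sequence_hit = True
        if loader_seen and not sequence_hit:
            alerts.append({"host": host, "severity": "medium",
                           "reason": "rwdrv.sys loaded without hlpdrv.sys; confirm business need"})
    return alerts


if __name__ == "__main__":
    for alert in find_byovd_sequences(SAMPLE_EVENTS):
        print(alert)
```

The lone rwdrv.sys load is reported at lower severity because the driver is legitimate software; the file-hash IoCs and YARA rules GuidePoint published are the appropriate second check for that case.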