
Hackers discover a bypass method for Microsoft Defender, enabling ransomware installation on personal computers, according to a recent report.

Windows PCs are reportedly hosting a seemingly harmless PC driver that operates covertly as a conduit for ransomware attacks.

Microsoft Defender bypassed, allowing ransomware installation on computers, according to a report

In recent attacks, cybercriminals have been abusing rwdrv.sys, a legitimate driver used by CPU-tuning software for Intel processors, to load a malicious driver, hlpdrv.sys, which turns off Windows Defender. With Defender disabled, the attackers can carry out further malicious activity, including installing ransomware such as Akira.

At the time of publication, the technique used in these attacks had not been patched, so it is crucial for Windows users to take proactive measures to secure their PCs.

Here are some steps users can follow to protect their Windows PCs from Akira ransomware:

  1. Keep all software updated: Regularly update Windows, security software, and drivers to minimize exposure to known vulnerabilities and exploit attempts. SonicWall firewall appliance users should apply all security patches promptly to fix exploited zero-days.
  2. Monitor for suspicious activity: Be on the lookout for suspicious VPN logins, creation of hidden users, registry modifications, or the presence of unusual drivers like the malicious hlpdrv.sys.
  3. Restrict or disable risky services: Disable remote-access services that are not needed, and restrict VPN access to trusted IP addresses to reduce the chance of initial compromise through vulnerable VPN infrastructure or stolen credentials.
  4. Implement multi-factor authentication (MFA): Where possible, secure remote access accounts with MFA to add an extra layer of protection.
  5. Use endpoint detection tools capable of detecting driver abuse: Apply YARA threat hunting rules provided by security researchers targeting the malicious hlpdrv.sys driver used by Akira.
  6. Avoid downloading software or drivers from untrusted sources: Prevent accidental installation of vulnerable or malicious drivers.
  7. Regularly audit system registry and services: Check for unexpected changes to Defender settings or new suspicious services.
  8. Ensure adequate backup and recovery plans: Ransomware infections can encrypt files quickly after gaining access, so it's essential to have a robust backup and recovery plan in place.

By combining vigilant monitoring, strict access controls (including VPN restrictions and MFA), regular patching, and specialized hunting for malicious driver activity, users and organizations can reduce the risk from Akira ransomware attacks that abuse legitimate drivers to disable Windows Defender.
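The monitoring and auditing steps above (looking for the unusual drivers named in the report and checking for unexpected changes to Defender settings) can be scripted. The PowerShell below is an added example written for this article; it is not code from GuidePoint Security, BleepingComputer or Microsoft. The driver names come from the report; the Defender policy registry locations it inspects are standard Defender policy values chosen as an assumption for a reasonable baseline, and a hit on rwdrv.sys alone is not proof of compromise, since the driver is legitimate when installed by its own tuning software.

```powershell
# Added example (not from the report): hunt for the driver names mentioned in
# the article and audit Windows Defender policy and status on the local host.
# Run from an elevated PowerShell session on the machine being checked.

# Driver file names taken from the article. rwdrv.sys is legitimate on its own;
# treat it as context, and treat hlpdrv.sys as a high-confidence indicator.
$SuspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')

function Find-SuspectDrivers {
    param([string[]]$Names = $SuspectDrivers)
    # Win32_SystemDriver enumerates kernel driver services whether or not they
    # are currently running, so a stopped-but-registered driver still shows up.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $path = $_.PathName
        $hit = $false
        foreach ($n in $Names) {
            if ($path -and ($path -like "*\$n")) { $hit = $true }
        }
        $hit
    } | Select-Object Name, State, StartMode, PathName
}

function Get-DefenderPolicyAudit {
    # Assumption: these are the well-known policy values that disable Defender
    # components when set to 1. Adjust the list to your own configuration baseline.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
           Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
           Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # A value of 1 here means something has turned Defender off by policy.
        $finding = if ($value -eq 1) { 'DISABLED BY POLICY' } else { 'ok' }
        [pscustomobject]@{
            Key     = "$($c.Path)\$($c.Name)"
            Value   = $value
            Finding = $finding
        }
    }
}

function Get-DefenderStatusAudit {
    # Get-MpComputerStatus throws when the Defender service itself is stopped or
    # removed; that failure is reported as a finding rather than swallowed.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AMServiceEnabled          = $s.AMServiceEnabled
            AntivirusEnabled          = $s.AntivirusEnabled
            RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        }
    } catch {
        [pscustomobject]@{ Error = "Defender status unavailable: $($_.Exception.Message)" }
    }
}

Write-Host '== Registered drivers matching the reported names =='
Find-SuspectDrivers | Format-Table -AutoSize

Write-Host '== Defender policy keys =='
Get-DefenderPolicyAudit | Format-Table -AutoSize

Write-Host '== Defender service status =='
Get-DefenderStatusAudit | Format-List
```

On a clean machine the first table is empty, both policy rows read "ok", and the three status flags are True. Any registered hlpdrv.sys, a policy value of 1, or an error from the status query is worth escalating and comparing against the registry and service changes the report describes, since the malicious driver's purpose is precisely to produce that state.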

For more information on the latest Akira ransomware attacks and possible defenses, visit GuidePoint Security. It has not been stated whether Microsoft is aware of this technique or is working on a fix for it. The report on this issue was published by GuidePoint Security and covered by BleepingComputer.

Remember, the more people are aware of the exploit, the less likely it is to work against them. Stay vigilant and protect your PC.

  1. To bolster cybersecurity, users should stay current with technology updates, particularly those related to Google's AI and cybersecurity advancements, since such updates may include protections against malicious activity of this kind.
  2. Advanced tools such as endpoint detection systems designed to identify driver abuse can be a valuable part of a comprehensive security strategy against threats like Akira ransomware.
