Akira ransomware abuses CPU tuning tool to disable Microsoft Defender

Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender in attacks from security tools and EDRs running on target machines.

The abused driver is 'rwdrv.sys' (used by ThrottleStop), which the threat actors register as a service to gain kernel-level access.

This driver is likely used to load a second driver, 'hlpdrv.sys,' a malicious tool that manipulates Windows Defender to turn off its protections.

This is a 'Bring Your Own Vulnerable Driver' (BYOVD) attack, where threat actors use legitimate signed drivers that have known vulnerabilities or weaknesses that can be abused to achieve privilege escalation. This driver is then used to load a malicious tool that disables Microsoft Defender.

"The second driver, hlpdrv.sys, is similarly registered as a