Hackers can bypass Microsoft Defender to install ransomware on PCs
In a report, security company GuidePoint Security warns that hackers can effectively bypass Microsoft Defender to install and deploy Akira ransomware.
This is done by exploiting a vulnerable driver called rwdrv.sys, which is a legitimate driver used by an Intel CPU tuning tool called ThrottleStop. By exploiting this driver, a hacker can gain kernel-level access to the PC.
With kernel-level access, the hacker can then load their own malicious driver, in this case hlpdrv.sys, which modifies the Windows Registry and causes Microsoft Defender to disable its protective measures.
This two-punch approach has been flagged by GuidePoint Security as the deployment method for Akira ransomware attacks, which have been ongoing since July of this year.
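The chain above leaves three things a responder can look for on a host: a driver service or loose file named after the two drivers the article mentions, and a Defender that has been switched off. The following triage script is an added example written for this article, not GuidePoint Security's code. It assumes nothing about the malicious driver's service name (it matches on the file names rwdrv.sys and hlpdrv.sys given above), and the two Defender registry values it checks (DisableAntiSpyware and DisableRealtimeMonitoring) are well-known policy settings, not values the article names; treat that part as an assumption. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or GuidePoint): triage a Windows host for the
# rwdrv.sys -> hlpdrv.sys -> Defender-disabled chain. Run elevated.
$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')   # file names taken from the article
$findings = @()

# 1. Kernel driver services whose binary ends in one of the suspect file names.
#    The service names are unknown, so we match on PathName only.
foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
    foreach ($name in $suspectDrivers) {
        if ($svc.PathName -and $svc.PathName.ToLower().EndsWith($name)) {
            $findings += [pscustomobject]@{
                Check  = 'DriverService'
                Detail = "$($svc.Name) -> $($svc.PathName) (State: $($svc.State), StartMode: $($svc.StartMode))"
            }
        }
    }
}

# 2. Copies of the driver files dropped on disk but not (yet) registered as a service.
#    Search roots are an assumption; extend them to match your environment.
$searchRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:TEMP, $env:ProgramData)
foreach ($root in $searchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include $suspectDrivers -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Check  = 'FileOnDisk'
                    Detail = "$($_.FullName) (Created UTC: $($_.CreationTimeUtc.ToString('u')))"
                }
            }
    }
}

# 3. Defender state: protection switched off is the outcome the article describes.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{
            Check  = 'DefenderState'
            Detail = "AntivirusEnabled=$($mp.AntivirusEnabled) RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled) IsTamperProtected=$($mp.IsTamperProtected)"
        }
    }
} catch {
    $findings += [pscustomobject]@{ Check = 'DefenderState'; Detail = "Get-MpComputerStatus failed: $($_.Exception.Message)" }
}

# 4. Registry policy values that disable Defender. These are well-known settings but the
#    article does not say which value hlpdrv.sys writes, so this is an assumed indicator.
$policyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Value = 'DisableAntiSpyware' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Value = 'DisableRealtimeMonitoring' }
)
foreach ($pc in $policyChecks) {
    $item = Get-ItemProperty -Path $pc.Key -Name $pc.Value -ErrorAction SilentlyContinue
    if ($item -and $item.($pc.Value) -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'RegistryPolicy'
            Detail = "$($pc.Key)\$($pc.Value) = 1"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found for the rwdrv.sys / hlpdrv.sys chain.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on rwdrv.sys alone is not proof of compromise, since the article notes it is a legitimate ThrottleStop component; what matters is the combination of that driver with hlpdrv.sys and a Defender that reports protection disabled or a policy value set to turn it off. Tamper Protection (IsTamperProtected) is worth confirming as enabled on any host where the other checks come back clean.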
To stay protected, make sure you're using reputable antivirus software on your Windows PC and keep it up to date at all times. Regular updates ensure your software has the latest malware definitions as new threats are discovered and flagged.
This article originally appeared on our sister publication PC för Alla and was translated and localized from Swedish.