Akira Ransomware Exploits SonicWall Zero-Day with BYOVD Evasion

Akira ransomware affiliates exploit a zero-day vulnerability in SonicWall SMA 100 appliances for initial access, then use legitimate Windows drivers via BYOVD to disable antivirus and EDR systems, achieving kernel-level evasion. This sophisticated tactic demands enhanced driver management, firmware patching, and proactive defenses to counter evolving cyber threats.
Written by Andrew Cain

In the shadowy world of cybercrime, ransomware groups like Akira are continually innovating to outpace defenders, and their latest tactics reveal a sophisticated blend of exploitation and evasion. Affiliates of the Akira ransomware operation have been observed abusing legitimate Windows drivers to disable antivirus and endpoint detection and response (EDR) systems, allowing them to infiltrate networks via vulnerabilities in SonicWall appliances. This approach, detailed in a recent report by cybersecurity firm GuidePoint Security, marks a significant escalation in the group’s methods, combining zero-day exploits with “bring your own vulnerable driver” (BYOVD) techniques.

The campaign, which unfolded from late July into early August 2025, targeted SonicWall’s Secure Mobile Access (SMA) 100 series appliances, particularly those running firmware versions 12.4.2 and 12.4.3. Attackers exploited what appears to be an unpatched zero-day vulnerability in these devices, gaining initial access through SSL VPN services. Once inside, they deployed vulnerable drivers such as rwdrv.sys from Realtek and hlpdrv.sys from HWInfo to achieve kernel-level privileges, effectively bypassing security tools like Microsoft Defender.

This BYOVD strategy isn’t entirely novel, but its application in conjunction with hardware-specific exploits sets a new benchmark for ransomware sophistication, forcing organizations to rethink driver management and firmware patching protocols amid rising threats.

GuidePoint’s analysis, as reported in CSO Online, highlights how these drivers, originally designed for hardware monitoring and diagnostics, are being weaponized. By loading them into the kernel, attackers terminate critical processes associated with EDR solutions, rendering them blind to subsequent malicious activities like data exfiltration and encryption. This tactic echoes previous BYOVD campaigns but is uniquely tied to SonicWall’s ecosystem, where even fully patched devices have fallen victim, suggesting a deeper flaw that SonicWall is urgently investigating.

Further insights from The Hacker News indicate that the zero-day exploit allows remote code execution without authentication, amplifying the risk for organizations relying on these VPN gateways. Posts on X from cybersecurity experts, including alerts from The Hacker News and researchers like Zeeshan Khan, underscore the urgency, noting that Akira’s use of these drivers enables persistence in hardened environments, with campaigns peaking in recent weeks.

As ransomware actors pivot to kernel-level manipulations, the integration of legitimate software components into attack chains complicates detection, urging a shift toward proactive vulnerability scanning and restricted driver loading in enterprise settings.

The broader implications extend beyond SonicWall users. According to Cybersecurity News, this evolution in Akira’s playbook aligns with a surge in ransomware activity, where affiliates exploit trusted tools to evade scrutiny. For instance, the ThrottleStop driver has also been abused in similar BYOVD attacks to sideline Microsoft Defender, as detailed in reports from WebProNews. Industry insiders warn that without enhanced kernel protections, such as those Microsoft is developing, these methods could proliferate.

SonicWall has responded by advising customers to restrict VPN access and enable multi-factor authentication, but the persistence of these attacks—evident in X discussions from accounts like BleepingComputer—highlights gaps in current defenses. GuidePoint’s GRITREP, published on their site, recommends auditing for these specific drivers and monitoring for anomalous kernel activity to mitigate risks.
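As an added illustration of the GRITREP advice quoted above, the following Python example (written here, not code from GuidePoint, SonicWall, or the article) scans driver-load telemetry for the two driver file names the article cites. The log lines are constructed in the style of Sysmon Event ID 6 (DriverLoad) records; the field layout, the `C:\Temp\monitor.sys` entry and the signer strings are assumptions made for the sample.

```python
# Added example: flag driver loads that match the BYOVD drivers named in the article
# (rwdrv.sys, hlpdrv.sys) or that come from outside the Windows drivers directory.
# The log format and sample records below are constructed, not real telemetry.
import re
from typing import Dict, List, Tuple

# Driver file names the article reports as abused in the Akira campaign.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon-style records: EventID 6 is DriverLoad, EventID 7 is ImageLoad.
SAMPLE_LOG = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signature="Microsoft Windows"
EventID=6 ImageLoaded=C:\\Users\\Public\\rwdrv.sys Signature="(constructed vendor A)"
EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signature="Microsoft Windows"
EventID=6 ImageLoaded=C:\\Users\\Public\\hlpdrv.sys Signature="(constructed vendor B)"
EventID=6 ImageLoaded=C:\\Temp\\monitor.sys Signature="(constructed vendor C)"
"""

LINE_RE = re.compile(r'EventID=(\d+) ImageLoaded=(\S+) Signature="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a record; empty dict if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    return {"event_id": m.group(1), "path": m.group(2), "signer": m.group(3)}


def classify_driver_load(rec: Dict[str, str]) -> str:
    """Return a reason string if the record is a suspicious driver load, else ''."""
    if rec.get("event_id") != "6":
        return ""  # only DriverLoad events matter here
    path = rec["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if name in BYOVD_DRIVERS:
        return "known BYOVD driver"
    # Heuristic: a signed-but-vulnerable driver is typically dropped to a user-writable
    # directory. Legitimate third-party drivers can live elsewhere too (for example
    # the DriverStore), so treat this as a triage lead, not a verdict.
    if not path.lower().startswith(DRIVER_DIR):
        return "driver loaded outside drivers directory"
    return ""


def find_byovd_loads(log_text: str) -> List[Tuple[str, str]]:
    """Scan the log and return (driver file name, reason) for each suspicious load."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify_driver_load(rec) if rec else ""
        if reason:
            hits.append((rec["path"].rsplit("\\", 1)[-1].lower(), reason))
    return hits
```

In production the same logic would run over real Sysmon or ETW driver-load events, with the known-driver set extended from a maintained vulnerable-driver blocklist rather than hard-coded.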

With Akira’s affiliates demonstrating adaptability by chaining exploits with evasion tactics, cybersecurity teams must prioritize layered defenses, including regular firmware updates and behavioral analytics, to counter the growing convergence of hardware vulnerabilities and software abuse.

Experts predict this trend will influence future regulations, potentially mandating stricter driver certification processes. As one cybersecurity analyst noted in an X post, the combination of zero-days and BYOVD represents a “concerning evolution,” pushing vendors like SonicWall to accelerate patch cycles. For now, organizations are left scrambling, with recent news from GBHackers emphasizing the need for immediate action against these stealthy incursions.

In wrapping up this deep dive, it’s clear that Akira’s tactics are reshaping enterprise security priorities. By leveraging everyday drivers against high-value targets, the group exemplifies how cybercriminals are blurring lines between legitimate and malicious code, demanding a more vigilant and integrated approach to threat hunting.
