Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Aug. 10, 2025, 7:36 p.m.

Description

Akira affiliates have been observed abusing two common drivers, rwdrv.sys and hlpdrv.sys, as part of a suspected AV/EDR evasion effort following initial access that involved SonicWall abuse. The drivers are used to evade or disable AV/EDR through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. This behavior has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs. Defenders are advised to harden SonicWall VPNs, implement the recommended mitigations, and use the provided YARA rules to detect and respond to pre-ransomware activity.

Date

  • Created: Aug. 8, 2025, 8:07 a.m.
  • Published: Aug. 8, 2025, 8:07 a.m.
  • Modified: Aug. 10, 2025, 7:36 p.m.

Indicators

  • bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
  • 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0

Attack Patterns

  • Akira