Hackers can bypass Microsoft Defender to install ransomware on PCs

From PC World: In a report published by security company GuidePoint Security, they’ve issued a warning that hackers can effectively bypass Microsoft Defender to install and deploy Akira ransomware.

This is done by exploiting a vulnerable driver called rwdrv.sys, which is a legitimate driver used by an Intel CPU tuning tool called ThrottleStop. By exploiting this driver, a hacker can gain kernel-level access to the PC.

With kernel-level access, the hacker can then load their own malicious driver—in this case, hlpdrv.sys, which modifies the Windows Registry and causes Microsoft Defender to disable its protective measures.

This two-punch approach has been flagged by GuidePoint Security as the deployment method for Akira ransomware attacks, which have been ongoing since July of this year.

View: Full Article