A recent cybersecurity report reveals that Microsoft Defender, Windows’ built-in security tool, is facing a serious bypass vulnerability that allows ransomware infections to slip through undetected.
According to GuidePoint Security (via BleepingComputer), threat actors behind the Akira ransomware strain have discovered a way to exploit a legitimate Windows driver to disable Defender and gain control over compromised systems.
The attack leverages rwdrv.sys, a legitimate driver used in Intel CPU tuning software, as an entry point. Once exploited, attackers install a malicious driver called hlpdrv.sys, which is specifically designed to shut down Windows Defender. With the security barrier removed, ransomware can be deployed freely, encrypting files and causing significant disruption.
GuidePoint notes that this attack method was first observed in mid-July and, as of now, there is no confirmed patch to address the exploit. The researchers warn that while the flaw remains unpatched, awareness is a critical defense — the more organizations know about this tactic, the better prepared they can be to mitigate risks.
Security experts recommend supplementing Microsoft Defender with reputable third-party antivirus solutions and implementing layered security strategies to reduce exposure. Organizations should also monitor for signs of driver tampering and restrict administrative privileges to minimize the impact of such attacks.
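One concrete way to act on the "monitor for signs of driver tampering" advice, added here as an example and not taken from the article or from GuidePoint's report: scan Windows System-log "service installed" records (Event ID 7045) for kernel-driver installs that use the two driver names the article mentions, or that load from outside the standard driver directory. The sample records are constructed, and the expected-path rule is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Driver names taken from the article: the legitimate driver abused for
# access (rwdrv.sys) and the malicious one used to shut down Defender.
KNOWN_BAD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumption: kernel drivers normally live here; anything else gets flagged.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed sample records in the shape of Event ID 7045 messages
# ("A service was installed in the system"); not real telemetry.
def _msg(name, path, kind):
    return (f"A service was installed in the system.\r\n\r\nService Name:  {name}\r\n"
            f"Service File Name:  {path}\r\nService Type:  {kind}\r\n")

SAMPLE_EVENTS = [
    {"id": 7045, "message": _msg("Spooler", r"C:\Windows\System32\spoolsv.exe", "user mode service")},
    {"id": 7045, "message": _msg("rwdrv", r"C:\Users\Public\rwdrv.sys", "kernel mode driver")},
    {"id": 7045, "message": _msg("hlpdrv", r"C:\ProgramData\hlpdrv.sys", "kernel mode driver")},
    {"id": 7045, "message": _msg("vmci", r"C:\Windows\System32\drivers\vmci.sys", "kernel mode driver")},
]

FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Type):\s+(.*?)\s*$", re.M)

def parse_7045(message):
    """Extract the key fields of a 7045 message into a dict (keys lower-cased)."""
    return {k.lower(): v for k, v in FIELD_RE.findall(message)}

def assess(events):
    """Return (service name, path, reasons) for suspicious kernel-driver installs."""
    findings = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        fields = parse_7045(ev["message"])
        if "kernel mode driver" not in fields.get("service type", ""):
            continue  # user-mode services are out of scope for this check
        path = PureWindowsPath(fields["service file name"])
        reasons = []
        if path.name.lower() in KNOWN_BAD_DRIVERS:
            reasons.append("known-abused driver name")
        if EXPECTED_DRIVER_DIR not in path.parents:  # case-insensitive on Windows paths
            reasons.append("driver outside System32\\drivers")
        if reasons:
            findings.append((fields["service name"], str(path), reasons))
    return findings

if __name__ == "__main__":
    for name, path, why in assess(SAMPLE_EVENTS):
        print(f"{name}: {path} -> {', '.join(why)}")
```

On a live host the same logic can be fed from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`; a hit is a trigger for investigation, since legitimate tuning software also installs rwdrv.sys.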
For more technical details on the exploit and defense strategies against Akira ransomware, GuidePoint Security provides a comprehensive breakdown in their full report.
Source: https://mashable.com/article/microsoft-defender-hack-akira-ransomware-pc-windows