
Akira Ransomware Exploits CPU Tuning Tool to Cripple Microsoft Defender

Warning: Ransomware Is Now Using Legitimate Tools to Disable Your Antivirus

Cybercriminals are constantly evolving their tactics, and a recent development from the notorious Akira ransomware group highlights a particularly dangerous new trend. Attackers are no longer just relying on custom-built malware to breach defenses; they are now turning legitimate, trusted software against you to disable critical security tools like Microsoft Defender.

In this attack chain, the Akira ransomware group abuses a legitimately signed driver that ships with the popular MSI Afterburner tuning utility. The driver is not malware; it is a vendor component with a known weakness that grants kernel-level read/write to whoever loads it. By bringing that component along, the attackers can blind the system’s primary defenses before deploying the ransomware payload.

How a Trusted Tool Becomes a Weapon

The core of this attack lies in a technique known as “Bring Your Own Vulnerable Driver” (BYOVD). Here’s how it works:

  1. Gaining Initial Access: First, the attackers gain a foothold in the target network through common methods like phishing, exploiting unpatched vulnerabilities, or using stolen credentials, and then work their way up to local administrator rights. Those rights matter: installing a kernel driver requires administrative privileges, so BYOVD is a defense-evasion step taken after privilege escalation, not a way to escalate from a standard user.
  2. Abusing a Legitimate Driver: Instead of dropping a malicious driver that an antivirus would flag and the kernel would refuse to load, the attackers register a vulnerable but legitimately signed driver as a service. In this case, it’s the rtcore64.sys driver from MSI Afterburner. Windows driver signature enforcement checks that the signature chain is valid; it says nothing about whether the driver is safe. Unless the driver is on Microsoft’s vulnerable driver blocklist and that blocklist is enforced, it loads like any other vendor driver.
  3. Achieving Kernel-Level Power: The driver exposes its capabilities (arbitrary kernel memory and I/O access in the case of typical tuning drivers) to any caller that can open its device handle. That level of privilege is far greater than a standard user or even an administrator has from user mode, and it is enough to tamper with or terminate core system processes that user-mode code is not allowed to touch.
  4. Disabling Security Software: The attackers then use the driver’s power to terminate over 100 different processes associated with security software, including Microsoft Defender. With the tools designed to protect the system shut down, the ransomware can carry out its primary function, encrypting files, before anything on the endpoint can respond.

This borrows from the “Living off the Land” playbook, where attackers use trusted components rather than custom malware to carry out their objectives. Strictly, the driver is brought by the attacker rather than found on the host (hence the “Bring Your Own” in BYOVD), but the effect is the same: a signed vendor driver being loaded by an administrator looks like routine system operations, which makes the activity hard to distinguish from legitimate maintenance.

Why This Method is So Effective

The strength of this attack is its stealth. Traditional antivirus solutions are good at spotting known malicious files or suspicious unsigned code. Here, the only new file on disk is a validly signed vendor driver, and the damaging actions are kernel memory writes issued through that driver. Microsoft Defender’s antimalware service runs as a protected process so that even an administrator cannot terminate it from user mode, but a driver with arbitrary kernel read/write sits below that protection, so the safeguard does not apply.

The primary threat is the exploitation of kernel-level privileges. Once an attacker gains this level of access, they essentially have complete control over the machine. They can disable endpoint protection, delete backups, and exfiltrate data before deploying the final ransomware payload.

Actionable Steps to Protect Your Systems

Defending against BYOVD attacks requires a more proactive and behavior-focused security posture. Simply relying on traditional antivirus is no longer enough. Here are crucial steps every organization should take:

  • Audit Your Software and Drivers: Regularly inventory the software and drivers installed on your endpoints, especially on critical servers. Remove any non-essential tools, such as performance tuning utilities, that could present an unnecessary security risk. Because the attacker brings the driver along, also compare installed and newly registered kernel drivers against lists of drivers known to be abused, such as the LOLDrivers project and Microsoft’s vulnerable driver blocklist, and treat a new kernel-mode driver service on a server as an event worth investigating.
  • Implement Robust Endpoint Detection and Response (EDR): An EDR solution is designed to monitor system behavior, not just files. It can flag suspicious activities, such as a hardware utility’s driver being loaded on a server or a process attempting to terminate security processes, and alert administrators or automatically block the action.
  • Enable Attack Surface Reduction (ASR) Rules: For organizations using Microsoft Defender for Endpoint, activate ASR rules designed to block driver abuse. Specifically, the “Block abuse of exploited vulnerable signed drivers” rule (GUID 56a863a9-875e-4185-98a7-b882c64b5ce5) is a direct countermeasure to this type of attack. Pair it with the Microsoft vulnerable driver blocklist, which is enforced when hypervisor-protected code integrity (HVCI) is on and can also be turned on from the Core isolation settings in Windows Security on current Windows 11 builds.
  • Enforce the Principle of Least Privilege: Ensure that users and applications only have the permissions necessary to perform their intended functions. This can limit an attacker’s ability to deploy tools or escalate privileges even if they gain initial access.
  • Maintain a Strong Patching Cadence: While this specific attack uses a non-malicious driver, keeping all systems, software, and drivers updated is critical to close other potential vulnerabilities that attackers could use for initial entry.
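The steps above can be checked from one administrative PowerShell session. The script below is an added example, not code from the BleepingComputer article or from any vendor: it reports the state of the ASR rule, whether HVCI and the vulnerable driver blocklist are active, inventories kernel drivers with their signer and hash against a small watchlist, and pulls recent kernel-mode driver service installs from the System log (event ID 7045). Assumptions: Defender cmdlets are available, the host is English-locale (the 7045 service-type string is localized), and the watchlist (here only rtcore64.sys, the driver named in this article) is extended from your own threat intelligence.

```powershell
#Requires -RunAsAdministrator
# BYOVD readiness check (added example). Read-only unless -Enforce is given.
param(
    [switch]$Enforce,          # set the ASR rule to Block instead of only reporting it
    [int]$LookbackDays = 30    # how far back to look for kernel driver service installs
)

# "Block abuse of exploited vulnerable signed drivers" (documented Defender ASR rule GUID)
$AsrBlockVulnDrivers = '56a863a9-875e-4185-98a7-b882c64b5ce5'
# Driver file names known to be abused in BYOVD attacks; extend from LOLDrivers / your EDR vendor.
$Watchlist = @('rtcore64.sys')

# 1. ASR rule state. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$state = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $AsrBlockVulnDrivers) {
        $state = @{0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn'}[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}
if ($Enforce -and $state -ne 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockVulnDrivers -AttackSurfaceReductionRules_Actions Enabled
    $state = 'Block (set now)'
}

# 2. HVCI and the Microsoft vulnerable driver blocklist.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg.SecurityServicesRunning -contains 2)      # 2 = hypervisor-enforced code integrity
$blocklist = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
              -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

# 3. Kernel driver inventory: path, signer, hash, watchlist hit.
function Resolve-DriverPath([string]$p) {
    # Service image paths come as \??\C:\..., \SystemRoot\..., or System32\... relative forms.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name        = $_.Name
        State       = $_.State
        Path        = $path
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        SigStatus   = $sig.Status
        SHA256      = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        OnWatchlist = $Watchlist -contains [IO.Path]::GetFileName($path)   # -contains is case-insensitive
    }
}

# 4. Recent kernel-mode driver service installs (System log, event 7045).
# EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$since    = (Get-Date).AddDays(-$LookbackDays)
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -eq 'kernel mode driver' } |
    ForEach-Object {
        $img = [string]$_.Properties[1].Value
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Service     = $_.Properties[0].Value
            ImagePath   = $img
            Account     = $_.Properties[4].Value
            OnWatchlist = $Watchlist -contains [IO.Path]::GetFileName((Resolve-DriverPath $img))
        }
    }

# Summary: the three controls, then anything that deserves a ticket.
[pscustomobject]@{
    AsrBlockVulnerableDrivers = $state
    HvciRunning               = $hvci
    VulnerableDriverBlocklist = if ($blocklist -eq 1) { 'Enabled' } elseif ($null -eq $blocklist) { 'Not set (OS default)' } else { 'Disabled' }
} | Format-List
"`nDrivers on watchlist or not validly signed:"
$drivers | Where-Object { $_.OnWatchlist -or $_.SigStatus -ne 'Valid' } | Format-Table Name, State, SigStatus, Signer, Path -AutoSize
"`nKernel driver services installed in the last $LookbackDays days:"
$installs | Sort-Object Time -Descending | Format-Table Time, Service, Account, OnWatchlist, ImagePath -AutoSize
```

Run it read-only first; the 7045 list on a server that has no business receiving new hardware drivers is usually short enough to review by hand, and a tuning-utility driver registered there by an administrative account is exactly the footprint this article describes. Feed the SHA256 column into your EDR or the Microsoft blocklist policy rather than relying on file names, which an attacker can rename.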

The line between legitimate system tools and malicious weapons is becoming increasingly blurred. The Akira ransomware group’s latest technique is a stark reminder that cyber threats are constantly adapting. A modern security strategy must move beyond simple file scanning and embrace a defense-in-depth approach focused on monitoring behavior, reducing the attack surface, and actively hunting for threats.

Source: https://www.bleepingcomputer.com/news/security/akira-ransomware-abuses-cpu-tuning-tool-to-disable-microsoft-defender/
