VERY IMPORTANT

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. This behavior has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs. Defenders are advised to harden SonicWall VPNs, implement recommended mitigations, and use provided YARA rules for detection and response to pre-ransomware activity.