Hackers Can Disable Windows Defender: Urgent Warning for Texas Businesses

Cybercriminals are exploiting a new Windows Defender weakness that lets them disable antivirus protection by abusing a legitimate but vulnerable system driver. For Texas SMBs, this underscores the need to move beyond built-in security. Falling behind means risking ransomware, data loss, and operational downtime.

Hackers Can Disable Windows Defender: What Texas Businesses Need to Know

What This Windows Defender Vulnerability Means

In recent weeks, the Akira ransomware group has used a “Bring Your Own Vulnerable Driver” (BYOVD) attack that disables Microsoft Defender Antivirus without being detected. They load a legitimate Intel CPU tuning driver (rwdrv.sys) alongside a malicious companion driver (hlpdrv.sys) that quietly alters registry settings to switch off Defender’s protections. Because the initial driver is legitimate, this method sidesteps many security tools, and it has been observed in active ransomware campaigns since mid-July 2025.

Why Texas SMBs Are at Heightened Risk

  1. False Sense of Security – Businesses relying only on Windows Defender are becoming easy targets.
  2. Limited IT Resources – Without continuous monitoring, this vulnerability may go undetected for longer.
  3. Attractive Targets – SMBs often handle sensitive data, making them lucrative ransomware victims.

How to Protect Your Business Immediately

To guard against this emerging threat, Texas SMBs should:

  1. Implement Multi-Layered Security
    Use EDR, firewalls, email filtering, plus network monitoring, not just AV.
  2. Deploy Hardened Endpoint Defense
    Choose tools that resist tampering, such as managed EDR solutions.
  3. Engage a Managed IT Security Partner
    MSPs like SofTouch Systems offer 24/7 monitoring and proactive protection that goes beyond default defenses.
  4. Ensure Regular, Secure Backups
    Secure offsite backups are your lifeline if ransomware hits.
  5. Train Your Teams
    Equip staff to recognize phishing lures and avoid unsafe downloads.

Case in Point: Akira Ransomware Attack

Security researchers confirm that the Akira ransomware group has actively deployed this BYOVD technique since mid‑July 2025. They’ve exploited the legitimate rwdrv.sys driver (part of ThrottleStop) to gain system-level access, then used hlpdrv.sys, a malicious driver, to disable Defender via registry manipulation. This method has been observed in live ransomware campaigns, not just theoretical tests, which highlights the serious and ongoing nature of the threat.
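The following is an added PowerShell example, not code from SofTouch Systems or from the researchers cited above, that an administrator can run on a Windows endpoint to check for the indicators this post describes: whether Defender’s real-time protection and Tamper Protection are still on, whether a driver service named rwdrv or hlpdrv (the names given above) is installed, and whether the well-known Defender policy registry values that switch protection off have been set. It assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated session. The post does not say which registry values hlpdrv.sys changed, so the two values audited here are the commonly abused policy settings, chosen as an assumption; the driver watch list is constructed from the names in the post.

```powershell
# Added example (not SofTouch Systems' code): audit a Windows endpoint for the
# Defender-disabling indicators described in the post. Run as Administrator.

# Driver service names taken from the post above (constructed watch list).
# Note: legitimate ThrottleStop installs also load rwdrv, so a hit is a lead, not proof.
$suspectDrivers = @('rwdrv', 'hlpdrv')

# Policy values that, when set to 1, turn Defender features off. These are the
# well-known ones to audit; the post does not name the exact values that were changed.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)

function Get-DefenderHealth {
    # Get-MpComputerStatus is the built-in Defender status cmdlet.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        TamperProtected           = $s.IsTamperProtected
        SignatureAgeDays          = $s.AntivirusSignatureAge
    }
}

function Find-SuspectDrivers {
    # Installed kernel drivers are exposed as Win32_SystemDriver instances; match on
    # either the service name or the file name of the driver image.
    Get-CimInstance Win32_SystemDriver | Where-Object {
        $name = $_.Name.ToLower()
        $file = if ($_.PathName) { [IO.Path]::GetFileNameWithoutExtension($_.PathName).ToLower() } else { '' }
        ($suspectDrivers -contains $name) -or ($suspectDrivers -contains $file)
    } | Select-Object Name, State, StartMode, PathName
}

function Test-DefenderPolicyTampering {
    # Returns one object per policy value found set to 1 (protection disabled).
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            [pscustomobject]@{ Path = $c.Path; Value = $c.Name; Setting = 1 }
        }
    }
}

$health  = Get-DefenderHealth
$drivers = Find-SuspectDrivers
$tamper  = Test-DefenderPolicyTampering

$health | Format-List
if ($drivers) { Write-Warning 'Suspect driver service(s) present:'; $drivers | Format-Table -AutoSize }
if ($tamper)  { Write-Warning 'Defender disabled via policy value:';  $tamper  | Format-Table -AutoSize }
if (-not $health.TamperProtected) {
    Write-Warning 'Tamper Protection is off. Turn it on (Windows Security app, Intune, or the Defender portal) so local registry edits cannot switch Defender off.'
}
if (-not $drivers -and -not $tamper -and $health.RealTimeProtectionEnabled) {
    Write-Output 'No indicators found on this endpoint.'
}
```

Running this on a schedule (or pushing it through your RMM/EDR agent) turns a one-off check into the kind of continuous monitoring the post recommends; a driver hit plus a disabled policy value on the same machine is the combination to escalate.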


How SofTouch Systems Shields Your Business

At SofTouch Systems, we equip Texas SMBs with resilient, enterprise-grade protections at SMB-friendly rates:

  • Managed EDR & Antivirus that can’t be tampered with.
  • 24/7 Endpoint & Network Monitoring to detect and halt threats fast.
  • Secure Backup & Recovery plans, regularly tested for effectiveness.
  • Employee Security Training that strengthens your human firewall.

Don’t rely solely on Defender; let us help you build defenses that adapt and respond.
