Cybercriminals are exploiting a new Windows Defender vulnerability that lets them disable antivirus protection using legitimate system drivers. For Texas SMBs, this underscores the need to move beyond built-in security. Falling behind means risking ransomware, data loss, and operational downtime.
What This Windows Defender Vulnerability Means
In recent weeks, the Akira ransomware group has used a “Bring Your Own Vulnerable Driver” (BYOVD) attack. This attack disables Microsoft Defender Antivirus without detection. They employ a legitimate Intel CPU tuning driver—rwdrv.sys—alongside a malicious companion driver (hlpdrv.sys) that quietly alters registry settings to switch off Defender’s protections. This method sidesteps many security tools and has been observed in active ransomware campaigns since mid-July 2025.
Why Texas SMBs Are at Heightened Risk
- False Sense of Security – Businesses relying only on Windows Defender are becoming easy targets.
- Limited IT Resources – Without continuous monitoring, this vulnerability may go undetected for longer.
- Attractive Targets – SMBs often handle sensitive data, making them lucrative ransomware victims.
How to Protect Your Business Immediately
To guard against this emerging threat, Texas SMBs should:
- Implement Multi-Layered Security
Use EDR, firewalls, email filtering, plus network monitoring, not just AV. - Deploy Hardened Endpoint Defense
Choose tools that resist tampering, such as managed EDR solutions. - Engage a Managed IT Security Partner
MSPs like SofTouch Systems offer 24/7 monitoring and proactive protection that goes beyond default defenses. - Ensure Regular, Secure Backups
Secure offsite backups are your lifeline if ransomware hits. - Train Your Teams
Equip staff to recognize phishing lures and avoid unsafe downloads.
Case in Point: Akira Ransomware Attack
Security researchers confirm that the Akira ransomware group has actively deployed this BYOVD technique since mid‑July 2025. They’ve exploited the legitimate rwdrv.sys driver (part of ThrottleStop) to gain system-level access, then used hlpdrv.sys, a malicious driver, to disable Defender via registry manipulation. This method has been observed in live ransomware campaigns. It was not just theoretical tests. This highlights the serious and ongoing nature of the threat.
How SofTouch Systems Shields Your Business
At SofTouch Systems, we equip Texas SMBs with resilient, enterprise-grade protections at SMB-friendly rates:
- Managed EDR & Antivirus that can’t be tampered with.
- 24/7 Endpoint & Network Monitoring to detect and halt threats fast.
- Secure Backup & Recovery plans, regularly tested for effectiveness.
- Employee Security Training that strengthens your human firewall.
Don’t rely solely on Defender, let us help you build defenses that adapt and respond.
