New BYOVD Attack Can Evade Microsoft Defender and Install Ransomware – How to Protect Yourself
Summary
A new cyber security threat has emerged in the form of a Bring Your Own Vulnerable Driver (BYOVD) attack, which allows attackers to gain kernel-level access, bypass Microsoft Defender and install ransomware on a victim's computer.
The attack exploits a legitimate but vulnerable driver, rwdrv.sys, which is commonly used by system optimisation and fan control applications.
After gaining initial access, the attackers install the rwdrv.sys driver, use it to obtain elevated privileges, and then deploy a malicious hlpdrv.sys driver that disables Microsoft Defender.
With Defender disabled, the attackers install ransomware or execute other malicious code.
At present, Akira ransomware has been associated with this type of attack. It can be prevented by enabling Windows Security features such as Controlled Folder Access and Core Isolation, uninstalling kernel-level utilities that are not needed, using a standard (non-administrator) account for everyday computer use, and installing antivirus software other than Microsoft Defender.
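As an added example (not code from the article, from Microsoft, or from any vendor it mentions), the following PowerShell script checks a Windows 10/11 machine against the mitigations listed above: whether Controlled Folder Access is enforced, whether memory integrity (the HVCI part of Core Isolation) is running, whether Defender's real-time protection is still on, whether the current session is an administrator account, and whether any registered kernel driver is one of the names the article gives (rwdrv.sys, hlpdrv.sys) or loads from outside the Windows directory. The function name Test-ByovdPosture and the driver list parameter are this example's own; the script assumes an elevated PowerShell session on a machine with Microsoft Defender installed, and only reads state (it changes nothing).

```powershell
# Added example, not from the article. Read-only posture check for the
# mitigations the summary lists. Assumes an elevated PowerShell session on
# Windows 10/11 with Microsoft Defender present. The two driver file names
# are the ones the article reports; everything else here is illustrative.

function Test-ByovdPosture {
    [CmdletBinding()]
    param(
        # Driver file names reported in the article; extend as needed.
        [string[]]$SuspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Controlled Folder Access: 0 = disabled, 1 = enabled, 2 = audit mode.
    $cfa = (Get-MpPreference).EnableControlledFolderAccess
    if ($cfa -ne 1) {
        $findings.Add("Controlled Folder Access is not enforced (value $cfa). Enable with: Set-MpPreference -EnableControlledFolderAccess Enabled")
    }

    # 2. Core Isolation / memory integrity (HVCI). In Win32_DeviceGuard,
    #    SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if (-not ($dg.SecurityServicesRunning -contains 2)) {
        $findings.Add('Memory integrity (HVCI) is not running. Turn it on under Windows Security > Device security > Core isolation.')
    }

    # 3. Defender itself: the attack's goal is to switch it off, so confirm
    #    the engine and real-time protection are both up.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Microsoft Defender antivirus or real-time protection is disabled.')
    }

    # 4. Everyday use should be from a standard account; flag an admin session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings.Add("Current session ($($identity.Name)) holds administrator rights; use a standard account for daily work.")
    }

    # 5. Inventory registered kernel drivers. Flag the names from the article,
    #    and any driver with an absolute image path outside the Windows directory
    #    (relative paths such as System32\drivers\x.sys are left alone).
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $abs  = $d.PathName -replace '^\\\?\?\\', ''   # strip NT "\??\" prefix if present
        $file = Split-Path -Leaf $abs
        if ($SuspectDrivers -contains $file) {
            $findings.Add("Driver service '$($d.Name)' loads $file (state: $($d.State), start: $($d.StartMode)) from $abs")
        }
        elseif ($abs -match '^[A-Za-z]:\\' -and $abs -notlike "$env:SystemRoot\*") {
            $findings.Add("Driver service '$($d.Name)' loads from a non-system path: $abs")
        }
    }

    [pscustomobject]@{
        Checked  = Get-Date
        Findings = $findings
        Clean    = ($findings.Count -eq 0)
    }
}

Test-ByovdPosture | Format-List
```

Each finding maps to one of the article's recommendations, so an empty Findings list means the host already has the listed protections in place. The driver inventory in step 5 is the part worth running periodically: a kernel-level utility the article says to uninstall will still show up as a registered driver service after the application is removed if its driver was left behind, and a driver loading from a user-writable path is the pattern a BYOVD drop leaves. Note that the Windows Security Core isolation page also exposes the Microsoft Vulnerable Driver Blocklist toggle, which is the OS-level control intended to stop known-vulnerable drivers from loading in the first place.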