- Researchers spot Medusa ransomware operators deploying smuol.sys
- This driver mimics a legitimate CrowdStrike Falcon driver
- Medusa is actively targeting critical infrastructure organizations
Operators of the Medusa ransomware are engaging in old-fashioned bring-your-own-vulnerable-driver (BYOD) attacks, bypassing endpoint protection, detection and response (EDR) tools while installing the encryptor.
Cybersecurity researchers Elastic Security Labs noted the attacks start as the threat actors drop an unnamed loader, which deploys two things on the target endpoint: the vulnerable driver, and the encryptor.
The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver named CSAgent.sys. It was also said to have been signed by a Chinese vendor the researchers dubbed ABYSSWORKER.
A growing threat
“This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” Elastic Security Labs said in its report.
Using outdated and vulnerable drivers to kill antivirus and malware removal tools is nothing new. The practice has been around for years and is being used to deploy malware, steal sensitive information, propagate viruses, and more.
The best way to mitigate potential threats is to keep your software updated.
Medusa ransomware has grown into one of the most prolific Ransomware-as-a-service (RaaS) providers around.
Standing shoulder to shoulder with LockBit, or RansomHub, Medusa has taken responsibility for some of the biggest attacks in recent years, prompting the US government to issue a warning about its activities.
In mid-March 2025, the FBI, CISA, and MS-ISAC said Medusa targeted more than 300 victims from a “variety of critical infrastructure sectors”, by February 2025.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the report says. “FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
Via The Hacker News
Leave a comment