Medusa ransomware is able to disable anti-malware tools, so be on your guard

1 day ago 206

(Image credit: Shutterstock.com) (Image credit: Future)

Researchers spot Medusa ransomware operators deploying smuol.sys
This driver mimics a legitimate CrowdStrike Falcon driver
Medusa is actively targeting critical infrastructure organizations

Operators of the Medusa ransomware are engaging in old-fashioned bring-your-own-vulnerable-driver (BYOD) attacks, bypassing endpoint protection, detection and response (EDR) tools while installing the encryptor.

Cybersecurity researchers Elastic Security Labs noted the attacks start as the threat actors drop an unnamed loader, which deploys two things on the target endpoint: the vulnerable driver, and the encryptor.

The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver named CSAgent.sys. It was also said to have been signed by a Chinese vendor the researchers dubbed ABYSSWORKER.

A growing threat

"This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," Elastic Security Labs said in its report.

Using outdated and vulnerable drivers to kill antivirus and malware removal tools is nothing new. The practice has been around for years and is being used to deploy malware, steal sensitive information, propagate viruses, and more.

The best way to mitigate potential threats is to keep your software updated.

Medusa ransomware has grown into one of the most prolific Ransomware-as-a-service (RaaS) providers around.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Standing shoulder to shoulder with LockBit, or RansomHub, Medusa has taken responsibility for some of the biggest attacks in recent years, prompting the US government to issue a warning about its activities.

In mid-March 2025, the FBI, CISA, and MS-ISAC said Medusa targeted more than 300 victims from a “variety of critical infrastructure sectors”, by February 2025.

"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," the report says. "FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents."

Via The Hacker News

US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article