Medusa ransomware is able to disable anti-malware tools, so be on your guard

• Researchers spot Medusa ransomware operators deploying smuol.sys
• This driver mimics a legitimate CrowdStrike Falcon driver
• Medusa is actively targeting critical infrastructure organizations

Operators of the Medusa ransomware are engaging in old-fashioned bring-your-own-vulnerable-driver (BYOD) attacks, bypassing endpoint protection, detection and response (EDR) tools while installing the encryptor.

Cybersecurity researchers Elastic Security Labs noted the attacks start as the threat actors drop an unnamed loader, which deploys two things on the target endpoint: the vulnerable driver, and the encryptor.

The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver named CSAgent.sys. It was also said to have been signed by a Chinese vendor the researchers dubbed ABYSSWORKER.

A growing threat

“This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” Elastic Security Labs said in its report.

Using outdated and vulnerable drivers to kill antivirus and malware removal tools is nothing new. The practice has been around for years and is being used to deploy malware, steal sensitive information, propagate viruses, and more.

The best way to mitigate potential threats is to keep your software updated.

Medusa ransomware has grown into one of the most prolific Ransomware-as-a-service (RaaS) providers around.

Standing shoulder to shoulder with LockBit, or RansomHub, Medusa has taken responsibility for some of the biggest attacks in recent years, prompting the US government to issue a warning about its activities.

In mid-March 2025, the FBI, CISA, and MS-ISAC said Medusa targeted more than 300 victims from a “variety of critical infrastructure sectors”, by February 2025.

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the report says. “FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”

Via The Hacker News

You might also like

• US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
• We’ve rounded up the best password managers
• Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.