SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Medusa Ransomware Uses Malicious Driver to Disable Security Tools

The Medusa ransomware relies on a malicious Windows driver to disable the security tools running on the infected systems.

The Medusa ransomware deploys a malicious driver from a Chinese vendor and uses it to disable the security tools running on the infected systems, cybersecurity firm Elastic Security Labs reports.

Named smuol.sys, the driver masquerades as a legitimate CrowdStrike Falcon driver, is signed with a revoked certificate from a Chinese company, and is protected using VMProtect.

Elastic, which named the driver AbyssWorker, has identified dozens of samples dated August 2024 to February 2025, all signed, likely using stolen certificates.

“These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver,” Elastic notes.

The driver itself, the cybersecurity firm notes, is not exclusive to Medusa ransomware, and was previously observed being used under the name of nbwdv.sys in social engineering attacks leading to backdoor infections.

The driver was signed with an expired certificate and, to ensure that the driver would run successfully, the attackers used a .bat file to disable the Windows Time Service and set the system date to 2012. A controller binary was used to communicate with the driver.

Elastic’s analysis of AbyssWorker revealed that the driver sets up a protection feature during initialization, by searching for and stripping any handles to its client process in other processes.

Once up and running, the driver can perform requests for a broad range of operations, including process manipulation, file manipulation, process tampering, API loading, hook removal, driver termination, and system reboot, which enables it to terminate and permanently disable security tools.

Advertisement. Scroll to continue reading.

AbyssWorker, Elastic explains, contains various handlers that rely on kernel APIs to perform malicious operations. The cybersecurity firm has created an implementation example that can load the driver’s APIs.

Related: Medusa Ransomware Made 300 Critical Infrastructure Victims

Related: Medusa Ransomware Attacks Increase

Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks

Related: Dozens of Kernel Drivers Allow Attackers to Alter Firmware, Escalate Privileges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.