SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Medusa Ransomware Uses Malicious Driver to Disable Security Tools

The Medusa ransomware relies on a malicious Windows driver to disable the security tools running on the infected systems.

The Medusa ransomware deploys a malicious driver from a Chinese vendor and uses it to disable the security tools running on the infected systems, cybersecurity firm Elastic Security Labs reports.

Named smuol.sys, the driver masquerades as a legitimate CrowdStrike Falcon driver, is signed with a revoked certificate from a Chinese company, and is protected using VMProtect.

Elastic, which named the driver AbyssWorker, has identified dozens of samples dated August 2024 to February 2025, all signed, likely using stolen certificates.

“These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver,” Elastic notes.

The driver itself, the cybersecurity firm notes, is not exclusive to Medusa ransomware, and was previously observed being used under the name of nbwdv.sys in social engineering attacks leading to backdoor infections.

The driver was signed with an expired certificate and, to ensure that the driver would run successfully, the attackers used a .bat file to disable the Windows Time Service and set the system date to 2012. A controller binary was used to communicate with the driver.

Advertisement. Scroll to continue reading.

Elastic’s analysis of AbyssWorker revealed that the driver sets up a protection feature during initialization, by searching for and stripping any handles to its client process in other processes.

Once up and running, the driver can perform requests for a broad range of operations, including process manipulation, file manipulation, process tampering, API loading, hook removal, driver termination, and system reboot, which enables it to terminate and permanently disable security tools.

AbyssWorker, Elastic explains, contains various handlers that rely on kernel APIs to perform malicious operations. The cybersecurity firm has created an implementation example that can load the driver’s APIs.

Related: Medusa Ransomware Made 300 Critical Infrastructure Victims

Related: Medusa Ransomware Attacks Increase

Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks

Related: Dozens of Kernel Drivers Allow Attackers to Alter Firmware, Escalate Privileges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: A Step-by-Step Approach to AI Governance
April 28, 2026

With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Chris Sistrunk has been promoted to Practice Leader for Mandiant's OT Security Consulting.

Nudge Security has appointed Patrick Dillon as its Chief Revenue Officer.

AutoNation has appointed Brian Fricke as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.