Medusa Ransomware: How a Malicious Driver Is Silencing EDR Defenses



The Medusa ransomware group has escalated its tactics, deploying a malicious driver dubbed ABYSSWORKER to disable endpoint detection and response (EDR) solutions. This attack is part of a growing trend of bring-your-own-vulnerable-driver (BYOVD) techniques, where attackers exploit trusted but vulnerable drivers to gain deep system access.

What Happened?

Elastic Security Labs recently detailed a Medusa ransomware incident involving a packer-as-a-service (PaaS) tool called HeartCrypt. The HeartCrypt loader deployed a driver, "smuol.sys", signed with a revoked certificate and mimicking a legitimate CrowdStrike Falcon driver. Once installed, the ABYSSWORKER driver began systematically terminating or disabling various security tools.

The driver was signed using stolen, revoked certificates from Chinese vendors, giving it a veneer of legitimacy and allowing it to bypass traditional security controls.

How ABYSSWORKER Works

Once deployed, the ABYSSWORKER driver:

  • Registers its process as a protected system process

  • Listens for I/O control requests

  • Executes various malicious operations via specific control codes

Some of the most notable control codes include:

  • 0x222084 – Disable malware protection

  • 0x222144 – Terminate processes by PID

  • 0x222400 – Remove security notification callbacks

  • 0x222664 – Force system reboot

By removing notification callbacks (used by many security tools to detect suspicious activity), the malware can effectively blind EDR solutions — a tactic also seen in tools like EDRSandBlast and RealBlindingEDR.

The Risk of BYOVD Tactics

This attack is part of a larger trend. Threat actors are increasingly turning to legitimate, signed but vulnerable drivers to:

  • Bypass kernel-level protections

  • Disable security tools

  • Maintain long-term persistence

Another recent example includes an abuse of Check Point’s ZoneAlarm driver (vsdatant.sys) to disable Windows protections like Memory Integrity, gain privileged kernel access, and establish RDP access for persistence.

What’s the Goal?

The goal is straightforward: neutralize security defenses early, enabling ransomware deployment or broader system compromise without detection. Once controls are bypassed, attackers can:

  • Exfiltrate credentials

  • Dump sensitive data

  • Maintain persistent access

  • Drop additional payloads like backdoors or full ransomware encryptors

Elastic’s findings align with broader campaigns observed across the ransomware ecosystem — where custom tools like Betruger (used by RansomHub) act as multipurpose implants to assist with keylogging, privilege escalation, and lateral movement.

What Can Organizations Do?

To defend against BYOVD and driver-level attacks:

  • Implement driver control policies: Use features like Microsoft’s HVCI and Kernel Mode Code Integrity to block unsigned or revoked drivers.

  • Blocklist known malicious drivers: Maintain an updated list of banned drivers across the environment.

  • Monitor for anomalous kernel-level activity: Use EDR/XDR solutions that can detect suspicious driver loading behavior.

  • Deploy behavior-based detection: Signature-based detection won’t catch signed but malicious drivers—behavioural analytics is critical.
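One way to put the "monitor for anomalous kernel-level activity" advice into practice, as an added example that is not code from the original article or from Elastic: a small Python triage of Sysmon Event ID 6 (DriverLoad) records that flags a non-valid signature status, a load from outside the standard driver directory, and a driver name on a watchlist. Field names follow Sysmon; the sample records, signer strings, paths and the name-based watchlist are constructed for this example (real blocklists key on file hashes).

```python
"""Triage Sysmon-style DriverLoad (Event ID 6) records for BYOVD indicators."""
import re
from typing import Dict, List

# Driver names the article associates with BYOVD abuse. A production blocklist keys
# on hashes (e.g. Microsoft's vulnerable driver blocklist); names are a stand-in here.
WATCHLIST = {"smuol.sys", "vsdatant.sys"}
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events flattened to "Key=Value" text. Field names are Sysmon's;
# the paths, signer strings and status values are made up for this example.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\csagent.sys Signed=true Signature=CrowdStrike, Inc. SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\smuol.sys Signed=true Signature=Some Vendor Co Ltd SignatureStatus=Revoked",
    r"ImageLoaded=C:\Windows\Temp\vsdatant.sys Signed=true Signature=Check Point Software Technologies Ltd. SignatureStatus=Valid",
]

# Each value runs until the next " Key=" token or end of line, so signer names may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def driver_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: Dict[str, str]) -> List[str]:
    """Return the indicators one event trips; an empty list means nothing notable."""
    findings: List[str] = []
    path = event.get("ImageLoaded", "")
    status = event.get("SignatureStatus", "Unsigned")
    # A revoked or expired certificate still chains to a trusted root, so check the
    # status field rather than the mere presence of a signature.
    if event.get("Signed", "false").lower() != "true" or status.lower() != "valid":
        findings.append(f"signature status is {status}, not Valid")
    if not path.lower().startswith(TRUSTED_DRIVER_DIR):
        findings.append(f"loaded from outside the driver directory: {path}")
    if driver_name(path) in WATCHLIST:
        findings.append(f"driver name on watchlist: {driver_name(path)}")
    return findings


def triage_all(lines: List[str]) -> Dict[str, List[str]]:
    """Map each driver file name to the findings its load event produced."""
    return {driver_name(parse_event(l)["ImageLoaded"]): triage(parse_event(l)) for l in lines}
```

The vsdatant.sys record carries a valid signature yet still trips two rules, which is the article's point: a legitimately signed driver can be the attack tool, so signature checks alone are not enough.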

Final Thoughts

The Medusa ransomware campaign underscores how attackers continue to evolve, blending traditional ransomware delivery with advanced evasion techniques like BYOVD. Signed drivers have become a stealth weapon for bypassing defenses—reminding security teams that even trusted components can be a risk.

Security isn’t just about patching applications anymore. It's about defending the kernel—because once that’s compromised, everything above it is fair game.
