- Researchers observe Medusa ransomware operators deploying smuol.sys
- The driver mimics a legitimate CrowdStrike Falcon driver
- Medusa is actively targeting critical infrastructure organizations
Operators of the Medusa ransomware are engaging in old-fashioned Bring Your Own Vulnerable Driver (BYOVD) attacks, bypassing endpoint detection and response (EDR) tools while installing the encryptor.
Cybersecurity researchers at Elastic Security Labs noted that the attacks begin when the threat actors drop a loader that writes two things to the target endpoint: the vulnerable driver and the ransomware encryptor.
The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver named CSAgent.sys. It is also said to be signed by a Chinese vendor; the researchers call the driver AbyssWorker.
A growing threat
“This loader was deployed together with a driver signed with a revoked certificate from a Chinese vendor, which we named AbyssWorker, which it installs on the victim machine and then uses to target and silence various EDR vendors,” Elastic Security Labs said in its report.
Using outdated and vulnerable drivers to kill antivirus and anti-malware tools is nothing new. The practice has been around for years and is used to deploy malware, steal sensitive information, propagate viruses and more.
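The attack chain described above (a loader that drops a driver which borrows a legitimate vendor's name, is signed with a revoked certificate, and is then used to silence EDR) leaves several independent traces in driver-load telemetry. The following script is an added example, not code from the article or from Elastic Security Labs: it applies defender-side heuristics to constructed driver-load records shaped like Sysmon DriverLoad fields. The expected CrowdStrike driver directory, the signer strings, the blocklist hash and all sample records are assumptions or constructed values; only the filename smuol.sys comes from the article.

```python
"""Triage driver-load records for Bring Your Own Vulnerable Driver (BYOVD) indicators.

Added example, not code from the original article or from Elastic Security Labs.
Input records are constructed to resemble Sysmon Event ID 6 (DriverLoad) fields.
"""
from dataclasses import dataclass, field

# Assumption: where the genuine CrowdStrike sensor driver is expected to live.
VENDOR_PROFILES = {
    "crowdstrike": {
        "names": {"csagent.sys"},
        "directory": r"c:\windows\system32\drivers\crowdstrike",
        "keywords": ("crowdstrike", "falcon"),
    },
}
KNOWN_BAD_NAMES = {"smuol.sys"}          # driver filename named in the article
BLOCKLIST_SHA256 = {"00" * 32}           # constructed placeholder hash, not a real IoC
TRUSTED_SIGNATURE_STATES = {"valid"}
UNTRUSTED_DIR_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


@dataclass
class Finding:
    image: str
    reasons: list[str] = field(default_factory=list)


def split_windows_path(image: str) -> tuple[str, str]:
    """Return (directory, filename) for a backslash-separated path, lower-cased."""
    lowered = image.lower()
    if "\\" not in lowered:
        return "", lowered
    directory, _, name = lowered.rpartition("\\")
    return directory, name


def triage_driver_load(event: dict) -> Finding:
    """Apply BYOVD heuristics to one driver-load record and list the reasons it tripped."""
    image = event.get("image", "")
    directory, name = split_windows_path(image)
    reasons: list[str] = []

    if name in KNOWN_BAD_NAMES:
        reasons.append(f"filename {name} is a known abused driver")

    if event.get("sha256", "").lower() in BLOCKLIST_SHA256:
        reasons.append("SHA-256 matches the vulnerable-driver blocklist")

    status = event.get("signature_status", "").lower()
    if status not in TRUSTED_SIGNATURE_STATES:
        reasons.append(f"signature status is '{status or 'unknown'}' rather than valid")

    # Mimicry: the file claims to be a vendor's driver but is not that vendor's
    # known driver name loaded from that vendor's known directory.
    claimed = " ".join((event.get("description", ""), event.get("signer", ""))).lower()
    for vendor, profile in VENDOR_PROFILES.items():
        if any(kw in claimed for kw in profile["keywords"]):
            if name not in profile["names"] or directory != profile["directory"]:
                reasons.append(f"claims to be a {vendor} driver but is {image}")

    if any(marker in directory + "\\" for marker in UNTRUSTED_DIR_MARKERS):
        reasons.append(f"loaded from user-writable or temporary location {directory}")

    return Finding(image=image, reasons=reasons)


def triage_all(events: list[dict]) -> list[Finding]:
    """Return only the records that tripped at least one heuristic."""
    return [f for f in map(triage_driver_load, events) if f.reasons]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\drivers\CrowdStrike\csagent.sys",
     "description": "CrowdStrike Falcon Sensor", "signer": "CrowdStrike, Inc.",
     "signature_status": "Valid", "sha256": "11" * 32},
    {"image": r"C:\Users\Public\smuol.sys",
     "description": "CrowdStrike Falcon Sensor", "signer": "Example Vendor Co., Ltd.",
     "signature_status": "Revoked", "sha256": "00" * 32},
    {"image": r"C:\Windows\System32\drivers\tcpip.sys",
     "description": "TCP/IP Driver", "signer": "Microsoft Windows",
     "signature_status": "Valid", "sha256": "22" * 32},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

Each heuristic is independent on purpose: a renamed copy of a vulnerable driver defeats the filename check, a freshly signed one defeats the hash check, and a driver dropped into the vendor's directory defeats the path check, but it is hard to defeat all of them at once, which is why the findings carry every reason that tripped rather than a single verdict.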
The best way to reduce potential threats is to keep your software up to date.
Medusa ransomware has grown into one of the most prolific Ransomware-as-a-Service (RaaS) operations around.
Medusa stands shoulder to shoulder with LockBit and RansomHub and has claimed responsibility for some of the biggest attacks of recent years, prompting the US government to issue a warning about its activities.
In mid-March 2025, the FBI, CISA and MS-ISAC said that, as of February 2025, Medusa had targeted more than 300 victims across a “variety of critical infrastructure sectors”.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology and manufacturing,” the report said. “The FBI, CISA and MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
Via The Hacker News