Driver-Based Ransomware Tactics
The Medusa ransomware group is using a malicious kernel driver, dubbed ABYSSWORKER, in a bring-your-own-vulnerable-driver (BYOVD) attack to blind endpoint detection and response (EDR) products. The driver, smuol.sys, is delivered by a loader packed with the HeartCrypt packer-as-a-service, poses as a legitimate CrowdStrike Falcon driver, and is signed with revoked or stolen certificates belonging to Chinese vendors. Once loaded it runs with kernel privileges: ABYSSWORKER can terminate processes, disable anti-malware components, and remove the kernel callbacks through which EDR sensors observe the system, leaving the attackers free to operate without being detected.
These tactics reflect a broader trend in ransomware operations toward low-level, kernel-resident tooling that evades modern protections. The technique works because Windows enforces code signing, not code behaviour, on drivers: a signed driver that is exploitable, or whose signing certificate was stolen, loads with full kernel privileges unless it is on Microsoft's vulnerable driver blocklist. Similar BYOVD abuse has been observed against outdated legitimate drivers such as Check Point's ZoneAlarm driver.
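The hunt a practitioner would run on a suspect host follows directly from the two signals above: a driver whose embedded version information names a security vendor that its Authenticode signer does not, or whose signature no longer validates. The following PowerShell is an added example, not code from the article, from Elastic, or from The Hacker News; it assumes an elevated PowerShell 5.1 or later session on Windows, and the `$ProtectedVendors` list is a hypothetical starting set to be extended for your environment.

```powershell
# Added example: list loaded kernel drivers whose vendor metadata and signer
# disagree, or whose signature does not validate. A BYOVD driver that claims to
# be a CrowdStrike Falcon component but is signed by an unrelated company, or
# with a revoked certificate, shows up here. Run from an elevated PowerShell.

# Hypothetical list of vendors an attacker is likely to impersonate.
$ProtectedVendors = @('CrowdStrike', 'SentinelOne', 'Microsoft', 'Sophos',
                      'Trend Micro', 'Palo Alto', 'ESET', 'Kaspersky', 'Check Point')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\...   \SystemRoot\System32\...   system32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspiciousDriver {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            $file    = Get-Item -LiteralPath $path
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $company = $file.VersionInfo.CompanyName
            $desc    = $file.VersionInfo.FileDescription
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $reasons = @()

            # Signal 1: chain does not validate on this host (revoked, untrusted,
            # tampered or unsigned). Report anything other than Valid for triage.
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

            # Signal 2: version info claims a security vendor the signer does not.
            foreach ($v in $ProtectedVendors) {
                $pattern = [regex]::Escape($v)
                $claims  = ($company -match $pattern) -or ($desc -match $pattern)
                if ($claims -and ($signer -notmatch $pattern)) {
                    $reasons += "claims '$v' but signed by '$signer'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Driver  = $_.Name
                    State   = $_.State
                    Path    = $path
                    Company = $company
                    Signer  = $signer
                    Status  = $sig.Status
                    Reason  = ($reasons -join '; ')
                }
            }
        }
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

Treat the output as a triage list rather than an alert: third-party drivers signed by a parent company or a reseller will trip the vendor-mismatch check, and a driver that is cleanly signed but known-vulnerable (the classic BYOVD case) will not appear at all, since its signature is genuine. For that class the control is prevention rather than hunting: enable Microsoft's recommended vulnerable driver block rules (enforced via HVCI or App Control) so the loader cannot bring the driver in the first place.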
Meanwhile, the RansomHub ransomware group has been linked to a custom backdoor called Betruger, which captures screenshots, logs keystrokes, and escalates privileges before the ransomware payload is launched. These developments underscore a shift toward stealthy, persistent access methods designed to bypass traditional defenses and set up broader compromise of the victim's systems.
Lakshmanan, Ravie. 2025. “Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates.” The Hacker News. Mar. 21.
READ: https://bit.ly/41Yc7Tg