
Threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver called ABYSSWORKER as part of a bring-your-own-vulnerable-driver (BYOVD) attack aimed at disabling anti-malware protections.
Elastic Security Labs reported that it observed a Medusa attack in which the ransomware was delivered by a loader packed with a packer-as-a-service (PaaS) called HeartCrypt.

“This loader was deployed with a driver with a revoked certificate from a Chinese vendor we have dubbed ABYSSWORKER, which it installs on the victim’s machine and then uses to attack and silence various EDR vendors,” the company said in its report.

The driver in question, “smuol.sys”, mimics the legitimate CrowdStrike Falcon driver (“CSAgent.sys”). Dozens of ABYSSWORKER artifacts have been found on the VirusTotal platform, dating from August 8, 2024 to February 25, 2025. All identified samples are signed using likely stolen and revoked certificates from Chinese companies.

Because the malicious driver is signed, it carries the appearance of trust and can be loaded without drawing attention from security systems. It is worth noting that the same EDR-killing driver was previously documented by ConnectWise in January 2025 under the name "nbwdv.sys".
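The report's key defensive point is that a signed driver is not a trustworthy driver: the signature may come from a stolen or since-revoked certificate, and the file name may imitate a legitimate product. The following PowerShell script is an added example for defenders, not code from Elastic or the report; it enumerates the kernel drivers registered on a Windows host, checks each file's Authenticode status, and flags drivers that are unsigned or have a non-valid status, that live outside the system driver directories, or whose file name matches one of the names given on this page. The `$knownNames` list and the "outside System32 is suspicious" heuristic are assumptions for illustration; run it in an elevated session.

```powershell
# Added example (not from the Elastic report): triage kernel drivers on a Windows
# host for signature problems, unusual locations, or file names reported here.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.

# Driver file names taken from this page; extend as needed.
$knownNames = @('smuol.sys', 'nbwdv.sys')

$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may be reported as \??\C:\... or \SystemRoot\...; normalize to a plain path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $leaf = Split-Path -Leaf $path

    [pscustomobject]@{
        Name        = $d.Name
        State       = $d.State
        Path        = $path
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Issuer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
        # Assumption: a third-party driver outside the Windows driver directories deserves a look.
        OutsideSystemDirs = -not ($path -like "$env:SystemRoot\System32\*" -or
                                  $path -like "$env:SystemRoot\SysWOW64\*")
        KnownBadName = $knownNames -contains $leaf.ToLowerInvariant()
    }
}

# Report anything that is not cleanly signed, is in an unusual location, or matches a reported name.
$suspicious = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.OutsideSystemDirs -or $_.KnownBadName
}

$suspicious | Sort-Object KnownBadName, Status -Descending |
    Format-Table Name, State, Status, KnownBadName, Signer, Path -AutoSize
```

One caveat when reading the output: `Get-AuthenticodeSignature` reports chain trust and does not necessarily perform a revocation check, so a driver signed with a certificate that was later revoked can still show `Valid`. That is why the signer subject and issuer are included for manual review, and why a driver whose signer is a company unrelated to the product its file name imitates (as with a CrowdStrike-looking name signed by an unrelated vendor) is the pattern to look for, rather than relying on the status column alone.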