- Researchers spot Medusa ransomware operators deploying smuol.sys
- The driver mimics a legitimate CrowdStrike Falcon driver
- Medusa actively targets critical infrastructure organizations
Medusa ransomware operators are relying on a bring-your-own-vulnerable-driver (BYOVD) attack to bypass endpoint detection and response (EDR) tools when deploying their encryptor.
Researchers at Elastic Security Labs observed that the attacks begin with the threat actors dropping an unnamed loader, which deploys two things on the target endpoint: the vulnerable driver and the encryptor.
The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver called CSAgent.sys. It is also signed by a Chinese vendor, and the researchers have named it ABYSSWORKER.
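The attack chain above (a loader that drops a lookalike driver carrying a revoked certificate, which is then used to silence EDR) leaves traces in driver-load telemetry. The following is an added detection example, not code from the article or from Elastic Security Labs: it runs over constructed Sysmon Event ID 6 style driver-load records and flags a driver that loads with a revoked signature, that claims in its file metadata to belong to an EDR vendor while carrying a filename that vendor does not ship, or that loads from outside the standard driver directory. The vendor allowlist, the placeholder signer name and the assumption that the lookalike copies the vendor's description string are all assumptions for illustration.

```python
"""Flag kernel-driver loads that fit the BYOVD pattern described in the article.

Added example, not code from the article or from Elastic Security Labs.
Records mimic Sysmon Event ID 6 (driver load) fields; the allowlist and
sample values are constructed assumptions.
"""

# Constructed sample events; all values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\CSAgent.sys",
     "Signature": "CrowdStrike, Inc.", "SignatureStatus": "Valid",
     "Description": "CrowdStrike Falcon Sensor"},
    {"ImageLoaded": r"C:\Users\Public\smuol.sys",
     "Signature": "EXAMPLE-VENDOR-CO LTD",         # placeholder signer, not a real name
     "SignatureStatus": "Revoked",
     "Description": "CrowdStrike Falcon Sensor"},  # assumed: lookalike copies vendor metadata
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Description": "NDIS 6.20 driver"},
]

# Assumed allowlist: driver filenames each EDR vendor is expected to ship.
EDR_VENDOR_DRIVERS = {
    "crowdstrike": {"csagent.sys"},
}

# Directory from which Windows normally loads kernel drivers (lower-cased for comparison).
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def classify(event):
    """Return the list of findings for one driver-load event (empty if nothing is suspicious)."""
    findings = []
    path = event["ImageLoaded"].lower()
    filename = path.rsplit("\\", 1)[-1]
    status = event["SignatureStatus"].lower()
    description = event["Description"].lower()

    # (a) Revoked or otherwise invalid signature on a kernel driver.
    if status != "valid":
        findings.append(f"signature status is {event['SignatureStatus']}")

    # (b) Metadata names an EDR vendor, but the filename is not one that vendor ships.
    for vendor, known_files in EDR_VENDOR_DRIVERS.items():
        if vendor in description and filename not in known_files:
            findings.append(f"claims to be a {vendor} driver but {filename} is not in its allowlist")

    # (c) Driver loaded from outside the standard driver directory.
    if not path.startswith(EXPECTED_DRIVER_DIR):
        findings.append(f"loaded from non-standard location {event['ImageLoaded']}")

    return findings


def scan(events):
    """Map each suspicious driver path to its findings; benign loads are omitted."""
    results = {}
    for event in events:
        findings = classify(event)
        if findings:
            results[event["ImageLoaded"]] = findings
    return results


if __name__ == "__main__":
    for driver, reasons in scan(SAMPLE_EVENTS).items():
        print(driver)
        for reason in reasons:
            print("  -", reason)
```

Only the smuol.sys record produces findings (three of them); the genuine CSAgent.sys load and the Microsoft driver pass all three checks. In a real deployment the allowlist would be populated from the vendor's documented driver inventory, and rule (c) would be tuned per environment, since some legitimate products load drivers from their own install directories.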
A growing threat
“This loader was deployed alongside a revoked-certificate-signed driver from a Chinese vendor we name ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” Elastic Security Labs said in its report.
Using outdated, vulnerable drivers to kill antivirus and anti-malware tools is nothing new. The practice has been around for years and is used to deploy malware, steal sensitive information, spread viruses, and more.
The best way to mitigate the threat is to keep your software up to date.
Medusa ransomware has become one of the most prolific ransomware-as-a-service (RaaS) operations.
Alongside LockBit and RansomHub, Medusa has claimed responsibility for some of the biggest attacks in recent years, which prompted the United States government to issue a warning about its activities.
In mid-March 2025, the FBI, CISA, and MS-ISAC said that Medusa had targeted more than 300 victims across a “variety of critical infrastructure sectors” as of February 2025.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the report says. “The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
Via The Hacker News