Medusa Ransomware Bypasses Security Using Vulnerable Drivers to Target Critical Infrastructure

Operators of the Medusa ransomware have been employing an old but effective tactic known as bring-your-own-vulnerable-driver (BYOVD) attacks. This approach allows them to bypass endpoint detection and response (EDR) tools and install their ransomware encryptor. Cybersecurity researchers from Elastic Security Labs discovered that the attackers initiate their campaigns by deploying an unnamed loader, which is responsible for installing both a vulnerable driver and the ransomware encryptor on targeted systems.

Medusa Ransomware Exploits Vulnerable Drivers to Evade Security and Deploy Attacks

The attackers use a driver named smuol.sys, which masquerades as a legitimate CrowdStrike Falcon driver called CSAgent.sys. The driver was reportedly signed by a Chinese vendor that researchers have labeled “ABYSSWORKER.” This driver plays a crucial role in disabling security tools, allowing Medusa ransomware to execute its encryption process undetected. The use of compromised or vulnerable drivers in cyberattacks is not a new technique, but it remains highly effective against outdated security defenses.

Elastic Security Labs emphasized that Medusa’s approach of deploying revoked or vulnerable drivers is part of a broader trend in cyber threats. Such techniques have been used for years to disable antivirus and malware removal tools, making systems more susceptible to ransomware and data theft. The best defense against these types of attacks is keeping security software up to date and ensuring that all system drivers are verified and patched against known vulnerabilities.
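One way a defender can act on that advice is to inventory the kernel drivers currently running, verify each one's Authenticode signature, and flag drivers whose file name matches the one reported above or that carry a security product's name without that vendor's signature. The script below is an added example, not code from Elastic Security Labs or from the article; it assumes an elevated PowerShell session on the host being checked, takes the file names smuol.sys and CSAgent.sys from the article, and also reports whether Microsoft's vulnerable-driver blocklist is switched on.

```powershell
# Added defensive check (not from the Elastic report): enumerate running kernel drivers,
# verify their Authenticode signatures, and flag anything that looks like a BYOVD candidate.
# Assumptions: elevated PowerShell on the host under review; the suspicious file name
# 'smuol.sys' and the impersonated name 'CSAgent.sys' are the ones named in the article.

$suspiciousNames = @('smuol.sys')                      # file names reported in the article
$impersonated    = @{ 'csagent.sys' = 'CrowdStrike' }   # expected signer fragment per security driver

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports NT-style paths; normalise them to plain Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $file   = [System.IO.Path]::GetFileName($path).ToLower()
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $reasons = @()
    if ($suspiciousNames -contains $file) { $reasons += 'file name reported as malicious' }
    if ($sig.Status -ne 'Valid')          { $reasons += "signature status: $($sig.Status)" }
    if ($impersonated.ContainsKey($file) -and $signer -notmatch $impersonated[$file]) {
        $reasons += "security-product file name but signer is '$signer'"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Driver = $drv.Name; Path = $path; Signer = $signer; Reason = ($reasons -join '; ') }
    }
}

# Is Microsoft's vulnerable-driver blocklist enabled? (value absent or 0 means off)
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"Vulnerable driver blocklist enabled: $([bool]$blocklist)"

$findings | Format-Table -AutoSize
```

A driver signed with a since-revoked certificate will not necessarily show as Invalid on every host, so treat a signature check as one signal alongside the blocklist state and the EDR's own driver telemetry.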

Medusa Ransomware Poses a Growing Threat to Critical Infrastructure and Organizations

Medusa has established itself as a major player in the Ransomware-as-a-Service (RaaS) market, rivaling well-known ransomware groups like LockBit and RansomHub. The group has been responsible for numerous high-profile attacks, prompting government agencies to take notice. Due to its increasing threat level, the U.S. government has issued multiple warnings about Medusa’s activities, urging organizations to strengthen their security measures.

According to a report released in March 2025 by the FBI, CISA, and MS-ISAC, Medusa ransomware has affected over 300 victims across various critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing.

Given the severity of these attacks, government agencies have advised organizations to follow recommended cybersecurity measures to mitigate the risks associated with Medusa ransomware. Implementing these strategies can significantly reduce the likelihood of falling victim to such sophisticated cyber threats.
