<h1>Medusa ransomware using malicious driver as EDR killer</h1>
<p>Published 2025-03-24 by Chelsie Wyatt on the TSFactory Community blog: <a href="https://www.tsfactory.com/forums/blog/medusa-ransomware-using-malicious-driver-as-edr-killer/">https://www.tsfactory.com/forums/blog/medusa-ransomware-using-malicious-driver-as-edr-killer/</a></p>
<p>A Medusa ransomware campaign is using a malicious driver to disrupt and even delete endpoint detection and response (EDR) products on targeted organization networks.</p>
<p>According to <a href="https://www.elastic.co/security-labs/abyssworker">new research</a> from Elastic Security Labs, the malicious driver, dubbed ABYSSWORKER, is deployed along with a packer-as-a-service called HeartCrypt to deliver Medusa ransomware. Elastic noted the driver was <a href="https://www.linkedin.com/pulse/attackers-leveraging-microsoft-teams-defaults-quick-assist-p1u5c/">first documented</a> in a ConnectWise post in January involving a different campaign of IT support scams using Microsoft Teams.</p>
<p>In the Medusa ransomware attacks, Elastic found that the malicious driver imitates a legitimate CrowdStrike Falcon driver and uses digital certificates from other companies to masquerade as a legitimate program.</p>
<p>“All samples are signed using likely stolen, revoked certificates from Chinese companies,” Cyril François, senior research engineer at Elastic Security Labs, wrote in the blog post. “These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver.”</p>
<p>Despite being revoked, such code-signing certificates can still be effective for malicious programs like ABYSSWORKER. Because drivers run with kernel access, blocking one can degrade performance or crash the system, so operating systems such as Windows still allow some drivers with revoked certificates to load.</p>
<p>“Our understanding is that the way Windows validates driver signatures allows some drivers with ‘vintage’ certificates in their certificate chain to be installed and executed,” Devon Kerr, director of threat research at Elastic, told Cybersecurity Dive.</p>
<p>Kerr also said that techniques allowing threat actors to alter the signing dates of certificates, which make expired or revoked certificates appear to be valid, could be a factor in these types of attacks.</p>
<p>As a result, drivers have become increasingly popular hacking tools in recent years. They give attackers kernel access and can enable privileged actions, such as terminating the processes of EDR and other security products. Threat actors can develop their own malicious drivers like ABYSSWORKER or engage in “<a href="https://www.cybersecuritydive.com/news/microsoft-signed-driver-used-in-ransomware-attacks/741372/">bring your own vulnerable driver</a>” (BYOVD) attacks, in which they exploit a flaw in a legitimate driver and use it for malicious activity.</p>
<p><a href="https://www.cybersecuritydive.com/news/medusa-ransomware-malicious-driver-edr-killer/743181/">Read the Full Story Here</a></p>
<p>Source: Cybersecurity Dive</p>