A Medusa ransomware campaign is using a malicious kernel driver to disrupt, and in some cases delete, endpoint detection and response (EDR) products on targeted organizations' networks.
According to new research from Elastic Security Labs, the malicious driver, dubbed ABYSSWORKER, is deployed alongside a packer-as-a-service called HeartCrypt to deliver Medusa ransomware. Elastic noted the driver was first documented in a January ConnectWise post about a different campaign, in which attackers ran IT support scams over Microsoft Teams.
In the Medusa ransomware attacks, Elastic found that the malicious driver imitates a legitimate CrowdStrike Falcon driver and is signed with code-signing certificates belonging to unrelated companies so that it passes as legitimate software.
"All samples are signed using likely stolen, revoked certificates from Chinese companies," Cyril François, senior research engineer at Elastic Security Labs, wrote in the blog post. "These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver."
Despite being revoked, such code-signing certificates remain effective for malicious drivers like ABYSSWORKER. When Windows verifies a kernel driver's signature, it checks that the signature chains to a trusted root and satisfies its driver-signing policy, but it does not consult certificate revocation lists, and it continues to load drivers signed with certificates issued before its 2015 driver-signing policy change. Revoking a certificate therefore stops nothing on its own; blocking a specific driver requires a denylist such as Microsoft's vulnerable driver blocklist or a matching EDR rule.
As a result, drivers have become increasingly popular hacking tools in recent years. They give attackers kernel access and enable privileged actions, such as terminating the processes of EDR and other security products. Threat actors can develop their own malicious drivers like ABYSSWORKER, or they can mount "bring your own vulnerable driver" (BYOVD) attacks in which they load a legitimate, validly signed driver that has a known flaw and exploit that flaw to get kernel-level read, write or process-termination primitives.
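Because the operating system will not do the revocation check for you, a defender has to do it. The following PowerShell script is an added example for this article, not code from Elastic Security Labs, ConnectWise or the Medusa/ABYSSWORKER research: it enumerates the drivers registered on a Windows host, verifies each file's Authenticode signature, and then rebuilds the signer's certificate chain with revocation checking switched on, so drivers carrying revoked, untrusted or missing signatures are surfaced with their signer's subject beside the file path. It assumes an elevated PowerShell session (Windows PowerShell 5.1 or PowerShell 7) and, unless -Offline is given, network access for CRL/OCSP lookups.

```powershell
# Added example: audit registered kernel drivers for unsigned, invalid, or
# revoked Authenticode signatures. Not part of the original research or article.
# Run from an elevated PowerShell prompt.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Online revocation checking needs network access; -Offline uses only
        # cached CRLs/OCSP responses already present on the host.
        [switch]$Offline
    )

    $revocationMode = if ($Offline) { 'Offline' } else { 'Online' }
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

    # Win32_SystemDriver lists kernel and file-system drivers known to the
    # Service Control Manager, running or not. PathName may be a Win32 path,
    # a \??\C:\... NT path, or a \SystemRoot\... path; normalise all three.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Get-AuthenticodeSignature verifies the embedded or catalog signature,
            # but its Status may not reflect revocation, so the chain is rebuilt
            # explicitly below with revocation checking enabled.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $revoked = $false
            $chainErrors = @()

            if ($sig.SignerCertificate) {
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = $revocationMode
                $chain.ChainPolicy.RevocationFlag = 'EntireChain'
                [void]$chain.Build($sig.SignerCertificate)

                # ChainStatus is empty for a clean chain. Each entry's Status is a
                # flags enum, so test the Revoked bit rather than comparing strings.
                $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
                $revoked = @($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }).Count -gt 0
            }

            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Revoked     = $revoked
                ChainErrors = ($chainErrors -join ';')
                # Anything not cleanly signed, or signed with a revoked chain, is
                # worth an analyst's attention. A file name that claims one vendor
                # while Signer names an unrelated company is a further red flag;
                # that comparison is left to the analyst reading the output.
                Suspicious  = ($revoked -or $sig.Status -ne 'Valid')
            }
        }
}

# Usage: show only drivers that fail the checks, running drivers first.
Get-DriverSignatureReport |
    Where-Object Suspicious |
    Sort-Object State, Name |
    Format-Table Name, State, SigStatus, Revoked, Signer, Path -AutoSize
```

Two caveats when reading the output. Inbox Windows drivers are catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature resolves the catalog on supported Windows versions, but a host with a damaged catalog store can show them as NotSigned, so treat NotSigned on a Microsoft-signed file as a prompt to investigate rather than a verdict. Second, an expired certificate on an old but properly timestamped driver is normal (the chain reports NotTimeValid), whereas Revoked is never normal and is exactly the condition the loader ignores.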
Deleting EDR
ABYSSWORKER exposes file and process primitives that let an attacker terminate EDR processes or permanently delete the products' files from disk. It can also "blind" EDR products by removing the kernel callback notifications those products have registered with specific APIs, so the security software stops receiving the process, thread and file events it depends on, François wrote.
A joint cybersecurity advisory from CISA, the FBI and the Multi-State Information Sharing and Analysis Center earlier this month warned that Medusa has hit more than 300 organizations in two years, many of them in critical infrastructure sectors. The advisory also noted the ransomware gang's use of BYOVD attacks to disrupt or delete EDR.
ConnectWise's post said the malicious driver appeared to target SentinelOne products in the earlier campaign. Elastic noted, however, that ABYSSWORKER now targets products from several different EDR vendors.