Summary: The Medusa ransomware operation employs a malicious driver, ABYSSWORKER, in a BYOVD (bring your own vulnerable driver) attack to disable anti-malware tools. The driver is signed with stolen certificates so that it poses as a legitimate system driver, which lets it bypass security controls and gives the attacker detailed control over its actions. Separately, a new backdoor called Betruger has been associated with RansomHub; it extends that group's ransomware capabilities so the operation no longer relies solely on a traditional encrypting payload.
Affected: Organizations using endpoint detection and response (EDR) systems; Windows systems.
Keypoints:
- The ABYSSWORKER driver targets EDR products from multiple vendors and silences them, effectively disabling their protective measures.
- Malware signed with stolen certificates provides a deceptive trust layer, allowing it to evade detection by security tools.
- The Betruger backdoor is notable for combining several malicious functionalities, reducing the need for multiple tools during ransomware preparations.
- Threat actors exploit vulnerable legitimate drivers to gain elevated privileges for further system control and data exfiltration.
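A defender-side triage check for the BYOVD technique described above, added here as an example and not taken from the article or from any vendor tooling: it enumerates running kernel drivers on a Windows host, verifies each image's Authenticode signature, and flags drivers whose signature is not Valid or that load from outside the standard drivers directory. The directory path and the "Valid" threshold are assumptions for illustration; the cmdlets and classes used are standard Windows PowerShell.

```powershell
# Added triage example (not from the article): list running kernel drivers and
# flag those whose Authenticode status is anything other than Valid, or whose
# image lives outside the standard drivers directory (assumed location).
# The signer subject and thumbprint are emitted so they can be compared
# against your own allow-list and Microsoft's vulnerable driver blocklist.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

$findings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a file path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service    = $_.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            OutsideDrv = -not $path.StartsWith($driversDir, [System.StringComparison]::OrdinalIgnoreCase)
        }
    }

# Anything not Valid (NotSigned, HashMismatch, NotTrusted, UnknownError) or
# loaded from an unusual location deserves a second look. A driver signed with
# a stolen certificate that has not yet been revoked will still report Valid,
# so review the Signer and Thumbprint columns rather than trusting Status alone.
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' -or $_.OutsideDrv }
$suspect | Sort-Object Status | Format-Table -AutoSize
```

Run it in an elevated session; on a host where every driver is Valid and in the expected directory the table is empty, which is itself the baseline to compare against after an incident.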
Source: https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html