- Researchers spotted Medusa ransomware operators deploying SMUOL.SYS
- The driver imitates a legitimate CrowdStrike Falcon driver
- Medusa actively targets critical infrastructure organizations
Medusa ransomware operators are using the well-worn bring your own vulnerable driver (BYOVD) technique to bypass endpoint detection and response (EDR) tools while the encryptor is installed.
Elastic Security Labs researchers noted that attacks begin with the threat actors dropping a loader, which deploys two things on the target endpoint: the vulnerable driver and the encryptor.
The driver in question is SMUOL.SYS, and it imitates a legitimate CrowdStrike Falcon driver named CSAGENT.SYS. It is said to have been signed with a certificate from a Chinese vendor; the researchers named the driver ABYSSWORKER.
A growing threat
“This loader was deployed alongside a driver signed with a revoked certificate from a Chinese vendor, which we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” Elastic Security Labs said in its report.
Using outdated, vulnerable drivers to kill antivirus and anti-malware tools is nothing new. The practice has existed for years and has been used to deploy malware, steal sensitive information, spread viruses, and more.
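A defender-side view of the pattern described above: a loader brings its own driver, which carries an EDR vendor's name in its file description but is signed by an unrelated, revoked certificate. The following is an added example, not code from the article or from Elastic's report; it scores constructed driver-load records (fields modelled on a Sysmon DriverLoad event, but the records themselves are made up) against three checks: a known-bad file name (SMUOL.SYS, from the article), a non-valid signature status, and a mismatch between the vendor the driver claims to be and the signer on its certificate. The signer string for the malicious record is a placeholder, not the real vendor.

```python
"""Flag kernel-driver loads that look like BYOVD abuse of an EDR look-alike driver.

Added example; not from the article or Elastic's report. Field names mimic a
Sysmon DriverLoad (Event ID 6) record, but every event below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Known-bad driver file names taken from the article. Anything else would be an
# assumption, so the list is intentionally short.
KNOWN_BAD_DRIVER_NAMES = {"smuol.sys"}

# Signature states that should never be acceptable for a kernel driver.
BAD_SIGNATURE_STATES = {"revoked", "expired", "unsigned", "invalid"}

# Identity an EDR driver claims (by file name) -> substring expected in its signer.
# CSAgent.sys -> CrowdStrike comes from the article.
EXPECTED_SIGNER_BY_NAME = {"csagent.sys": "crowdstrike"}


@dataclass
class DriverLoad:
    image: str             # full path of the loaded driver
    signer: str            # subject name of the signing certificate
    signature_status: str  # e.g. Valid, Revoked, Expired, Unsigned
    description: str       # file description / product name embedded in the PE


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess_driver_load(ev: DriverLoad) -> list[str]:
    """Return the reasons this load is suspicious (empty list if none)."""
    reasons: list[str] = []
    name = _basename(ev.image)
    signer = ev.signer.lower()
    status = ev.signature_status.lower()
    desc = ev.description.lower()

    if name in KNOWN_BAD_DRIVER_NAMES:
        reasons.append(f"file name {name} is on the known-bad driver list")
    if status in BAD_SIGNATURE_STATES:
        reasons.append(f"kernel driver loaded with signature status '{ev.signature_status}'")

    # Masquerading check: the driver claims an EDR vendor's identity (by file
    # name or by its embedded description) but is signed by someone else.
    claimed_vendor = None
    for vendor in set(EXPECTED_SIGNER_BY_NAME.values()):
        if vendor in desc:
            claimed_vendor = vendor
    expected = EXPECTED_SIGNER_BY_NAME.get(name, claimed_vendor)
    if expected and expected not in signer:
        reasons.append(f"claims to be a {expected} driver but is signed by '{ev.signer}'")
    return reasons


def flag_suspicious_driver_loads(events: list[DriverLoad]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every event that triggered at least one check."""
    flagged = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            flagged.append((ev.image, reasons))
    return flagged


# Constructed sample events: one legitimate CrowdStrike driver, one look-alike
# (signer name is a placeholder), one ordinary Microsoft driver, one unsigned test driver.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\CSAgent.sys", "CrowdStrike, Inc.",
               "Valid", "CrowdStrike Falcon Sensor"),
    DriverLoad(r"C:\Users\Public\smuol.sys", "PLACEHOLDER Chinese Software Co., Ltd.",
               "Revoked", "CrowdStrike Falcon"),
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys", "Microsoft Windows",
               "Valid", "TCP/IP Driver"),
    DriverLoad(r"C:\Temp\test.sys", "", "Unsigned", "Test driver"),
]

if __name__ == "__main__":
    for image, reasons in flag_suspicious_driver_loads(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The third check is the one that generalises beyond this campaign: any driver whose embedded description names an EDR vendor while its certificate subject does not is worth a look, whatever its file name, because a renamed copy defeats the name list but not the signer mismatch. In production the signature status should come from the host's own verification (including revocation), not from a field the sample can influence.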
The best way to mitigate potential threats is to keep your software up to date.
Medusa has become one of the most prolific ransomware-as-a-service (RaaS) operations.
Standing shoulder to shoulder with LockBit and RansomHub, Medusa has claimed responsibility for some of the biggest attacks of recent years, which prompted the United States government to issue a warning about its activities.
In mid-March 2025, the FBI, CISA and MS-ISAC said that Medusa had targeted more than 300 victims from a “variety of critical infrastructure sectors” as of February 2025.
“As of February 2025, Medusa developers and affiliates have impacted 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology and manufacturing,” the report said. “The FBI, CISA and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
Via The Hacker News