Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 927 of 2,445    |
|    Mike Powell to All    |
|    Medusa ransomware is able    |
|    25 Mar 25 08:50:00    |
TZUTC: -0500
MSGID: 647.consprcy@1:2320/105 2c47f1db
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

Medusa ransomware is able to disable anti-malware tools, so be on your guard

Date: Mon, 24 Mar 2025 16:13:10 +0000

Description: Medusa is bringing its own vulnerable driver that helps it kill EDR solutions before deploying the encryptor.

FULL STORY
======================================================================

- Researchers spot Medusa ransomware operators deploying smuol.sys
- This driver mimics a legitimate CrowdStrike Falcon driver
- Medusa is actively targeting critical infrastructure organizations

Operators of the Medusa ransomware are engaging in old-fashioned bring-your-own-vulnerable-driver (BYOVD) attacks, bypassing endpoint protection, detection and response (EDR) tools while installing the encryptor.

Cybersecurity researchers Elastic Security Labs noted the attacks start as the threat actors drop an unnamed loader, which deploys two things on the target endpoint: the vulnerable driver, and the encryptor.

The driver in question is smuol.sys, and it mimics a legitimate CrowdStrike Falcon driver named CSAgent.sys. It was also said to have been signed by a Chinese vendor the researchers dubbed ABYSSWORKER.

A growing threat

"This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," Elastic Security Labs said in its report.
Using outdated and vulnerable drivers to kill antivirus and malware removal tools is nothing new. The practice has been around for years and is being used to deploy malware, steal sensitive information, propagate viruses, and more.

The best way to mitigate potential threats is to keep your software updated.

Medusa ransomware has grown into one of the most prolific Ransomware-as-a-service (RaaS) providers around.

Standing shoulder to shoulder with LockBit, or RansomHub, Medusa has taken responsibility for some of the biggest attacks in recent years, prompting the US government to issue a warning about its activities.

In mid-March 2025, the FBI, CISA, and MS-ISAC said Medusa targeted more than 300 victims from a variety of critical infrastructure sectors, by February 2025.

"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," the report says. "FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents."
Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/medusa-ransomware-is-able-to-disable-anti-malware-tools-so-be-on-your-guard

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
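As an added example that is not part of the post or of the Elastic report it cites: a small triage heuristic for kernel-driver load telemetry that flags the pattern the article describes, a driver posing as a known EDR vendor's driver and/or carrying a revoked signature. The record layout, field names, the vendor allowlist and the sample events are all assumptions constructed for this example, not a real tool's schema.

```python
from dataclasses import dataclass

# Assumed allowlist of driver file names the vendor really ships (lowercase).
KNOWN_VENDOR_DRIVERS = {"crowdstrike": {"csagent.sys"}}
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class DriverLoad:
    host: str
    image: str            # full path of the loaded driver
    signer: str           # subject name on the signing certificate
    sig_status: str       # "valid", "revoked", "expired" or "unsigned"
    claimed_company: str  # CompanyName from the file's version resource


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons a load looks like a BYOVD attempt (empty list = clean)."""
    reasons = []
    path = ev.image.lower()
    name = path.rsplit("\\", 1)[-1]
    if ev.sig_status != "valid":          # revoked/expired/unsigned signer
        reasons.append(f"signature status is {ev.sig_status}")
    if not path.startswith(TRUSTED_DRIVER_DIR + "\\"):
        reasons.append(f"loaded from unusual location {ev.image}")
    for vendor, files in KNOWN_VENDOR_DRIVERS.items():
        claims_vendor = vendor in ev.claimed_company.lower()
        if claims_vendor and name not in files:   # look-alike file name
            reasons.append(f"claims {vendor} but {name} is not a known {vendor} driver")
        if (name in files or claims_vendor) and vendor not in ev.signer.lower():
            reasons.append(f"{name} signed by {ev.signer!r}, not by {vendor}")
    return reasons


def triage(events: list[DriverLoad]) -> dict[tuple[str, str], list[str]]:
    """Map (host, image) to its reasons for every event that is not clean."""
    return {(e.host, e.image): r for e in events if (r := assess(e))}


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    DriverLoad("ws01", r"C:\Windows\System32\drivers\CSAgent.sys",
               "CrowdStrike, Inc.", "valid", "CrowdStrike, Inc."),
    DriverLoad("ws02", r"C:\Users\Public\smuol.sys",
               "Example Driver Co. Ltd.", "revoked", "CrowdStrike, Inc."),
    DriverLoad("ws03", r"C:\Windows\System32\drivers\CSAgent.sys",
               "Example Driver Co. Ltd.", "valid", "CrowdStrike, Inc."),
]

for key, reasons in triage(SAMPLE_EVENTS).items():
    print(key, "->", "; ".join(reasons))
```

The third sample shows why a file-name allowlist alone is not enough: the name matches the genuine driver, and only the signer check catches it.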
(c) 1994, bbs@darkrealms.ca