
published 15 days ago

Cybercriminals Use Custom Drivers to Disable EDR for MEDUSA Ransomware

- Reported on March 20, cybercriminals are increasingly bringing their own kernel drivers onto victim systems to disable endpoint detection and response (EDR) software, either by abusing legitimate drivers with known vulnerabilities or by deploying custom-built malicious ones.
- A recent financially motivated campaign observed by Elastic Security Labs delivered MEDUSA ransomware via a HEARTCRYPT-packed loader. The loader installs a malicious driver, ABYSSWORKER, signed with certificates stolen from Chinese vendors, to get past EDR protections.
- The driver uses several obfuscation techniques, brute-forces handle values to strip handles held on target processes, and exposes DeviceIoControl (IOCTL) handlers that carry out a range of malicious actions, such as deleting files, disabling security software, and terminating system threads.
- A client unlocks these capabilities by supplying a hardcoded password; combined with a mechanism that resolves kernel APIs at runtime, this gives the driver extensive control over system processes.
- Additionally, it removes kernel callbacks and replaces functions to blind EDRs, making detection and prevention more challenging.
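A driver like the one described above has to be loaded before it can strip handles or remove callbacks, so the driver-load event is the place to catch it. As an added example (not code from the page or from Elastic's report), the Python below triages Sysmon Event ID 6 (DriverLoad) records: it flags drivers that are unsigned or whose signature status is anything other than Valid (a stolen certificate is typically revoked once the theft is noticed), drivers loaded from outside the system driver directories, and drivers whose signer appears on an analyst-maintained watchlist. The event lines, file names, and the watchlist signer name are constructed for the example; the field names follow Sysmon's DriverLoad schema.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for bring-your-own-driver loads.

Added example: the event records and the signer watchlist below are
constructed placeholders, not indicators from the campaign.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories a legitimately installed kernel driver normally loads from.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Hypothetical watchlist of signer subjects known to be abused; an analyst
# would populate this from their own threat intel (lower-cased for matching).
ABUSED_SIGNERS = {
    "example abused signer co., ltd.",
}

# Constructed Sysmon Event ID 6 records, flattened to "Key: value|Key: value".
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys"
    "|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "ImageLoaded: C:\\ProgramData\\loader_drv.sys"
    "|Signed: true|Signature: Example Abused Signer Co., Ltd.|SignatureStatus: Revoked",
    "ImageLoaded: C:\\Users\\Public\\tmp.sys"
    "|Signed: false|Signature: |SignatureStatus: Unavailable",
]


@dataclass
class Finding:
    image: str
    score: int
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into fields; only the first ':' separates
    key from value, so drive letters in paths survive intact."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(fields: Dict[str, str]) -> Optional[Finding]:
    """Score one DriverLoad record; return None when nothing is suspicious."""
    image = fields.get("ImageLoaded", "")
    reasons: List[str] = []
    score = 0

    status = fields.get("SignatureStatus", "").lower()
    if fields.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
        score += 3
    elif status != "valid":
        # Revoked, expired or otherwise broken chain: the signature existed
        # once but no longer vouches for the file.
        reasons.append(f"signature status {status}")
        score += 3

    if fields.get("Signature", "").lower() in ABUSED_SIGNERS:
        reasons.append("signer on abused-certificate watchlist")
        score += 2

    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        # Drivers dropped by a loader tend to live in writable user paths.
        reasons.append("loaded from outside the driver store")
        score += 2

    if score == 0:
        return None
    return Finding(image=image, score=score, reasons=reasons)


def run_triage(events: List[str] = SAMPLE_EVENTS) -> List[Finding]:
    """Triage every record and return findings, highest score first."""
    findings = [f for f in (triage(parse_event(e)) for e in events) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for finding in run_triage():
        print(f"[{finding.score}] {finding.image}: {', '.join(finding.reasons)}")
```

In a real pipeline the path allowlist should be tightened to match how drivers are deployed in the environment, and the watchlist match should be paired with the certificate thumbprint rather than the subject string alone, since a subject name is trivially reused.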