Analysis Summary

The MEDUSA ransomware operation has been observed using a highly sophisticated malicious driver known as ABYSSWORKER to disable endpoint detection and response (EDR) systems, significantly enhancing its stealth and effectiveness. This driver is deployed alongside a HEARTCRYPT-packed loader as part of the ransomware attack chain, with a primary objective of evading security mechanisms.

According to the Researcher, ABYSSWORKER specifically targets EDR vendors, neutralizing their defenses and allowing the ransomware to operate undetected. Notably, the driver is signed with revoked certificates from Chinese companies, helping it bypass security checks that verify driver signatures. Additionally, it masquerades as a legitimate CrowdStrike Falcon driver, leveraging deceptive metadata such as company names and file descriptions to appear authentic.

Once deployed, ABYSSWORKER establishes a device object and symbolic link for communication with its client process, creating a concealed and persistent channel for malicious activities. The driver creates the device "\device\czx9umpTReqbookF" and assigns a symbolic link "??\fqg0Et4KlNt4s1JT," enabling covert interactions. A crucial capability of this driver is its sophisticated client protection mechanism, which prevents other processes from accessing or terminating the malware client. It does so by adding the client process ID to a protection list while stripping access rights from existing handles targeting the malware. This ensures that security solutions are unable to detect or neutralize the ransomware, allowing it to execute its payload without interference.

ABYSSWORKER is also equipped with various DeviceIoControl handlers that enable different malicious functionalities through specific IO control codes. For instance, control code 0x222080 activates the malware after verifying a hardcoded password, while 0x222400 removes security callbacks and devices by module name. Additionally, the driver supports commands for copying files (0x222184), terminating processes (0x222144), and even rebooting the compromised system (0x222664). Most critically, it can dismantle EDR protections by erasing security notification callbacks, replacing driver major functions with dummy implementations, and terminating system threads associated with security software. Furthermore, it detaches MiniFilter devices responsible for monitoring file system activity, effectively blinding security mechanisms.

Given the severity of this threat, the Researcher has released YARA rules to help organizations detect and mitigate the ABYSSWORKER driver. The ability of this malware to manipulate system processes, disable EDR solutions, and disguise itself as a legitimate security driver makes it a significant risk to enterprise security. Organizations must implement robust detection strategies, regularly update security defenses, and leverage advanced threat intelligence solutions to counteract the evolving tactics of the MEDUSA ransomware group.

Impact

• Security Bypass
• File Encryption
• Privilege Escalation
• Compromised System

Indicators of Compromise

MD5

• 988d7cdc386b2731acc86bbc883e5f31

• 9e82ee5bde6b5d29281a3c280e6d1f2e

SHA-256

• 6a2a0f9c56ee9bf7b62e1d4e1929d13046cd78a93d8c607fe4728cc5b1e8d050

• b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505

SHA-1

• 9beea553275b92485fd80e06d27477a2d3656a26

• 75f85caea52fe5a124fa77e2934abd3161690add

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Deploy next-gen EDR solutions that can detect and respond to driver-based attacks.
• Enable behavior-based anomaly detection to identify suspicious activities even if the malware is signed.
• Regularly check for unauthorized drivers masquerading as legitimate security software.
• Implement kernel-mode monitoring to detect unauthorized driver loading attempts.
• Restrict driver installation permissions to prevent rogue drivers from being loaded.
• Enforce least privilege access for system-level processes.
• Monitor for unexpected modifications to security software processes.
• Ensure operating systems, security tools, and drivers are fully updated.
• Revoke and blacklist compromised or revoked digital certificates to prevent exploitation.
• Use network segmentation to limit the spread of ransomware.
• Deploy intrusion detection/prevention systems (IDS/IPS) to detect malicious driver-related activities.
• Monitor for unusual outbound traffic, which may indicate ransomware activity.
• Maintain frequent, offline, and immutable backups to prevent data loss.
• Develop and test incident response plans to quickly isolate and remediate infected systems.
• Educate employees on ransomware tactics to reduce the risk of social engineering attacks.