The Medusa ransomware-as-a-service (RaaS) operation has recently been observed using a malicious driver named ABYSSWORKER in Bring Your Own Vulnerable Driver (BYOVD) attacks. This technique allows threat actors to disable security software by exploiting legitimate, vulnerable drivers to gain kernel-level privileges. Continue reading this Cybersecurity Threat Advisory for information on how to limit the impact of this threat.
What is the threat?
The group behind Medusa ransomware is known for aggressive tactics, including double extortion. A critical tool in their arsenal is the ABYSSWORKER driver, which is loaded into the operating system’s kernel. Once active, the driver exploits vulnerabilities to gain elevated privileges, giving attackers system-level control.
Why is it noteworthy?
Medusa affiliates gain initial access via phishing, exploiting vulnerabilities, or brute-force attacks. They use ABYSSWORKER as a signed driver, bypassing security checks through a stolen or vulnerable certificate. Once in the kernel, it disables Endpoint Detection and Response (EDR) and antivirus (AV) software, evades detection by tampering with system logs, and allows the deployment of the ransomware payload. The malware encrypts files, appends a unique extension, and demands ransom for decryption, often stealing sensitive data to further pressure victims.
What is the exposure or risk?
With kernel-level privileges, ABYSSWORKER can disable security solutions and evade detection, allowing attackers to maintain long-term access. This leads to operational disruption, data loss, and financial damage from ransom demands. If attackers compromise third-party vendors, they can spread the malicious driver to multiple victims.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of Medusa ransomware attacks:
- Enable Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block untrusted drivers.
- Implement strict driver signing policies.
- Use advanced Endpoint Detection and Response (EDR) solutions, such as Barracuda Managed XDR Endpoint Security, to detect and prevent kernel-level attacks.
- Segment the network to limit the lateral movement of attackers.
- Maintain regular, offline backups of critical data.
- Restrict user privileges to minimize the impact of compromised accounts.
- Keep all software and drivers current to prevent exploitation of known vulnerabilities.
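The first two recommendations (HVCI/WDAC and strict driver signing) are the controls that directly decide whether a vulnerable driver can be loaded at all, so the practical question for a defender is "are they actually on, on this host?". The PowerShell audit below is an added example, not code from this advisory, from Barracuda, or from the referenced article. It assumes it runs elevated on Windows 10/11 or Server 2019+, and it relies on the documented Win32_DeviceGuard WMI class, the documented HVCI and CI\Config registry locations (the vulnerable driver blocklist switch exists on Windows 11 22H2 and later), and the status-code meanings Microsoft publishes for that class. The driver sweep at the end is a triage hint only: it lists running kernel drivers whose file is outside System32\drivers or whose Authenticode/catalog signature does not verify, which is where a dropped BYOVD driver usually stands out.

```powershell
# Added audit script (not from the advisory or Barracuda).
# Assumptions: run as Administrator; WMI class, registry paths and value names are the
# Microsoft-documented locations for Device Guard / HVCI / vulnerable driver blocklist.

function Describe-CiStatus([object]$code) {
    # CodeIntegrityPolicyEnforcementStatus values documented for Win32_DeviceGuard
    switch ($code) { 0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' } }
}

$report = [ordered]@{}

# 1. Virtualization-based security and HVCI (memory integrity) as currently running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    # VirtualizationBasedSecurityStatus: 2 = running; SecurityServicesRunning: 2 = HVCI
    $report['VBS running']           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report['HVCI running']          = ($dg.SecurityServicesRunning -contains 2)
    $report['WDAC kernel policy']    = Describe-CiStatus $dg.CodeIntegrityPolicyEnforcementStatus
    $report['WDAC user-mode policy'] = Describe-CiStatus $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} else {
    $report['Device Guard WMI'] = 'unavailable (class not present on this build)'
}

# 2. HVCI as configured in the registry (what survives a reboot).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvciCfg = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$report['HVCI configured'] = ($hvciCfg -eq 1)

# 3. Microsoft vulnerable driver blocklist switch (Windows 11 22H2+).
$ciCfg = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciCfg -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$report['Vulnerable driver blocklist'] =
    if ($blocklist -eq 1) { 'Enabled' } elseif ($null -eq $blocklist) { 'Not configured' } else { 'Disabled' }

# 4. Triage: running kernel drivers outside System32\drivers or with a non-verifying signature.
$sysDrivers = Join-Path $env:SystemRoot 'System32\drivers'
$toReview = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style prefixes WMI sometimes returns (\??\C:\... or \SystemRoot\...)
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -notlike "$sysDrivers*" }

$report.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
''
'Running drivers to review (unsigned, unverifiable, or outside System32\drivers):'
$toReview | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A host that meets the first two recommendations shows VBS and HVCI running, the kernel WDAC policy as Enforced (or at least Audit while a policy is being tuned), and the blocklist Enabled; inbox drivers are catalog-signed and verify as Valid, so anything left in the review table deserves a look. The script only reports; it changes no settings, so it is safe to run as a periodic compliance check across a fleet.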
Reference
For more in-depth information about the recommendations, please visit the following links:
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.