MEDUSA ransomware operators have added a kernel-mode weapon to their intrusions: a malicious driver, tracked as ABYSSWORKER, whose job is to blind and disable endpoint detection and response (EDR) products on the infected host. With the EDR sensor silenced, the ransomware can operate undetected, which greatly increases the damage it can do; a layer of defense that would normally catch and contain the attack is simply removed. The driver is dropped alongside the HEARTCRYPT-packed loader as one stage of MEDUSA's multi-stage attack chain, which adds to the complexity and potency of the malware.
One of the most concerning aspects of ABYSSWORKER is that it can target and disable EDR products from multiple vendors rather than a single one.
The driver is signed with revoked certificates belonging to Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co. and Fuzhou Dingxin Trade Co., which gets it past the driver-signature checks that gate kernel code. Revocation alone is weak protection here: Windows code integrity does not consult revocation lists when it loads a kernel driver, so a driver carrying a stolen or revoked signature still loads unless its hash or certificate appears in the Microsoft vulnerable driver blocklist enforced through HVCI or WDAC. To look legitimate to anyone inspecting the file, the driver also masquerades as a CrowdStrike Falcon driver, copying the company name, file description and other version metadata of that trusted security product. The disguise works against analysts and tools that judge a driver by its embedded metadata rather than by the identity of its Authenticode signer.
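The masquerading described above is exactly what a signer-versus-metadata check catches: the version resource says CrowdStrike, the certificate says somebody else. The following is an added example written for this page, not the article's code or any vendor's. It runs that check, plus a signature-status and known-abused-signer check, over a constructed driver inventory whose fields mirror what PowerShell's Get-AuthenticodeSignature and a file's VersionInfo would give you. The records, the file name susp_driver.sys and the subject strings are constructed; the status strings are whatever a collector emits (anything other than "Valid" is a finding); only the two company names come from the text.

```python
"""Flag kernel drivers whose version metadata claims one vendor while the
Authenticode signer is another, or whose signer is a known abused certificate.

Added example, not code from the original article or from any vendor.  The
inventory below is constructed by hand; on a real host the same fields would
come from (Get-Item <path>).VersionInfo and Get-AuthenticodeSignature in
PowerShell, or from driver-load telemetry.  Status strings are whatever the
collector emits; anything other than "Valid" is treated as a finding."""
import re

CORP_SUFFIXES = {"inc", "ltd", "co", "corp", "corporation", "limited", "llc", "gmbh"}


def normalize_company(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes, for loose comparison."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in CORP_SUFFIXES)


def subject_org(subject_dn: str) -> str:
    """Return the O= component of an X.500 subject (CN= if O= is absent).
    Values may be quoted when they contain commas, e.g. O="CrowdStrike, Inc."."""
    for key in ("O", "CN"):
        m = re.search(rf'(?:^|,\s*){key}=(?:"([^"]*)"|([^,]+))', subject_dn)
        if m:
            return (m.group(1) or m.group(2)).strip()
    return ""


# Certificate holders the article names as revoked and abused by ABYSSWORKER.
KNOWN_ABUSED_SIGNERS = {normalize_company(n) for n in (
    "Foshan Gaoming Kedeyu Insulation Materials Co.",
    "Fuzhou Dingxin Trade Co.",
)}


def assess_driver(rec: dict) -> list:
    """Return findings for one driver record; an empty list means nothing odd."""
    findings = []
    org = subject_org(rec["signer_subject"])
    if rec["signature_status"] != "Valid":
        findings.append(f"signature status is {rec['signature_status']}")
    if normalize_company(org) in KNOWN_ABUSED_SIGNERS:
        findings.append(f"signer '{org}' is a known abused certificate")
    claimed, actual = normalize_company(rec["company_name"]), normalize_company(org)
    # A product's CompanyName and its signer's O= normally agree; a driver that
    # claims CrowdStrike but is signed by an unrelated company is masquerading.
    if claimed and actual and claimed not in actual and actual not in claimed:
        findings.append(f"metadata claims '{rec['company_name']}' but signer is '{org}'")
    return findings


def scan(inventory: list) -> dict:
    """Map driver path -> findings, for drivers that have at least one."""
    return {r["path"]: f for r in inventory if (f := assess_driver(r))}


# Constructed records (not taken from a real host).  The last one mimics the
# ABYSSWORKER pattern: Falcon metadata, unrelated revoked signer, odd location.
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\drivers\CSAgent.sys",
     "company_name": "CrowdStrike, Inc.",
     "file_description": "CrowdStrike Falcon Sensor",
     "signer_subject": 'CN="CrowdStrike, Inc.", O="CrowdStrike, Inc.", L=Irvine, S=California, C=US',
     "signature_status": "Valid"},
    {"path": r"C:\Windows\System32\drivers\tcpip.sys",
     "company_name": "Microsoft Corporation",
     "file_description": "TCP/IP Driver",
     "signer_subject": "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
     "signature_status": "Valid"},
    {"path": r"C:\Users\Public\susp_driver.sys",          # hypothetical file name
     "company_name": "CrowdStrike, Inc.",
     "file_description": "CrowdStrike Falcon Sensor",
     "signer_subject": 'CN="Foshan Gaoming Kedeyu Insulation Materials Co., Ltd.", '
                       'O="Foshan Gaoming Kedeyu Insulation Materials Co., Ltd.", C=CN',
     "signature_status": "Revoked"},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_INVENTORY).items():
        print(path)
        for f in findings:
            print("  -", f)
```

The comparison is deliberately loose (corporate suffixes and punctuation are dropped, and a substring match is accepted) so that "Microsoft Corporation" in the version resource matches an O=Microsoft Corporation signer without a hand-maintained alias table; what it will not accept is a Falcon description over a signer with no relation to CrowdStrike at all.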
Once loaded, ABYSSWORKER creates a device object and a symbolic link so that the ransomware's user-mode client can open the device and send it I/O control requests; this is the channel through which the client drives the driver. The driver also implements a client-protection mechanism to stop other processes from inspecting or terminating the ransomware client: it adds the client's process ID to a protection list and strips access rights from any handles other processes already hold to that process, so that no external program, security software included, can interfere with or stop it.
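What "strip access rights from existing handles" means concretely is an access-mask filter over process handles. Below is an added model written for this page, not the article's code or the driver's: a protected-PID list, the filter a kernel object pre-operation callback (registered with ObRegisterCallbacks, which sees handle create and duplicate operations for process objects) would apply, and a sweep over handles that were already open, since a callback never sees those. The PROCESS_* constants are the real winnt.h values; the HandleProtector class, the handle table and the PIDs are constructed for the demonstration.

```python
"""Model of the client-protection logic the article describes: a list of
protected process IDs and an access-mask filter applied to handles that other
processes open, duplicate or already hold to a protected process.

Added example, not code from the original article or from the driver.  In the
kernel this logic lives in an object pre-operation callback registered with
ObRegisterCallbacks, which sees OB_OPERATION_HANDLE_CREATE and
OB_OPERATION_HANDLE_DUPLICATE for process objects; existing handles are not
delivered to the callback, so they must be swept separately.  The PROCESS_*
constants are the real values from winnt.h; HandleProtector and the handle
table are a model."""

PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080
PROCESS_SET_QUOTA = 0x0100
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
STANDARD_RIGHTS_REQUIRED = 0x000F0000
SYNCHRONIZE = 0x00100000
PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF   # 0x1FFFFF

# Rights that let another process stop, suspend, inject into or tamper with the
# protected client.  In this model query rights and SYNCHRONIZE are left intact
# so that tools like Task Manager still list the process and nothing obviously
# breaks, which keeps the tampering less visible.
STRIPPED_RIGHTS = (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                   | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE
                   | PROCESS_CREATE_PROCESS | PROCESS_SET_QUOTA
                   | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME)


class HandleProtector:
    """Protected-PID list plus the filter a pre-operation callback would apply."""

    def __init__(self):
        self.protected_pids = set()

    def protect(self, pid):
        self.protected_pids.add(pid)

    def unprotect(self, pid):
        self.protected_pids.discard(pid)

    def filter_access(self, caller_pid, target_pid, desired_access, kernel_handle=False):
        """Access granted for one open/duplicate request.  Kernel handles and a
        process opening itself are exempt, as a real callback must leave the
        system and the protected client itself functional."""
        if target_pid not in self.protected_pids or kernel_handle or caller_pid == target_pid:
            return desired_access
        return desired_access & ~STRIPPED_RIGHTS

    def sweep_existing(self, handle_table):
        """Strip rights from handles opened before protection was enabled.
        handle_table: list of dicts {owner_pid, target_pid, access}; returns
        the number of handles whose access mask changed."""
        changed = 0
        for h in handle_table:
            new = self.filter_access(h["owner_pid"], h["target_pid"], h["access"])
            if new != h["access"]:
                h["access"] = new
                changed += 1
        return changed


def demo():
    """Constructed scenario: an EDR service (PID 1200) already holds a
    full-access handle to the client (PID 4242) when protection is enabled."""
    prot = HandleProtector()
    table = [
        {"owner_pid": 1200, "target_pid": 4242, "access": PROCESS_ALL_ACCESS},   # EDR -> client
        {"owner_pid": 4242, "target_pid": 4242, "access": PROCESS_ALL_ACCESS},   # client -> self
        {"owner_pid": 1200, "target_pid": 3000, "access": PROCESS_ALL_ACCESS},   # EDR -> other
    ]
    prot.protect(4242)
    changed = prot.sweep_existing(table)
    # A later OpenProcess(PROCESS_TERMINATE | QUERY_LIMITED) from the EDR keeps only the query bit.
    later = prot.filter_access(1200, 4242, PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION)
    return changed, table[0]["access"], later


if __name__ == "__main__":
    changed, edr_access, later = demo()
    print(f"handles modified: {changed}, EDR handle now 0x{edr_access:X}, later open 0x{later:X}")
```

The two exemptions are the part worth noticing: the same callback mechanism is what legitimate EDRs use for self-protection, and a callback that strips rights from kernel handles or from the protected process's handles to itself would crash or cripple the very thing it protects, so any implementation, benign or malicious, has to carry these carve-outs.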
ABYSSWORKER also attacks the EDR directly. It removes the kernel notification callbacks (the process, thread, image-load and similar notifications that security drivers register in order to observe activity), replaces the major functions of targeted drivers with dummy implementations so that requests sent to them are silently discarded, and kills system threads that belong to security software. Together these capabilities make it a highly effective tool for blinding detection and keeping the ransomware running on the victim's system for as long as the operators need. Because the sensor is blinded after the driver loads, the driver-load event itself, with its signer and file metadata, is often the last reliable telemetry a defender gets and is the event to alert on.