
Medusa Ransomware Brings Its Own Vulnerable Driver


Hackers Use Stolen Certificates to Bypass Endpoint Detection and Response

Prajeet Nair (@prajeetspeaks) • March 24, 2025

A Russian-speaking ransomware group has been deploying a malicious Windows PE driver that imitates a legitimate CrowdStrike Falcon driver to bypass endpoint security, researchers warn.


"Bring Your Own Vulnerable Driver" is a well-trod method attackers use to disable security tools from kernel mode, and the Medusa ransomware operation has apparently been using it since last August, researchers from Elastic said.

Samples of the driver found on VirusTotal, named smul.sys, were signed, likely with stolen or revoked certificates belonging to Chinese companies. Medusa has been active since mid-2021 and recently has been on the cutting edge of shakedown tactics through a triple extortion scheme meant to coerce victims into paying for a decryptor twice over, the U.S. federal government warned ...
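As an added example (not code from the article or from Elastic's research), the following Python flags driver-load events that show the traits described above: a signing certificate that is revoked or absent, a signer that does not match the vendor a driver's file name claims, a hash on a denylist, or a load from outside the normal driver directories. The input records are constructed to mimic the fields of Sysmon Event ID 6 (DriverLoad); the timestamps, paths, hashes, the "Example Software Co., Ltd." signer and the expected-signer map are assumptions for illustration only.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads.

Added example, standard library only. Field names follow Sysmon; every value in
SAMPLE_EVENTS is constructed and does not come from any published sample.
"""
import os
from dataclasses import dataclass, field

# Constructed records in a "Key: value | Key: value" layout (not Sysmon's XML).
SAMPLE_EVENTS = [
    "UtcTime: 2025-03-10 01:12:44.101 | ImageLoaded: C:\\Windows\\System32\\drivers\\CSAgent.sys"
    " | Hashes: SHA256=" + "11" * 32 + " | Signed: true | Signature: CrowdStrike, Inc."
    " | SignatureStatus: Valid",
    "UtcTime: 2025-03-10 01:13:02.557 | ImageLoaded: C:\\Users\\Public\\smul.sys"
    " | Hashes: SHA256=" + "22" * 32 + " | Signed: true | Signature: Example Software Co., Ltd."
    " | SignatureStatus: Revoked",
    "UtcTime: 2025-03-10 01:13:09.004 | ImageLoaded: C:\\Windows\\Temp\\helper.sys"
    " | Hashes: SHA256=" + "33" * 32 + " | Signed: false | Signature: - | SignatureStatus: Unavailable",
    "UtcTime: 2025-03-10 01:14:11.330 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys"
    " | Hashes: SHA256=" + "44" * 32 + " | Signed: true | Signature: Microsoft Windows"
    " | SignatureStatus: Valid",
    "UtcTime: 2025-03-10 01:15:40.912 | ImageLoaded: C:\\Windows\\Temp\\CSAgent.sys"
    " | Hashes: SHA256=" + "55" * 32 + " | Signed: true | Signature: Example Software Co., Ltd."
    " | SignatureStatus: Valid",
]

# Placeholder denylist; an analyst would fill this from vendor IOCs (e.g. the smul.sys hashes).
KNOWN_BAD_SHA256 = {"22" * 32}

# Hypothetical map: a driver using this file name should carry this vendor in its signer.
EXPECTED_SIGNER = {"csagent.sys": "crowdstrike"}

# Directories from which an installed driver is normally expected to load.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signer: str
    status: str
    findings: list = field(default_factory=list)


def parse_event(line: str) -> DriverLoad:
    """Parse one 'Key: value | ...' record into a DriverLoad."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if digest:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> list:
    """Append a finding for every suspicious trait; an empty list means no concern."""
    name = os.path.basename(ev.image.replace("\\", "/")).lower()
    if not ev.signed:
        ev.findings.append("unsigned driver")
    elif ev.status.lower() != "valid":  # Revoked, Expired, Unavailable, ...
        ev.findings.append(f"signature status {ev.status}")
    expected = EXPECTED_SIGNER.get(name)
    if expected and expected not in ev.signer.lower():
        ev.findings.append(f"{name} signed by '{ev.signer}', expected {expected}")
    if ev.sha256 in KNOWN_BAD_SHA256:
        ev.findings.append("hash on denylist")
    if not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        ev.findings.append(f"loaded from untrusted path {ev.image}")
    return ev.findings


def triage(lines) -> list:
    """Return only the DriverLoad records that produced at least one finding."""
    return [ev for ev in map(parse_event, lines) if assess(ev)]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev.utc_time, ev.image)
        for finding in ev.findings:
            print("   -", finding)
```

One caveat worth keeping in mind when reading the output: Windows kernel code integrity does not consult revocation lists when it loads a driver, so a driver signed with a since-revoked certificate still loads unless its hash or certificate is covered by the Microsoft vulnerable driver blocklist or a code-integrity (WDAC) policy on the host. Telemetry-side checks like the one above, which see the signer name and the verification status reported at logging time, are therefore where a revoked or mismatched signer actually becomes visible.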


Copyright of this story solely belongs to bankinfosecurity.