ABYSSWORKER: A New EDR-Killer In Medusa Ransomware Attacks
A new ransomware campaign, Medusa, is being delivered via a HEARTCRYPT-packed loader. The loader deploys a driver, ABYSSWORKER, that is signed with a revoked certificate and disables various EDR solutions. ABYSSWORKER masquerades as a legitimate CrowdStrike Falcon driver, uses obfuscation techniques, and registers callbacks to monitor process creation, image loading, and handle creation in order to protect its client process.
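The two properties the summary highlights, a kernel driver loaded with a revoked signature and a driver name that borrows an EDR vendor's branding, are both visible in driver-load telemetry. The following is an added example (not code from the report or from any vendor) that triages driver-load events for those traits. It assumes a simplified, pipe-separated rendering of the Sysmon Event ID 6 (DriverLoad) fields ImageLoaded, Signed, Signature and SignatureStatus; the sample events, the `EXPECTED_SIGNER` keyword-to-publisher map and the trusted-directory list are constructed for illustration and would be tuned to a real estate.

```python
"""Triage Sysmon-style driver-load events for EDR-killer tradecraft.

Added example for this summary; not code from the report or any vendor.
Input is a simplified, pipe-separated rendering of Sysmon Event ID 6
(DriverLoad) fields: ImageLoaded, Signed, Signature, SignatureStatus.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample events. Paths, publisher strings and file names are
# placeholders invented for this example, not indicators from the report.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\example-vendor.sys|Signed=true"
    "|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\falcon-sensor-helper.sys|Signed=true"
    "|Signature=Placeholder Revoked Publisher Ltd|SignatureStatus=Revoked",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\falcon-sensor-placeholder.sys"
    "|Signed=true|Signature=CrowdStrike, Inc.|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\edrfix.sys|Signed=false"
    "|Signature=|SignatureStatus=Unsigned",
]

# Assumption: the defender keeps a map from brand keywords that appear in EDR
# driver names to the publisher string expected on the genuine driver.
# Both sides of this map are illustrative and must be tuned per environment.
EXPECTED_SIGNER = {
    "crowdstrike": "CrowdStrike, Inc.",
    "falcon": "CrowdStrike, Inc.",
}

# Directory from which properly installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; a key without '=' maps to ''."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage_event(line: str) -> Finding | None:
    """Return a Finding for a suspicious driver load, or None if it looks clean."""
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "")
    lowered = image.lower()
    name = lowered.rsplit("\\", 1)[-1]
    signer = ev.get("Signature", "")
    status = ev.get("SignatureStatus", "")
    reasons: list[str] = []
    severity = "low"

    # 1. A kernel driver whose signature is not currently valid. Revoked is the
    #    important case: the file was once signed, and a host that does not
    #    enforce revocation at load time will still load it.
    if ev.get("Signed", "").lower() != "true" or status != "Valid":
        reasons.append(f"signature status is {status or 'unknown'}")
        severity = "high"

    # 2. The file name claims an EDR vendor but the publisher does not match.
    for keyword, expected in EXPECTED_SIGNER.items():
        if keyword in name and signer != expected:
            reasons.append(
                f"name suggests {expected} but signer is {signer or '<none>'}"
            )
            severity = "high"
            break

    # 3. Loaded from outside the standard driver directory.
    if not lowered.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from a non-standard directory")
        if severity == "low":
            severity = "medium"

    if not reasons:
        return None
    return Finding(image=image, severity=severity, reasons=reasons)


def triage(lines) -> list[Finding]:
    """Run triage_event over an iterable of event lines, keeping only hits."""
    return [f for f in (triage_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: " + "; ".join(f.reasons))
```

On the constructed input the genuinely signed vendor driver and the unrelated valid driver produce no finding, while the revoked-signature driver with a vendor-style name and the unsigned driver in a user-writable directory are both raised as high severity. The revocation check is the one worth keeping even if the name heuristic is noisy: it flags the driver regardless of what it is called.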