Driver-Based Ransomware Tactics
ID: 0eb38bea-799c-5a6d-846e-9fba5a4311cf
STIX ID: report--0eb38bea-799c-5a6d-846e-9fba5a4311cf
Feed Name: Canary Trap
The report describes Medusa using a malicious signed driver (ABYSSWORKER / smuol.sys) in a BYOVD (bring-your-own-vulnerable-driver) attack: the driver is delivered via a HeartCrypt-packed loader, masquerades as a CrowdStrike component, and is used to disable endpoint detection and response (EDR) tools so that ransomware can be deployed without triggering alerts. It also details RansomHub's use of the Betruger backdoor for reconnaissance and privilege escalation. Together these cases reflect a trend toward low-level, evasive tactics in modern ransomware operations.
