Medusa disables anti-malware with signed malware
Researchers at Elastic Security Labs have uncovered a sophisticated new tactic used by the Medusa ransomware gang. The group disables anti-malware tools using malicious drivers signed with stolen certificates. This technique gives attackers elevated access and allows them to bypass security measures entirely before encrypting their victims’ systems.
A signed driver with malicious intent
At the core of this campaign is a kernel-mode driver that appears legitimate thanks to stolen digital certificates. These certificates, originally issued to trusted software vendors, allow the driver to load without raising alarms in Windows. Once active, the driver disables endpoint protection systems, such as antivirus and EDR tools, leaving the system wide open to attack.
This makes Medusa’s ransomware not only more dangerous, but significantly harder to detect or stop in time. With security software neutralised, the ransomware can encrypt files, delete backups, and leave behind a ransom note without interference.
Trust as a weapon
Digitally signed drivers are typically treated as safe by default. Medusa exploits this trust by using stolen certificates to sneak malicious components into the system. It’s a tactic that abuses the very mechanisms designed to keep users safe.
The malicious driver is built to terminate or impair a broad range of security products. This isn’t a blunt tool. It’s a tailored weapon that reflects a deep understanding of how modern defences operate and how to take them offline quietly.
The evolution of Medusa
Medusa has been active in the ransomware space for several years, operating under a ransomware-as-a-service (RaaS) model. Their victims span multiple industries, and their methods have steadily grown more advanced. This latest tactic, disabling defences at the kernel level, marks a significant step forward in their capabilities.
The group typically gains initial access through phishing emails or exposed RDP endpoints. From there, they deploy the malicious driver to disable security tools and then launch the ransomware payload to encrypt systems.
What defenders can do
This attack is a reminder that digital trust, including signed certificates, can be weaponised. To stay ahead of threats like this, security teams should:
- Monitor driver installations for unusual or recently signed drivers, even if they appear legitimate.
- Enable advanced OS-level protections, such as Microsoft’s HVCI (Hypervisor-Protected Code Integrity), to block untrusted kernel-mode drivers.
- Use behaviour-based detection in endpoint tools to catch suspicious activity that may bypass signature-based detection.
- Audit and limit certificate use, especially when relying on third-party drivers or tools.
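The first two points can be turned into a quick host check. The script below is an added example, not code from this article or from Elastic Security Labs: it inventories kernel drivers, verifies each one’s Authenticode signature, flags drivers whose signer is outside a trusted list or whose certificate was issued recently, and reports whether HVCI is running. The signer allowlist, the 30-day threshold and the path-normalisation helper are assumptions to tune for your environment.

```powershell
# Added example (not from the article or Elastic's research). Assumptions:
# the $TrustedSigners list, the $RecentDays window and Resolve-DriverPath.
$TrustedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')
$RecentDays     = 30   # a signing cert issued more recently than this is a review trigger

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName is not always a plain file path; normalise it.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''            # strip a leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path   # catalog-signed OS drivers verify too
    $cert = $sig.SignerCertificate
    $signer = if ($cert) { ($cert.Subject -split ',')[0] -replace '^CN=', '' } else { '<unsigned>' }
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "status=$($sig.Status)" }
    if ($cert -and -not $sig.IsOSBinary -and $signer -notin $TrustedSigners) { $reasons += 'third-party signer' }
    # Certificate NotBefore is used as a proxy for "recently signed".
    if ($cert -and $cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) { $reasons += 'recently issued cert' }
    [pscustomobject]@{
        Driver = $drv.Name
        State  = $drv.State
        Path   = $path
        Signer = $signer
        Thumb  = if ($cert) { $cert.Thumbprint } else { '' }
        Flags  = ($reasons -join '; ')
    }
}

# Only drivers with at least one flag need an analyst's attention; running ones first.
$report | Where-Object { $_.Flags } | Sort-Object State -Descending | Format-Table -AutoSize

# HVCI status: SecurityServicesRunning contains 2 when HVCI is active (1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
Write-Output ("HVCI running: {0}" -f $hvci)
```

A stolen-but-valid certificate will pass the `Status` check, which is exactly why the signer allowlist and recency flags exist; compare flagged thumbprints against your vendor inventory and revocation data rather than trusting `Valid` on its own.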
Final thoughts
Medusa’s use of stolen certificates and signed malware highlights how attackers continue to innovate. By turning trusted components into weapons, they dismantle security from within.
To stay protected, defenders must respond with vigilance and layered defences. Because in today’s threat landscape, even signed code can’t always be trusted.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.