Medusa ransomware targets critical infrastructure, disabling protections
Medusa ransomware is a harmful program that can disable anti-malware tools. It loads a vulnerable driver, smuol.sys, to bypass security systems before deploying its encryption tool. Researchers found that this driver looks like a legitimate driver from a well-known security company. The attack begins with the attackers dropping a loader onto the target system; the loader installs the vulnerable driver and then the ransomware itself.

Medusa ransomware is particularly focused on critical infrastructure organizations, putting many sectors at risk. Elastic Security Labs reported that the attacker can silence several different endpoint protection solutions using this method. Abusing outdated drivers in attacks is not new, but it is a growing threat, and keeping software up to date is crucial to defend against such attacks.

Medusa has become a major player in the ransomware scene, alongside groups such as LockBit. In March 2025, the FBI and other agencies revealed that Medusa has targeted over 300 victims, including organizations in the healthcare, education, legal, and manufacturing sectors. Authorities recommend that organizations follow protective measures to reduce the risk of Medusa ransomware incidents.
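As an added, defender-side illustration (not code from the article or from Elastic's research), the loader-drops-driver, driver-loads, payload-starts sequence described above can be correlated in endpoint telemetry. The event format below is a constructed, simplified Sysmon-like layout (event ids 1, 6 and 11) and the sample events are made up; only the driver name smuol.sys comes from the article.

```python
from datetime import datetime, timedelta

# Driver name taken from the report above. Real rules should key on file hashes
# and signer details rather than on a filename the attacker can simply rename.
VULNERABLE_DRIVERS = {"smuol.sys"}

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_byovd_chains(events, window=timedelta(minutes=10)):
    """Flag a process that writes a blocklisted driver (FileCreate, id 11),
    which is then loaded (DriverLoad, id 6) and followed by a child process
    (ProcessCreate, id 1) of the same dropper inside `window`."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, drop in enumerate(events):
        if drop["id"] != 11 or _basename(drop["target"]) not in VULNERABLE_DRIVERS:
            continue
        loaded = False
        for nxt in events[i + 1:]:
            if _ts(nxt) - _ts(drop) > window:
                break
            if nxt["id"] == 6 and nxt["image"].lower() == drop["target"].lower():
                loaded = True
            elif loaded and nxt["id"] == 1 and nxt["parent_pid"] == drop["pid"]:
                alerts.append({"dropper": drop["image"], "driver": drop["target"],
                               "payload": nxt["image"], "at": nxt["ts"]})
                break
    return alerts

# Constructed sample telemetry (simplified Sysmon-like fields); not real IoCs.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01 09:00:00", "id": 1, "pid": 4242, "parent_pid": 900,
     "image": "C:\\Users\\Public\\loader.exe"},
    {"ts": "2025-03-01 09:00:05", "id": 11, "pid": 4242,
     "image": "C:\\Users\\Public\\loader.exe", "target": "C:\\Windows\\Temp\\smuol.sys"},
    {"ts": "2025-03-01 09:00:07", "id": 6, "image": "C:\\Windows\\Temp\\smuol.sys"},
    {"ts": "2025-03-01 09:00:09", "id": 1, "pid": 4300, "parent_pid": 4242,
     "image": "C:\\Users\\Public\\encryptor.exe"},  # placeholder payload name
    {"ts": "2025-03-01 09:30:00", "id": 6, "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
]

if __name__ == "__main__":
    for alert in find_byovd_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign tcpip.sys load and the loader's own start produce no alert; only the full drop, load, spawn chain does.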