Medusa Ransomware: What You Need To Know


What is the Medusa ransomware?

Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers.

Initial access brokers?

Initial access brokers (IABs) specialise in gaining unauthorised access to the networks of organisations, and then sell that access to other cybercriminals – such as ransomware gangs like Medusa.

So the ransomware attackers may not be the ones who initially hacked you?

Correct. IABs may be skilled at breaking into a network, but are not necessarily interested in stealing your data and/or negotiating a ransom. IABs enable ransomware gangs to attack multiple targets simultaneously, helping them to reduce the overall time it takes to deploy ransomware, increase the chances of success, and maximise their profits.

And the attacks aren’t spotted?

Like any other malicious hackers, the Medusa attackers do their best to avoid detection. In the case of Medusa ransomware attacks, they appear to take advantage of the “living off the land” technique, where attackers use legitimate tools and resources already present on a victim’s network to carry out malicious activities. Instead of relying on external malware, which security software is more likely to flag, this technique blends in with legitimate administrative activity and helps the attackers to evade detection.

So Medusa provides a platform for others to carry out ransomware attacks?

Yes, their affiliates use the Medusa platform to launch the attacks, and when a ransom is received, it is shared between the different parties.

And I guess what the ransomware does is the standard fare?

Copies of sensitive files are exfiltrated by the attackers, and the versions left on the victim’s systems are encrypted. The extension .MEDUSA is appended to the names of encrypted files.

The ransomware also makes efforts to make recovery more difficult after an attack, wiping a form of Microsoft Windows data backup called volume shadow copies, and deleting backup files created by programs such as Windows Backup.

In addition, virtual hard disks (VHDs) used by virtual machines are deleted. A ransom note is left, demanding payment for decryption of the encrypted files – with the threat that the stolen files will be published if a ransom is not paid by a deadline.
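The recovery-inhibition behaviour described above (wiping shadow copies, deleting backup data and VHDs) and the “living off the land” point made earlier are both worth illustrating with detection logic, because the tools involved are built into Windows and appear constantly in legitimate administration. The script below is an added example, not code from the article or from Medusa: it scans constructed, Sysmon-style process-creation records, matches the arguments (not just the image name) of well-known shadow-copy, backup-catalog, boot-recovery and VHD deletion commands, and then counts how many distinct destructive commands one user ran on one host, since a burst of them is a far stronger signal than any single hit. The command-line patterns are generic recovery-inhibition commands, not a claimed list of Medusa’s exact commands; the log format and field names are an assumption made for the example.

```python
"""Flag backup/shadow-copy destruction in process-creation logs.

Added example. The records below are constructed, Sysmon-style lines in an
assumed 'key=value|key=value' format; the patterns are generic Windows
recovery-inhibition commands, not Medusa's actual command lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

# (label, regex over the full command line). Matching on arguments, not just
# the executable name, keeps ordinary admin use (e.g. 'vssadmin list shadows')
# out of the results.
RECOVERY_INHIBITION_PATTERNS = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("vhd_delete", re.compile(r"\b(?:del|erase|remove-item)\b.*\.(?:vhdx|vhd)\b", re.I)),
]


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    label: str
    command_line: str


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def scan_events(lines):
    """Return one Finding per record whose command line matches a pattern."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for label, pat in RECOVERY_INHIBITION_PATTERNS:
            if pat.search(cmd):
                findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"),
                                        ev.get("ParentImage", "?"), label, cmd))
                break
    return findings


def bursts(findings, threshold=2):
    """Map (host, user) -> number of hits, keeping only pairs at or above threshold.

    One shadow-copy deletion may be an admin reclaiming disk space; several
    different destructive commands from the same account on the same host
    within one log window look like pre-encryption recovery inhibition.
    """
    counts = Counter((f.host, f.user) for f in findings)
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample log: one legitimate backup job, one harmless listing,
# and a run of destructive commands from a single user.
SAMPLE_EVENTS = """
Computer=FS01|User=CORP\\svc_backup|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=C:\\Windows\\System32\\wbadmin.exe start backup -backupTarget:E: -include:C:
Computer=FS01|User=CORP\\jdoe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet
Computer=FS01|User=CORP\\jdoe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic.exe shadowcopy delete
Computer=FS01|User=CORP\\jdoe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wbadmin.exe delete catalog -quiet
Computer=FS01|User=CORP\\jdoe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=bcdedit.exe /set {default} recoveryenabled No
Computer=HV01|User=CORP\\jdoe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=Remove-Item -Force D:\\VMs\\*.vhdx
Computer=WS07|User=CORP\\asmith|ParentImage=C:\\Windows\\explorer.exe|CommandLine=vssadmin.exe list shadows
"""

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS.splitlines())
    for f in hits:
        print(f"{f.host:5} {f.user:16} {f.label:17} <- {f.command_line}")
    for (host, user), n in bursts(hits).items():
        print(f"BURST: {n} recovery-inhibition commands by {user} on {host}")
```

Run stand-alone it lists five hits and one burst (FS01, CORP\jdoe); the legitimate `wbadmin start backup` job and the `vssadmin list shadows` query produce nothing, which is the point of matching on arguments rather than on the presence of a built-in tool.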

Where are the stolen files published?

Medusa, like many other ransomware gangs, operates a leak site on the dark web. The so-called “Medusa blog” publicises a list of hacked organisations, alongside a countdown informing the victims of their payment deadline.

In addition to the dark web leak site, accessible via Tor, Medusa also publicises hacks and publishes stolen data on its public Telegram channel, making its leaks more accessible than those of many other ransomware groups.

What types of organisation does Medusa target?

Medusa targets a wide variety of industry sectors, but judging by those it has listed on its leak website those sectors most affected include high tech, manufacturing, and education. The largest proportion of Medusa’s targets appear to be located in the United States, followed by the United Kingdom, Canada, Australia, France, and Italy. It’s noticeable that organisations based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan do not appear in the list of victims.

Presumably the lack of attacks on CIS countries is quite intentional?

It’s hard to argue otherwise. That’s small consolation, of course, for those organisations based in countries that Medusa has no qualms about attacking.

What organisations have been hit by Medusa?

Past victims have included the Minneapolis Public Schools (MPS) district, which failed to pay a million-dollar ransom and saw approximately 92 GB of its stolen data released to the public. The group has also bragged in the past about stealing the source code of the Microsoft products Bing Maps and Cortana. Other Medusa ransomware victims have included cancer centres and British high schools.

And these ransomware victims have had their data leaked by Medusa?

Yes, and not just on the group’s site on the dark web. Medusa has its own “media team” that publicises its leaks, posting on its public Telegram channel, and even going so far as to publish videos showing evidence of stolen data.

So how can my company protect itself from Medusa?

The best advice is to follow the same recommendations on how to protect your organisation from other ransomware. Those include:

  • making secure offsite backups.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • encrypting sensitive data wherever possible.
  • reducing the attack surface by disabling functionality that your company does not need.
  • educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.
