Medusa ransomware outbreak reveals data leaks and multi-extortion approaches

Medusa is a ransomware group whose activity is growing. A report published on January 11 by Palo Alto Networks’ Unit 42 states that the group has started a blog where victims may choose from a range of payment options.

The Medusa Blog allows the group to post information it has stolen, with the warning that the data will be released if the victim fails to meet the group’s ransom demands.

According to Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos:

As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data. All of these options have a price tag depending on the organisation impacted by this group.

Early in 2023, Medusa gained attention as a ransomware-as-a-service (RaaS) platform, having first appeared in late 2022. Windows environments have been its main area of interest. It is worth noting that Medusa is not the same as MedusaLocker, another RaaS that has been operating since 2019.

Recently, the group’s activity has increased significantly, as seen in the launch of the new Medusa Blog. The cybercriminals launched this blog on a .onion domain via Tor in early 2023.

Medusa blog onion site

Medusa ransomware uses a manipulative technique, putting victims under pressure by displaying a negotiable ransom amount. A countdown increases the sense of urgency by displaying the time remaining until the data is released. The threat of publicly releasing victim information raises the stakes.

Exposing the Network Access Techniques of the Medusa Ransomware

The Medusa ransomware group mostly uses public-facing sites or applications with known, unpatched vulnerabilities to gain entry and deploy its malware. The group is also actively involved in the theft of valid accounts, often using initial access brokers to obtain access.

In one recent intrusion, the attackers exploited a vulnerability in a Microsoft Exchange Server. They then used a web shell to install and run ConnectWise’s remote monitoring and management (RMM) software.
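The web shell to RMM chain described above leaves a tell-tale trace in process-creation telemetry: the web server worker process spawns a shell or an installer. The following detection is an added example written for this post, not code from Unit 42 or from Phishing Tackle. It assumes a simplified process-creation record (parent image, image, command line) modelled loosely on Sysmon Event ID 1 or Windows event 4688; the worker process name w3wp.exe is the real IIS worker that hosts Exchange, while the sample events and the installer file name are constructed.

```python
"""Flag child processes spawned by an IIS/Exchange worker process.

Added example (not from the article or Unit 42). Event fields are a
simplified stand-in for Sysmon Event ID 1 / Windows 4688 records, and
the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# w3wp.exe is the IIS worker process that hosts Exchange web services.
# A web shell executes inside it, so shells and installers it spawns are suspect.
WEB_WORKERS = {"w3wp.exe"}

# Children a web worker has no routine business starting.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
                       "certutil.exe", "bitsadmin.exe", "rundll32.exe"}

# Hypothetical markers for remote-management tooling; replace with the
# RMM products actually approved (or explicitly banned) in your environment.
RMM_MARKERS = ("screenconnect", "connectwise")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict label for a suspicious event, or None if benign."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    cmd = ev.command_line.lower()
    if parent not in WEB_WORKERS:
        return None
    # RMM installation is checked first: it is the higher-severity finding.
    if any(m in cmd or m in child for m in RMM_MARKERS):
        return "rmm-install-from-web-worker"
    if child in SUSPICIOUS_CHILDREN:
        return "shell-from-web-worker"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    """Run classify() over a batch and keep only the events that fired."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev, verdict))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\temp\ScreenConnect.ClientSetup.msi /quiet"),  # hypothetical file name
    # Interactive user opening a shell: not a web-worker child, ignored.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # ASP.NET dynamic compilation: a common benign child of w3wp.exe.
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
]

if __name__ == "__main__":
    for ev, verdict in detect(SAMPLE_EVENTS):
        print(f"{verdict}: {basename(ev.parent_image)} -> {ev.command_line}")
```

The csc.exe event is included deliberately: w3wp.exe does spawn the C# compiler during normal ASP.NET operation, so a rule that alerts on every child of the worker process will be noisy. Anchoring on a short list of shells and installers, plus a separate check for RMM installers, keeps the rule narrow enough to act on.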

It is also important to highlight the group’s use of living-off-the-land (LotL) techniques. Such approaches blend in with normal activity, making the intrusion difficult to identify. There is also a new technique that uses two kernel drivers to systematically uninstall security programmes from a predetermined list.

After the initial access phase, the attackers carry out discovery and reconnaissance of the compromised network. They then use the ransomware to enumerate and encrypt all files, with the exception of those ending in .exe, .lnk, .dll, and .medusa.
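When scoping an incident, the exclusion list above is useful in two ways: it predicts which files should still be intact, and any file that breaks the pattern deserves a closer look. The following triage helper is an added example written for this post, not code from the article or from Unit 42. It assumes the behaviour described above, namely that the encryptor appends a .medusa extension to each encrypted file and skips files ending in .exe, .lnk, .dll and .medusa; the file list is constructed, and on a real host you would feed it the output of the included walk() helper over the affected volume.

```python
"""Scope a ransomware-hit file tree using the encryptor's own exclusion list.

Added example, not from the article. Assumes the behaviour the article
describes: encrypted files gain a ".medusa" suffix, and files ending in
.exe, .lnk, .dll or .medusa are skipped. SAMPLE_PATHS is constructed.
"""
import os
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SKIPPED = {".exe", ".lnk", ".dll", ".medusa"}  # extensions the encryptor leaves alone
MARKER = ".medusa"                              # suffix appended to encrypted files


def triage(paths: Iterable[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count files as encrypted / skipped-by-design / intact.

    Also return 'anomalies': files carrying the .medusa suffix whose original
    extension is on the skip list. Those contradict the described behaviour and
    may indicate a different variant, manual tampering or a mislabelled file.
    """
    counts: Counter = Counter()
    anomalies: List[str] = []
    for p in paths:
        name = os.path.basename(p).lower()
        if name.endswith(MARKER):
            original = name[: -len(MARKER)]          # strip the appended suffix
            orig_ext = os.path.splitext(original)[1]
            counts["encrypted"] += 1
            if orig_ext in SKIPPED:
                anomalies.append(p)
        elif os.path.splitext(name)[1] in SKIPPED:
            counts["skipped_by_design"] += 1
        else:
            counts["intact"] += 1                     # eligible but not (yet) encrypted
    return dict(counts), anomalies


def encrypted_ratio(counts: Dict[str, int]) -> float:
    """Share of eligible files (not on the skip list) that were encrypted."""
    eligible = counts.get("encrypted", 0) + counts.get("intact", 0)
    return counts.get("encrypted", 0) / eligible if eligible else 0.0


def walk(root: str) -> Iterable[str]:
    """Yield every file path under root; use this on a real affected volume."""
    for d, _, files in os.walk(root):
        for f in files:
            yield os.path.join(d, f)


SAMPLE_PATHS = [  # constructed
    r"D:\share\finance\q3.xlsx.medusa",
    r"D:\share\finance\budget.docx.medusa",
    r"D:\share\tools\putty.exe",
    r"D:\share\tools\shortcut.lnk",
    r"D:\share\tools\helper.dll",
    r"D:\share\hr\notes.txt",
    r"D:\share\tools\odd.exe.medusa",   # breaks the pattern: .exe should be skipped
]

if __name__ == "__main__":
    counts, anomalies = triage(SAMPLE_PATHS)
    print(counts, f"ratio={encrypted_ratio(counts):.2f}")
    print("anomalies:", anomalies)
```

A low encrypted ratio across a share with many intact eligible files usually means the encryptor was interrupted, which is worth correlating with the time of containment actions; the anomaly list is there precisely because the skip list is the one piece of behaviour this post pins down, so files that violate it are the first ones to hand to the forensic analyst.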

According to statistics from its leak site, the Medusa ransomware caused havoc in 74 organisations throughout the world in 2023. The industries most affected include manufacturing, education, and high technology.

The wide range of companies attacked highlights the group’s opportunistic approach and is consistent with the general pattern of ransomware attacks. The Medusa ransomware demonstrates an unusual lack of boundaries by targeting many industries rather than limiting itself to just one.

The Effects of the Medusa Ransomware on Different Industries

The continuing rise of ransomware creates a widespread risk that impacts several industries, including technology, healthcare, and critical infrastructure. The cybercriminals, showing growing confidence, go beyond simply naming the targeted organisations publicly. They now use strategies that include explicit threats of harm to individuals and even set up dedicated channels for public relations.

Unit 42 reports that Medusa manages its publicity with a dedicated media team and runs a public Telegram channel named “information support.” This channel, which started in July 2021, is used to share files from hacked organisations, and those files are accessible via the clearnet.

The recent surge in Medusa ransomware activity highlights how important it is for businesses to have careful and robust security measures. The criminal group poses a serious risk to organisations worldwide with its competent methods, which include the use of sophisticated tools and multiple extortion strategies.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 
