In ancient Greek mythology, Medusa stands as one of the most iconic and feared figures. With a head full of venomous snakes in place of hair, she had the power to turn anyone who gazed upon her into stone. This Gorgon, once a beautiful maiden, became synonymous with terror and dread.
Fast forward to 2023, and the name Medusa has resurfaced, not in tales of mythology, but in the realm of cybersecurity. Medusa Ransomware, much like its mythological counterpart, paralyzes its victims, holding their data hostage and turning digital systems into metaphorical stone.
Fig. 1. Medusa Ransomware (MedusaLocker) threat actor card
This article aims to shed light on the intricacies of this ransomware, offering a comprehensive understanding of its attacks, targets, and malicious endeavors.
Who is Medusa Ransomware Group?
Since its first sighting in June 2021, Medusa Ransomware (or MedusaLocker) has been on the radar of cybersecurity experts. Operating under the Ransomware-as-a-Service (RaaS) model, the Medusa Ransomware group collaborates with global affiliates, making its reach and impact even more widespread.
Fig. 2. Medusa Ransomware Illustration generated using Bing Image Create
Medusa Ransomware is not just another name in the long list of ransomware threats; it is a multifaceted menace, much like the many serpentine tendrils of Medusa’s hair. Each encrypted file, bearing a variety of extensions, reminds us of the numerous snakes that crowned the Gorgon’s head. The most prominent among these is the unmistakable “.MEDUSA” extension, a signature mark of this ransomware’s venomous touch.
Some of the encrypted file extensions of Medusa Ransomware are:
|
.1btc |
.mylock |
.key1 |
|
.matlock20 |
.jpz.nz |
.fileslocked |
|
.marlock02 |
.marlock11 |
.datalock |
|
.readinstructions |
.cn |
.NZ |
|
.bec |
.NET1 |
.lock |
The reason why there are so many file extensions is probably because there are many more variants of Medusa Ransomware, or MedusaLocker, than other ransomware:
Fig. 3. Variants of Medusa Ransomware over the years (Source: Rakesh Krishnan)
How does Medusa Ransomware Group attack?
Understanding Medusa’s attack strategy is crucial to devising countermeasures. The ransomware predominantly gains access to systems through vulnerable Remote Desktop Protocols (RDP) and deceptive phishing campaigns. Once it breaches a system, Medusa employs PowerShell for command execution, systematically erasing shadow copy backups to prevent data restoration. It does not stop there; the ransomware escalates its system privileges, deactivates defense mechanisms, and spreads its tentacles across the network. The culmination of its attack is the encryption of data and the presentation of a ransom note demanding payment in exchange for decryption.
Medusa Ransomware is observed using a few exploits from 2022:
Fig. 4. CVE’s used by Medusa Ransomware (Source: SOCRadar)
To give an example, Medusa Ransomware exploited the “Type Confusion in V8 in Google Chrome” vulnerability, known as CVE-2022-2295 to launch its malicious attacks, which has high severity.
Fig. 5. CVE-2022-2295’s information card in SOCRadar XTI’s Vulnerability Intelligence page under the CTI module (Source: SOCRadar)
There are multiple variants of Medusa, and the main difference between these variants is the ransom note.
Fig. 6. One of the ransom notes of Medusa Ransomware (Source: ThreatLabz)
While some ransom notes are in TXT format, others can be found in HTML files, it can be said that we have observed that the most current variants have HTML files.
Fig. 7. Ransom note of Medusa Ransomware which is in HTML format
Looking at the various variants of Medusa, we observed that they have the same process trees:
Fig. 8. Process trees of two different Medusa Ransomware Variants (Source: any.run)
Fig. 9. To access IoCs about Medusa ransomware, also known as MedusaLocker, you can visit the Threat Actor/Malware page under the SOCRadar CTI module (Source: SOCRadar)
A Quick Look into Medusa Blog
Medusa Ransomware group shares their victim announcements via Medusa Blog. The header of the page shows Telegram and Twitter links in addition to their logos.
Fig. 10. Main page of Medusa Blog
Some variants have contact information in their Ransom note, which includes an email called “information support”, as well as a Telegram channel with the same name, through which they share the leaked data of their victims:
Fig. 11. Medusa Ransomware’s Telegram Channel info and latest message contains Leaked Files
When clicking on the victim announcement, the victim’s announcement page opens. At the top of the page there is a countdown timer if the data has not been leaked, otherwise it says “PUBLISHED”.
Fig. 12. Information page of Ace Micromatic Group, one of Medusa Ransomware’s victim, in Medusa Blog
The rest of the page contains screenshots of the data Medusa added as evidence and an interactive file explorer.
Fig. 13. One of Medusa’s sample data and interactive file explorer panel of victim data
What are the targets of Medusa Ransomware?
Countries
Considering the countries where the companies attacked by Medusa are located, we infer that the majority of the attacks are in North and South America and Europe.
Fig. 14. Countries affected by Medusa Ransomware (Source: SOCRadar)
Among the countries where the companies targeted by Medusa are located, the majority is the United States, followed by the United Kingdom, which is targeted more than any other country.
Fig. 15. Distribution of Countries affected by Medusa Ransomware (Source: SOCRadar)
Industries
Fig. 16. Distribution of Industries affected by Medusa Ransomware (Source: SOCRadar)
It should also be known that Medusa’s targets are not random; they are carefully chosen for maximum impact. One of its most audacious attacks was against the Minneapolis school district in March 2023. The ransomware group demanded a staggering $1 million, and when the district refused, they retaliated by releasing the stolen data on their TOR site. This incident is a testament to Medusa’s strategy of targeting corporate entities and institutions, ensuring that its attacks create ripples in the global community.
What are the recent activities of Medusa Ransomware?
According to observations, it is possible to say that the Medusa Ransomware group has recently targeted organizations operating in the sector that we can define as Public Administration in Europe.
The International Civil Defense Organization:
Fig. 17. ICDO’s victim announcement card
Sartrouville France:
Fig. 18. Sartrouville France victim announcement card
With the Dark Web News page in SOCRadar’s CTI Module, you can access the latest news about the Medusa Ransomware.
Fig. 19. Dark Web News page of Medusa Ransomware (Source:SOCRadar)
Conclusion
The rise of Medusa Ransomware underscores the evolving nature of cyber threats. Its sophisticated attack vectors, combined with a collaborative RaaS model, make it a significant concern for organizations. As it continues to target and compromise corporate entities, the need for robust cybersecurity measures has never been more paramount.
Security Recommendations against Medusa Ransomware
- Robust Authentication: Implementing strong, unique passwords and multi-factor authentication can act as the first line of defense.
- Regular Audits: Periodically review user accounts, deactivating unused ones, and ensuring that access controls are stringent.
- Software Vigilance: Keeping all software updated can shield against vulnerabilities that ransomware often exploits.
- Data Backups: Regular backups, especially offline ones, can be a lifesaver, ensuring data availability even after an attack.
- Proactive Cybersecurity: Whether it’s an in-house IT team or an outsourced cybersecurity service, continuous monitoring and vulnerability assessments are crucial.
- Emergency Response Blueprint: A well-documented plan detailing the steps post a ransomware attack can expedite recovery and minimize damage.
- Continuous Education: Keeping employees informed about the latest ransomware threats and safe online practices can prevent inadvertent breaches.
MITRE ATT&CK TTPs of Medusa Ransomware
|
Technique |
ID |
|
Initial Access |
|
|
Valid Accounts |
|
|
Phishing |
|
|
External Remote Services |
|
|
Execution |
|
|
Command and Scripting Interpreter: PowerShell |
|
|
Windows Management Instrumentation |
|
|
Persistence |
|
|
Boot or Logon Autostart Execution |
|
|
Privilege Escalation |
|
|
Abuse Elevation Control Mechanism: Bypass User Account Control |
|
|
Defense Evasion |
|
|
Impair Defenses: Disable or Modify Tools |
|
|
Impair Defenses: Safe Mode Boot |
|
|
Credential Access |
|
|
Brute Force |
|
|
Discovery |
|
|
File and Directory Discovery |
|
|
Network Share Discovery |
|
|
Query Registry |
|
|
Lateral Movement |
|
|
Remote Services |
|
|
Command and Control |
|
|
Ingress Tool Transfer |
|
|
Application Layer Protocol: Web Protocols |
|
|
Exfiltration |
|
|
Exfiltration Over Alternative Protocol |
|
|
Impact |
|
|
Service Stop |
Appendix
IoCs of Medusa Ransomware
|
Ransom Note Name |
how_to_recover_data.html |
|
Ransom Note Name |
instructions.html |
|
Ransom Note Name |
READINSTRUCTION.html |
|
Ransom Note Name |
!!!HOW_TO_DECRYPT!!! |
|
Ransom Note Name |
How_to_recovery.txt |
|
Ransom Note Name |
readinstructions.html |
|
Ransom Note Name |
readme_to_recover_files |
|
Ransom Note Name |
recovery_instructions.html |
|
Ransom Note Name |
HOW_TO_RECOVER_DATA.html |
|
Ransom Note Name |
recovery_instruction.html |
|
Payment Wallet |
14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc |
|
Payment Wallet |
1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq |
|
Payment Wallet |
18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42 |
|
Payment Wallet |
1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5 |
|
E-Mail Address |
unlockmeplease@protonmail[.]com |
|
E-Mail Address |
support@exorints[.]com |
|
E-Mail Address |
rpd@keemail[.]me |
|
E-Mail Address |
lockPerfection@gmail[.]com |
|
E-Mail Address |
ithelp01@wholeness[.]business |
|
E-Mail Address |
777decoder777@protonmail[.]com |
|
E-Mail Address |
dec_helper@excic[.]com |
|
E-Mail Address |
dec_restore@prontonmail[.]com |
|
E-Mail Address |
bitcoin@sitesoutheat[.]com |
|
E-Mail Address |
best666decoder@tutanota[.]com |
|
E-Mail Address |
best666decoder@protonmail[.]com |
|
E-Mail Address |
encrypt2020@outlook[.]com |
|
E-Mail Address |
decoder83540@cock[.]li |
|
E-Mail Address |
gsupp@onionmail[.]org |
|
E-Mail Address |
encrypt2020@cock[.]li |
|
E-Mail Address |
best666decoder@protonmail[.]com |
|
E-Mail Address |
helper@atacdi[.]com |
|
E-Mail Address |
ithelp@decorous[.]cyou |
|
E-Mail Address |
helptorestore@outlook[.]com |
The post Medusa Ransomware (MedusaLocker) appeared first on SOCRadar® Cyber Intelligence Inc..
Article Link: Medusa Ransomware (MedusaLocker)