Medusa Ransomware: A new threat to businesses

Medusa is a ransomware-as-a-service (RaaS) platform that emerged in 2023 and is quickly becoming a serious threat to organizations worldwide. Here are the key points about Medusa that you need to know:
How Medusa Works
Medusa operates as a RaaS platform, providing the malware and supporting infrastructure to affiliates who carry out disruptive ransomware attacks.
This group primarily targets organizations using Windows, exploiting vulnerable and unpatched systems.
Medusa's operators often do not infiltrate victim networks themselves. Instead, they purchase access from initial access brokers (IABs).
"Living off the land" techniques are used to avoid detection: the attackers leverage legitimate tools and resources already present in the victim's network to carry out their operations.
Attack Method
Medusa often uses phishing campaigns and targeted emails with malicious attachments to distribute malware.
They have also been observed using initial access brokers to gain access to target networks.
Medusa abuses legitimate remote monitoring and management software, such as ConnectWise and PDQ Deploy, to evade detection by security teams.
Impact of the Attack
Sensitive data is stolen, and files are encrypted with the extension .MEDUSA or .mylock appended to their names.
Medusa attempts to make recovery after the attack more difficult by deleting Windows data backups and removing files related to backup programs.
Virtual hard disks (VHDs) used by virtual machines are also deleted.
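As an added example, not part of the original write-up: a small Python detector that runs over constructed file-activity log lines (the log format and host names are assumptions) and flags the two behaviours described above, a burst of renames to the .MEDUSA or .mylock extension on one host and the deletion of a virtual hard disk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the write-up reports Medusa appending to encrypted files, and VHD extensions.
ENCRYPTED_EXTS = (".medusa", ".mylock")
VHD_EXTS = (".vhd", ".vhdx")

# Hypothetical file-activity log format, assumed for this example:
# <ISO timestamp> host=<name> op=<RENAME|DELETE> path=<old> [new=<new>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>RENAME|DELETE) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed sample: a rename burst on a file server, a VHD deletion, one benign rename.
SAMPLE_LOG = r"""
2024-05-02T03:14:01Z host=FS01 op=RENAME path=D:\Shares\a.docx new=D:\Shares\a.docx.MEDUSA
2024-05-02T03:14:02Z host=FS01 op=RENAME path=D:\Shares\b.xlsx new=D:\Shares\b.xlsx.MEDUSA
2024-05-02T03:14:03Z host=FS01 op=RENAME path=D:\Shares\c.pptx new=D:\Shares\c.pptx.mylock
2024-05-02T03:14:05Z host=FS01 op=RENAME path=D:\Shares\d.txt new=D:\Shares\d.txt.MEDUSA
2024-05-02T03:14:09Z host=HV01 op=DELETE path=E:\VMs\dc01.vhdx
2024-05-02T03:20:00Z host=WS07 op=RENAME path=C:\Users\j\notes.txt new=C:\Users\j\notes.old
"""

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped by the detector
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines, window=timedelta(seconds=60), threshold=4):
    """Return (rule, host, timestamp) alerts: `threshold` renames to a Medusa
    extension on one host inside `window`, and any deletion of a VHD file."""
    recent = defaultdict(list)  # host -> timestamps of renames to .MEDUSA/.mylock
    alerts = []
    for ev in filter(None, map(parse, lines)):
        new_path = (ev["new"] or "").lower()
        if ev["op"] == "RENAME" and new_path.endswith(ENCRYPTED_EXTS):
            # slide the window: drop renames older than `window` before counting
            recent[ev["host"]] = [t for t in recent[ev["host"]] if ev["ts"] - t <= window]
            recent[ev["host"]].append(ev["ts"])
            if len(recent[ev["host"]]) == threshold:  # fire once per burst
                alerts.append(("mass_rename", ev["host"], ev["ts"]))
        elif ev["op"] == "DELETE" and ev["path"].lower().endswith(VHD_EXTS):
            alerts.append(("vhd_deleted", ev["host"], ev["ts"]))
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` yields one mass_rename alert for FS01 and one vhd_deleted alert for HV01; the benign rename on WS07 produces nothing.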
Medusa's Targets
Medusa targets various sectors, including healthcare, education, manufacturing, and retail.
Most of Medusa's victims seem to be in the United States, followed by the United Kingdom, Canada, Australia, France, and Italy.
Notably, organizations based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan do not appear on the victim list, suggesting that this absence might be intentional.
Online Activities of Medusa

Medusa maintains a "name-and-shame" blog accessible through Tor, where they publish details about affected organizations and provide summaries of stolen or leaked data.
The group also maintains an unusual online presence on both the dark web and clear web, including the website osintcorp.net and accounts on X and Telegram.
How to Protect Your Organization from Medusa
To protect your organization from Medusa malware and other ransomware types, you should take the following measures:
Create secure off-site backups.
Use up-to-date security solutions and ensure computers are protected with the latest patches.
Use strong, unique passwords to protect sensitive data and accounts, and enable multi-factor authentication.
Encrypt sensitive data whenever possible.
Reduce the attack surface by disabling functions that the company does not need.
Educate and inform employees about the risks and methods cybercriminals use to launch attacks and steal data.