| Medusa | |
| --- | --- |
| Type of Malware | Ransomware |
| Targeted Countries | Philippines |
| Date of initial activity | 2021 |
| Motivation | Financial Gain |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
| Type of information Stolen | System Information |
Overview
Medusa ransomware, which first surfaced in June 2021, has quickly emerged as a significant threat in the cybersecurity landscape. Despite the similar name, it is distinct from MedusaLocker. Medusa operates under a Ransomware-as-a-Service (RaaS) model, leveraging a global network of affiliates to expand its reach and impact. Its rapid evolution and increasingly sophisticated attack strategies have made it a prominent player in cybercrime, targeting a diverse range of industries with growing frequency.
Medusa is notable for its multi-faceted approach and aggressive encryption. Encrypted files carry the ".medusa" extension, a hallmark of the operation. Its tactics include brute-forcing or abusing weak credentials on exposed Remote Desktop Protocol (RDP) services and phishing to gain initial access. Once inside, it uses PowerShell scripts for command execution and deletes Volume Shadow Copies to obstruct data recovery.
The Medusa group operates a Tor-based leak site where it posts ransom demands and evidence of stolen data. The site is used both to negotiate with victims and to publicize stolen information. Medusa's primary targets are organizations across North and South America and Europe, with particular emphasis on high-value targets in the United States and the United Kingdom.
Targets
Information
Finance and Insurance
Educational Services
How they operate
Initial Access and Exploitation
Medusa ransomware primarily infiltrates systems by exploiting known vulnerabilities in public-facing applications. One common vector is exposed Remote Desktop Protocol (RDP), which is attacked through brute force or with weak or previously compromised credentials. Medusa may also exploit unpatched vulnerabilities in web servers or email systems to gain initial access. In some cases, the operators use legitimate accounts that were hijacked or purchased, giving them unauthorized access to the victim's network without an exploit at all.
Execution and Persistence
Once inside the network, Medusa ransomware employs various methods to execute its payload and establish persistence. The ransomware uses PowerShell scripts to execute commands and perform malicious actions across compromised systems. To remain active after initial execution, Medusa creates or modifies system processes, typically by registering scheduled tasks or services that relaunch the ransomware if it is interrupted or removed.
Privilege Escalation and Defense Evasion
Medusa's operators use several techniques to escalate privileges and gain higher levels of access within the compromised network, including exploiting system vulnerabilities and using stolen credentials to obtain administrative rights. To evade detection, the ransomware uses obfuscated code and packed executables with deceptive headers so that static scanning does not trigger alerts. It also deletes or manipulates Windows event logs and other indicators to hide its presence and actions from security monitoring.
Lateral Movement and Data Collection
After establishing a foothold, Medusa ransomware spreads laterally across the network to maximize its impact. This is achieved through remote services and exploiting existing network connections. The ransomware employs network scanning tools to discover additional systems and gather information about the network topology. During this phase, Medusa collects valuable data from compromised systems, including sensitive or proprietary information that is targeted for exfiltration.
Encryption and Ransom Demands
The core of Medusa's attack is its encryption mechanism. The ransomware uses a hybrid scheme: files are encrypted with AES-256, and the AES keys are in turn protected with RSA, so the files cannot be recovered without the operators' RSA private key. Encrypted files are renamed with the distinctive ".medusa" extension, marking them as inaccessible. Medusa's operators demand a ransom for the decryption key and threaten to publish or sell the stolen data if the ransom is not paid. This double extortion tactic increases pressure on victims to comply.
Exfiltration and Communication
Medusa intrusions also involve a significant exfiltration component. Stolen data is transmitted to the attackers' command and control servers, often over encrypted channels to avoid detection. The group's Tor site serves as the platform for ransom negotiations, where victims are given instructions on how to contact the attackers and pay. The site typically includes evidence of stolen data to demonstrate the seriousness of the threat and incentivize payment.
Understanding these operational mechanics is crucial for developing effective defenses against Medusa ransomware. Organizations should focus on securing their networks, applying patches, monitoring for unusual activity, and maintaining robust backup strategies to mitigate the risk of such attacks. By staying informed and prepared, businesses can better protect themselves from the evolving threat of ransomware.
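The operational chain above maps to a handful of host-level signals that a SOC can correlate. The following Python is an added example, not code from the page or from any vendor product: it runs a small set of detections over constructed Windows event records (Security log IDs 4625/4624/4688/1102 and Sysmon ID 11, all made up for this illustration) for the stages described: an RDP brute-force burst followed by a successful logon from the same source, PowerShell launched with an encoded command (decoded so that later rules can see the script), shadow copy deletion, Security log clearing, and mass creation of ".medusa" files. The thresholds, the event field names and the host names are assumptions.

```python
"""Host-level triage of Windows event records for Medusa-style ransomware
tradecraft: RDP brute force, encoded PowerShell, shadow copy deletion,
log clearing and mass ".medusa" file creation.
Added example; thresholds and field names are assumptions, not a vendor schema."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
BRUTE_FORCE_THRESHOLD = 10   # failed RDP logons from one IP before a later success is suspicious
MASS_FILE_THRESHOLD = 50     # ".medusa" files created on one host before we alert

# PowerShell -EncodedCommand and its short forms, followed by the base64 payload.
ENC_ARG = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Common shadow copy deletion idioms: vssadmin, wmic and the WMI class via PowerShell.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\.delete\(",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return ""


def triage(events: Iterable[dict]) -> List[Finding]:
    """Single pass over events in arrival order; state is kept per host/source."""
    findings: List[Finding] = []
    failed_rdp: Dict[tuple, int] = defaultdict(int)   # (host, src_ip) -> failed RDP logons
    medusa_files: Dict[str, int] = defaultdict(int)   # host -> .medusa files created

    for ev in events:
        host, eid = ev["host"], ev["id"]

        # T1110 then T1078: many failed RDP logons from one IP, then a success from that IP.
        if eid == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            failed_rdp[(host, ev["src_ip"])] += 1
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            key = (host, ev["src_ip"])
            if failed_rdp[key] >= BRUTE_FORCE_THRESHOLD:
                findings.append(Finding(host, "rdp_bruteforce",
                                        f"{failed_rdp[key]} failures then success from {ev['src_ip']} as {ev['user']}"))

        # T1059.001: process creation; decode encoded PowerShell so the content rules see the script.
        elif eid == 4688:
            cmdline = ev.get("cmdline", "")
            decoded = ""
            if ev.get("image", "").lower().endswith("powershell.exe"):
                decoded = decode_encoded_command(cmdline)
                if decoded:
                    findings.append(Finding(host, "encoded_powershell", decoded.strip()))
            # T1490: shadow copy deletion in the raw command line or inside the decoded script.
            if SHADOW_DELETE.search(cmdline) or SHADOW_DELETE.search(decoded):
                findings.append(Finding(host, "shadow_copy_deletion", (decoded or cmdline).strip()))

        # T1070.001: Security event log cleared (Event ID 1102).
        elif eid == 1102:
            findings.append(Finding(host, "log_cleared", f"Security log cleared by {ev.get('user', '?')}"))

        # T1486: Sysmon Event ID 11 (FileCreate) for files carrying the .medusa extension.
        elif eid == 11 and ev.get("target", "").lower().endswith(".medusa"):
            medusa_files[host] += 1
            if medusa_files[host] == MASS_FILE_THRESHOLD:
                findings.append(Finding(host, "mass_medusa_files", f"{MASS_FILE_THRESHOLD}+ .medusa files created"))

    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Unique techniques per host, sorted, for a quick triage view."""
    per_host: Dict[str, set] = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return {h: sorted(t) for h, t in per_host.items()}


def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry in arrival order (not real logs).
SAMPLE_EVENTS = [
    *({"host": "RDP01", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"} for _ in range(12)),
    {"host": "RDP01", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"host": "RDP01", "id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }")},
    {"host": "RDP01", "id": 4688, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "RDP01", "id": 1102, "user": "administrator"},
    *({"host": "FS01", "id": 11, "target": rf"\\FS01\share\report{i}.xlsx.medusa"} for i in range(60)),
    {"host": "FS01", "id": 4688, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign noise
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.technique:22} {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Two design points worth keeping when porting this to a SIEM: the brute-force rule only fires on failure-then-success from the same source, which is the case worth paging on rather than the failures alone, and the shadow copy rule is applied to the decoded PowerShell as well as the raw command line, since an encoded script is exactly how the deletion is hidden from naive command-line matching.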
MITRE Tactics and Techniques
Initial Access
T1190: Exploit Public-Facing Application – Medusa often gains initial access through exposed RDP services or by exploiting vulnerabilities in unpatched web servers and other internet-facing applications.
T1078: Valid Accounts – The ransomware may use stolen or compromised credentials to gain access to systems.
Execution
T1059: Command and Scripting Interpreter – Medusa uses PowerShell scripts (T1059.001) to execute commands and perform malicious actions on compromised systems.
Persistence
T1543: Create or Modify System Process – The ransomware may create or modify system processes to ensure it remains active on the infected system.
Privilege Escalation
T1068: Exploitation for Privilege Escalation – Medusa can exploit system vulnerabilities to escalate privileges and gain higher levels of access.
Defense Evasion
T1027: Obfuscated Files or Information – Uses obfuscated code and packed executables with fake headers (T1027.002, Software Packing) to avoid detection.
T1070: Indicator Removal – Deletes or manipulates logs to hide its activities from security monitoring.
T1564: Hide Artifacts – May use techniques to hide its presence and activities from security tools.
Credential Access
T1003: OS Credential Dumping – May extract credentials from compromised systems to facilitate further attacks or lateral movement.
Discovery
T1018: Remote System Discovery – Utilizes network scanning tools to identify and map out systems within the network.
Lateral Movement
T1021: Remote Services – Moves laterally across the network using compromised credentials or exploited vulnerabilities.
Collection
T1119: Automated Collection – Collects data from infected systems, including sensitive information targeted for exfiltration.
Exfiltration
T1041: Exfiltration Over C2 Channel – Transmits stolen data to the attacker's command and control servers, often using encrypted channels.
Impact
T1486: Data Encrypted for Impact – Encrypts files on the victim's system and demands a ransom for decryption.
T1490: Inhibit System Recovery – Deletes Volume Shadow Copies to obstruct recovery without payment.