What is Medusa Ransomware?
Emerging in late 2021, Medusa ransomware has quickly established itself as a significant threat in the cybersecurity arena. This highly aggressive malware utilizes a double extortion strategy, paralysing victims by encrypting their data while simultaneously threatening to expose it on the dark web if ransom demands are not fulfilled.
The Red Piranha Team actively collects information on organisations globally affected by ransomware attacks from various sources, including the Dark Web. The Medusa ransomware group is the most active, accounting for 21% of the updated victims spread across various countries.
Although the origins of Medusa remain largely obscure, cybersecurity experts suspect a connection to the cybercriminal group UNC7885. This group has a known track record of deploying ransomware and other sophisticated malware, indicating a high level of expertise behind Medusa's creation and spread.
Medusa ransomware maintains a leak site on the dark web where they threaten to publish stolen data if the ransom is not paid.
Figure 1: Medusa Ransomware Leak Site
Figure 2: Medusa Ransomware Encryption Message
The image above shows the ransom note. Medusa’s ransom notes are notorious for their menacing tone, clearly outlining the double extortion threat by demanding payment to prevent the public release of stolen data.
What are Tactics, Techniques, and Procedures (TTPs) of Medusa Ransomware Group?
Medusa is far from a one-trick pony; it boasts a versatile and dangerous array of tactics, techniques, and procedures (TTPs) to infiltrate and compromise systems. Here is an overview of its malicious toolkit:
Medusa is a sophisticated ransomware with a diverse set of tactics to infiltrate and compromise systems. It often begins with phishing attacks, tricking users into clicking malicious links or downloading infected attachments disguised as legitimate communications.
Medusa also exploits unpatched vulnerabilities in software and operating systems to gain unauthorized access, emphasizing the need for timely security updates. Additionally, it targets weak Remote Desktop Protocol (RDP) configurations and uses brute-force attacks to crack login credentials.
Once inside, Medusa employs lateral movement to spread across networks, potentially compromising critical systems, and utilizes living-off-the-land techniques by exploiting legitimate system tools to evade detection.
Before encrypting files, it often engages in data exfiltration, stealing sensitive information to increase ransom pressure. Finally, the ransomware group uses robust encryption to lock down files, making decryption nearly impossible without the attacker's key, forcing victims to consider paying the ransom.
What is the Kill Chain of Medusa Ransomware Group?
Figure 3: Medusa Ransomware Kill Chain
The sequence of steps by which cybercriminals execute cyberattacks is known as the "cyber kill chain". Figure 3 shows how the Medusa ransomware group carries out its attacks. Indicators of Compromise (IOCs) are forensic data points that signal potential malicious activity within a network or system.
These can include file hashes, IP addresses, domain names, URLs, email addresses, registry keys, file names, and unusual behavioural patterns. The table below lists the Indicators of Compromise (IOCs) of the Medusa ransomware group.
Here is a breakdown of each section:
The Medusa Ransomware group employs a structured and multi-stage approach to execute its attacks, as outlined in the provided kill chain table.
The attack begins with the Execution phase, where the group utilizes the technique of User Execution (T1204.002). This involves tricking users into initiating the ransomware by interacting with a malicious file or link, often through phishing or other social engineering methods.
Once inside the system, Medusa shifts focus to Defence Evasion, employing techniques such as Impair Defences: Disable or Modify Tools (T1562.001), which involves disabling or altering security tools to avoid detection.
Additionally, the group uses Indicator Removal: File Deletion (T1070.004) to erase any evidence of the attack, making it harder for forensic teams to trace their activities.
Following these evasive actions, Medusa proceeds to the Discovery phase with the technique File and Directory Discovery (T1083). During this stage, the ransomware scans the victim's system to identify valuable or sensitive files and directories that could be targeted for encryption or data exfiltration.
The final step in Medusa’s kill chain is the Impact phase, where the technique Data Encrypted for Impact (T1486) is employed. Here, the ransomware encrypts the identified files, rendering them inaccessible to the victim, and subsequently demands a ransom in exchange for the decryption key.
This methodical approach highlights Medusa's use of sophisticated tactics to compromise systems, evade detection, and maximize the impact of their ransomware operations.
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description
File hashes | Hash | Medusa Ransomware
Medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion, medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion | URLs (Onion) | Leak Site
Disability[.]su, Franchessko[.]top, Ircnews[.]wang, Kjnsfiosgjnlorgiko[.]ru, Mhforum[.]biz, Missyiurfound[.]bid, scam-financial[.]org, sgsdgsdger[.]ru, troyamylove[.]gdn, wooow1[.]ru, youframegood[.]ru | URLs | Command-and-Control
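As an added example that is not part of the original article or of Red Piranha's tooling, the following Python snippet refangs the defanged network indicators from the table above and searches log lines for contact with those hosts or any of their subdomains; the proxy/DNS log lines, hosts and timestamps in SAMPLE_LOG are constructed for the demonstration.

```python
import re

# Network indicators copied from the IOC table on this page, defanged as published.
MEDUSA_IOCS = {
    "Medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion": "Leak Site",
    "medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion": "Leak Site",
    "Disability[.]su": "Command-and-Control", "Franchessko[.]top": "Command-and-Control",
    "Ircnews[.]wang": "Command-and-Control", "Kjnsfiosgjnlorgiko[.]ru": "Command-and-Control",
    "Mhforum[.]biz": "Command-and-Control", "Missyiurfound[.]bid": "Command-and-Control",
    "scam-financial[.]org": "Command-and-Control", "sgsdgsdger[.]ru": "Command-and-Control",
    "troyamylove[.]gdn": "Command-and-Control", "wooow1[.]ru": "Command-and-Control",
    "youframegood[.]ru": "Command-and-Control",
}

# Constructed sample log lines (not real telemetry). The last line is a deliberate
# near-miss: mhforum.biz is only a prefix of that hostname, so it must not match.
SAMPLE_LOG = [
    "2024-08-01T10:01:02Z proxy src=10.0.0.12 dst=www.example.com status=200",
    "2024-08-01T10:03:15Z dns   src=10.0.0.12 query=sgsdgsdger.ru type=A",
    "2024-08-01T10:04:40Z proxy src=10.0.0.7  dst=update.wooow1.ru status=403",
    "2024-08-01T10:05:01Z proxy src=10.0.0.9  dst=medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion status=000",
    "2024-08-01T10:06:22Z dns   src=10.0.0.12 query=mhforum.biz.internal.corp type=A",
]

# Dotted hostname tokens in a log line (IP addresses match too but never hit the IOC set).
HOST_RE = re.compile(r"(?<![\w.-])[\w-]+(?:\.[\w-]+)+(?![\w.-])")


def refang(indicator: str) -> str:
    """Reverse the [.] defanging used in the table and normalise case for matching."""
    return indicator.replace("[.]", ".").lower()


def scan_log(lines, iocs=MEDUSA_IOCS):
    """Return (line_number, matched_ioc, description) for every line that contacts
    a listed host exactly or through one of its subdomains."""
    lookup = {refang(ioc): desc for ioc, desc in iocs.items()}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            for ioc, desc in lookup.items():
                if host == ioc or host.endswith("." + ioc):
                    hits.append((lineno, ioc, desc))
    return hits


if __name__ == "__main__":
    for lineno, ioc, desc in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ioc} ({desc})")
```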
How does Red Piranha Detect and Prevent attacks of Medusa Ransomware?
Red Piranha’s Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, is uniquely equipped to prevent and detect attacks from the Medusa ransomware group by addressing each phase of Medusa's kill chain with precision.
Starting with the Execution phase, where Medusa often relies on user interaction through phishing or social engineering, Crystal Eye's integrated email security gateways act as the first line of defence.
These gateways filter out malicious emails, preventing them from ever reaching the user's inbox. Additionally, the platform supports user awareness and training initiatives, which help in reducing the likelihood of users falling victim to these deceptive tactics.
As the attack progresses to the Defence Evasion phase, where Medusa attempts to disable security tools and delete indicators of compromise, Crystal Eye's Endpoint Detection and Response (EDR) capabilities come into play.
EDR continuously monitors endpoints for any signs of tampering, such as attempts to disable or modify security tools. If such activities are detected, the system automatically triggers alerts and responses to stop the attack in its tracks.
Moreover, the platform's File Integrity Monitoring (FIM) can detect unauthorized changes or deletions of critical files, providing an early warning system against Medusa's efforts to cover its tracks.
In the Discovery phase, where Medusa scans the victim's system to identify valuable files for encryption or exfiltration, Crystal Eye’s Threat Hunting Dashboard provides unparalleled visibility.
This feature allows security teams to monitor unusual or unauthorized file and directory access in real time, enabling early detection of reconnaissance activities. Furthermore, Crystal Eye’s Automated Actionable Intelligence (AAI) flags and responds to such activities, identifying them as potential precursors to ransomware attacks and allowing for swift intervention.
Finally, during the Impact phase, where Medusa encrypts the identified files, Crystal Eye’s Advanced Passive Encryption Control becomes crucial. This technology recognizes unusual encryption activity and can automatically isolate affected systems, preventing the ransomware from spreading further across the network.
Additionally, the platform enforces network segmentation, limiting the ransomware's ability to move laterally and cause widespread damage. In cases where encryption is detected, the system can quickly isolate infected devices, minimizing the overall impact.
Crystal Eye's integrated Security Orchestration, Automation, and Response (SOAR) capabilities ensure that the platform is not only reactive but also proactive.
Automated incident response processes allow for rapid action as soon as any part of Medusa's kill chain is detected. This includes automated playbooks that can isolate affected systems, notify security teams, and roll back changes where possible.
Moreover, Crystal Eye's continuous monitoring and real-time threat intelligence feeds ensure that defences are always up-to-date, capable of detecting even the latest variants of Medusa.
Supported by Red Piranha’s 24/7 Managed Detection and Response (MDR) service, the platform offers ongoing monitoring and rapid response, providing a robust defence mechanism that not only prevents ransomware attacks but also minimizes their impact if they do occur.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, lets you catch what other products in its class miss by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside our Endpoint Detection and Response.