

Severity
High
Analysis Summary
The operators of Medusa ransomware have increased their activity since launching their own data leak website on the dark web in February 2023, where they post sensitive data stolen from victims who do not meet their demands and refuse to pay the ransom. About 74 organizations are estimated to have been hit by this ransomware in 2023, mostly in the U.K., the U.S., Italy, France, India, and Spain.
Cybersecurity researchers said that the group has moved to a multi-extortion strategy and offers victims several options, such as a deadline extension, data deletion, or downloading all of the data, after the stolen information is posted on the leak website. Each option carries a price tag that depends on the kind of organization impacted by the ransomware.
Medusa ransomware emerged in late 2022 before it ramped up its activities in 2023. It is infamous for its opportunistic targeting of a wide range of sectors including education, technology, manufacturing, retail, and healthcare. The attacks carried out by the group start with the exploitation of internet-facing applications or assets that are not patched for publicly known vulnerabilities and the hijacking of legitimate accounts. The gang often works with initial access brokers to gain a foothold on the targeted networks.
One notable aspect of Medusa infections is the reliance on living-off-the-land (LotL) techniques, which help the activity blend in with legitimate activity on the system. Another observation is the use of a pair of kernel drivers that terminate a hard-coded list of security products. After initial access is achieved, the actors perform reconnaissance of the compromised network and ultimately execute the ransomware, which enumerates and encrypts files while skipping those with .dll, .exe, .lnk, and .medusa extensions.
Medusa’s leak website shows information about each victim organization, the demanded ransom, the number of views on a listing, and the amount of time left before the stolen data is released to the public, all to put pressure on the victims. The operators also offer the victim several choices, every one of which involves paying to delete or download the compromised data or to extend the deadline.

Medusa not only has a media team handling its branding and marketing efforts but also runs a public Telegram channel named “Information Support”, set up in July 2021, on which files from compromised victims are shared and can be accessed from the clearnet. Ransomware remains a major threat in the cyber landscape, targeting every type of organization and individual. The threat actors are rapidly evolving their tactics, publicly naming and shaming organizations and going as far as threatening physical violence.
Impact
- File Encryption
- Data Exfiltration
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
MD5
- 84b88ac81e4872ff3bf15c72f431d101
- 8cd11f34d817a99e4972641caf07951e
- e4b7fdabef67a0550877e6439beb093d
- a57f84e3848ab36fd59c94d32284a41e
- 47386ee20a6a94830ee4fa38b419a6f7
SHA-256
- 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
- 657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980
- 7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95
- 9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669
- 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270
SHA-1
- 0823d067541de16325e5454a91b57262365a0705
- db5e29c0729486ba3833426093652451c5fca9b5
- 042ce9ab1afe035e0924753f076fcb20de0d1a1d
- 4d5992de4601c4306885c71b0ba197184bb69221
- ee4575cf9818636781677d63236d3dc65652deab
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable two-factor authentication.
- Implement network segmentation and keep offline backups of data to guarantee minimal downtime for the organization.
- Install updates for operating systems, applications, and firmware as soon as possible.
- Check Active Directory, servers, workstations, and domain controllers for new or unfamiliar accounts.
- To create secure remote connections, consider installing and using a virtual private network (VPN).
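As an added example (not part of the advisory), the following Python script shows one way to act on the IOC-search and hash-blocking remediation steps: it hashes every file under a directory once with MD5, SHA-1 and SHA-256, matches the digests against the hashes listed above, and separately flags files carrying the .medusa extension that the advisory associates with encrypted files. The sample directory, its file names and the extra hash added to the IOC set in run_demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes published in the advisory above (MD5, SHA-1, SHA-256), lower-case hex.
MEDUSA_IOC_HASHES = {
    "84b88ac81e4872ff3bf15c72f431d101", "8cd11f34d817a99e4972641caf07951e", "e4b7fdabef67a0550877e6439beb093d",
    "a57f84e3848ab36fd59c94d32284a41e", "47386ee20a6a94830ee4fa38b419a6f7",
    "0823d067541de16325e5454a91b57262365a0705", "db5e29c0729486ba3833426093652451c5fca9b5",
    "042ce9ab1afe035e0924753f076fcb20de0d1a1d", "4d5992de4601c4306885c71b0ba197184bb69221",
    "ee4575cf9818636781677d63236d3dc65652deab",
    "4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6",
    "657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980",
    "7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95",
    "9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669",
    "736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270",
}


def hash_file(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a file, read once in 1 MiB chunks."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}


def sweep(root, iocs=MEDUSA_IOC_HASHES):
    """Walk root; return (files whose hash is in iocs, files carrying the .medusa extension)."""
    hash_hits, encrypted = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        if path.suffix.lower() == ".medusa":  # extension the advisory reports on encrypted files
            encrypted.append(path.name)
        try:
            if hash_file(path) & iocs:
                hash_hits.append(path.name)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
    return hash_hits, encrypted


def run_demo():
    """Constructed sample tree (no real malware): one hash-matched file and one encrypted-looking file."""
    root = Path(tempfile.mkdtemp())
    sample = root / "dropper.bin"
    sample.write_bytes(b"constructed sample content, not a real Medusa binary")
    (root / "report.docx.medusa").write_bytes(b"constructed ciphertext")
    # Constructed IOC set: the advisory's hashes plus this sample file's own SHA-256.
    iocs = MEDUSA_IOC_HASHES | {hashlib.sha256(sample.read_bytes()).hexdigest()}
    return sweep(root, iocs)
```

Point sweep() at a share or endpoint image to get both lists; in production, feed the hits to your EDR or SIEM rather than printing them.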