In 2023, the Medusa ransomware campaign started gaining momentum, targeting worldwide businesses with million-dollar ransom demands. The Medusa operation began in June 2021, but there were not many victims or much activity. However, the ransomware gang ramped up its operations in 2023 and created a “Medusa Blog” to release data for victims who declined to pay a ransom.
This week, Medusa attracted public attention when they took credit for an attack on the Minneapolis Public Schools (MPS) system and posted a video of the data stolen. Numerous malware families follow the moniker “Medusa,” including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities. Many people mistakenly believe that this ransomware family is the same as MedusaLocker because of the widely used term, leading to erroneous reporting about it. The Medusa and MedusaLocker ransomware attacks, however, are entirely distinct.
With several affiliates, a ransom message generally called How_to_back_files.html, and a wide range of file extensions for encrypted files, the MedusaLocker organization began operating as a ransomware-as-a-service in 2019. The MedusaLocker operation conducts negotiations over the Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion. However, the .MEDUSA file extension and !!!READ_ME_MEDUSA!!!.txt ransom letters were used by the Medusa ransomware operation from its launch in June 2021. For ransom discussions, the Medusa operation also uses a Tor website; however, theirs is accessible at medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.
It is unknown at this moment whether Medusa has a Linux version; the media has only been able to examine the Windows version. The threat actor can customize how files will be encrypted on the device using command-line arguments that the Windows encryptor will accept. For instance, the ransomware will display a terminal and status messages as it encrypts a device if the -v command line parameter is used. The Medusa ransomware terminates over 280 Windows services and processes for applications that may stop files from being encrypted regularly without command line parameters. Windows services for database servers, backup servers, and security applications are among them. Then, to impede file recovery, the ransomware will erase Windows Shadow Volume Copies.
deletes shadow volume copies
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded
Michael Gillespie, a ransomware specialist, also examined the encryptor and discovered that it encrypts files using AES-256 + RSA-2048 encryption with the BCrypt library. Gillespie said that MedusaLocker uses a different encryption technique than Medusa, which he further validated. The ransomware will add the .MEDUSA extension to encrypt file names while encrypting files. For instance, 1.doc would become 1.doc.MEDUSA after being encrypted.
The ransomware in each folder will create a ransom letter with the filename !!!READ_ME_MEDUSA!!!.txt that describes what happened to the victim’s data. A Telegram channel, a Tox ID, a Tor data leak site, a Tor negotiation site, and the email address firstname.lastname@example.org are all included in the ransom note’s additional contact details. http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion is the negotiating site for Tor. The Medusa ransomware will perform the following command to remove locally stored data linked to backup applications like Windows Backup as an extra precaution against the restoration of files from backups. The virtual disk hard drives (VHD) that virtual machines employ will likewise be deleted by this operation.
del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBackup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
Each victim has a unique ID that may be used to contact the ransomware group on the “Secure Chat” Tor negotiating site. Like most ransomware operations that target businesses, Medusa features a website called “Medusa Blog” that leaks data. The usage of this website is a part of the gang’s double-extortion scheme, in which victims who decline to pay a ransom are given access to their data. A victim’s data is not instantly made public when they are joined to the data breach. Alternatively, the threat actors offer the victims payment choices to delay the data release, erase the data, or download the entire data set. The cost of each of these choices varies.
These three options put the victim under further stress and coerce them into paying a ransom. Unfortunately, victims cannot retrieve their files for free due to known flaws in the Medusa Ransomware encryption.