Medusa Ransomware Group Gains Momentum as it Attacks Worldwide Businesses

In 2023, the Medusa ransomware campaign started gaining momentum, targeting worldwide businesses with million-dollar ransom demands. The Medusa operation began in June 2021, but there were not many victims or much activity. However, the ransomware gang ramped up its operations in 2023 and created a “Medusa Blog” to release data for victims who declined to pay a ransom.

This week, Medusa attracted public attention when it took credit for an attack on the Minneapolis Public Schools (MPS) system and posted a video of the stolen data. Numerous malware families use the name “Medusa,” including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities. Because the name is shared, this ransomware family is often mistaken for MedusaLocker, which has led to erroneous reporting about it. The Medusa and MedusaLocker ransomware operations are, however, entirely distinct.

The MedusaLocker operation began operating as a ransomware-as-a-service in 2019 with several affiliates, a ransom note generally named How_to_back_files.html, and a wide range of file extensions for encrypted files. MedusaLocker conducts negotiations over the Tor site at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion. The Medusa ransomware operation, by contrast, has used the .MEDUSA file extension and !!!READ_ME_MEDUSA!!!.txt ransom notes since its launch in June 2021. Medusa also uses a Tor site for ransom negotiations, but theirs is reachable at medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.

It is unknown at this time whether Medusa has a Linux version; researchers have only been able to examine the Windows version. The Windows encryptor accepts command-line arguments that let the threat actor customize how files on the device will be encrypted. For instance, if the -v command-line parameter is used, the ransomware displays a terminal window with status messages as it encrypts the device. When run without command-line parameters, Medusa terminates over 280 Windows services and processes belonging to applications that could prevent files from being encrypted, among them services for database servers, backup servers, and security applications. Then, to impede file recovery, the ransomware erases Windows Shadow Volume Copies.

Commands used to delete shadow volume copies:

vssadmin Delete Shadows /all /quiet

vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded

Michael Gillespie, a ransomware specialist, also examined the encryptor and found that it encrypts files using AES-256 + RSA-2048 via the BCrypt library. Gillespie confirmed that MedusaLocker uses a different encryption technique, further validating that the two operations are distinct. While encrypting files, the ransomware appends the .MEDUSA extension to the names of encrypted files. For instance, 1.doc would become 1.doc.MEDUSA after being encrypted.

In each folder, the ransomware creates a ransom note named !!!READ_ME_MEDUSA!!!.txt that describes what happened to the victim’s data. The ransom note also lists contact details: a Telegram channel, a Tox ID, a Tor data leak site, a Tor negotiation site, and an email address. The Tor negotiation site is http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion. As an extra measure against restoring files from backups, the Medusa ransomware runs the following command to remove locally stored data belonging to backup applications such as Windows Backup. The same command also deletes the virtual hard disk (VHD) files used by virtual machines.

del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBackup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
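As an added defensive example (not code from the article or from the ransomware), the following Python routine runs the recovery-inhibition behaviours described above (vssadmin shadow copy deletion, shadow storage resizing, and the del sweep over backup and VHD files) as detection rules over constructed process-creation log events; the event fields and host names are assumptions.

```python
import re

# Constructed sample process-creation events, shaped like what a Sysmon Event ID 1
# or Windows 4688 forwarder might emit; these are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin Delete Shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c del /s /f /q C:\*.VHD C:\*.bak C:\Backup*.* C:\*.wbcat"},
    {"host": "srv02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},                      # benign admin activity
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c del /q C:\Temp\report.tmp"},          # ordinary cleanup
]

# Behaviours from the article, expressed as case-insensitive regexes over the command line.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_storage_resize": re.compile(
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I),
    "backup_artifact_deletion": re.compile(
        r"\bdel\b.*?/s.*?\.(vhd|bac|bak|wbcat|bkf|set|win|dsk)\b|\bdel\b.*?backup\*", re.I),
}

def classify(cmd):
    """Return the names of every rule the command line matches (in RULES order)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def detect(events):
    """Return (host, rule, cmd) tuples for each event that matches a rule."""
    hits = []
    for ev in events:
        for rule in classify(ev["cmd"]):
            hits.append((ev["host"], rule, ev["cmd"]))
    return hits

def hosts_with_recovery_inhibition(events, min_rules=2):
    """Hosts on which at least min_rules distinct behaviours fired. A single vssadmin
    call is often legitimate administration; several such behaviours together are not."""
    per_host = {}
    for host, rule, _ in detect(events):
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```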

Each victim receives a unique ID that can be used to contact the ransomware group on the “Secure Chat” Tor negotiation site. Like most ransomware operations that target businesses, Medusa runs a data leak site called “Medusa Blog.” This site is part of the gang’s double-extortion scheme, in which the data of victims who decline to pay a ransom is published. A victim’s data is not made public immediately when they are added to the leak site. Instead, the threat actors offer the victim paid options to delay the data release, delete the data, or download the entire data set. The cost of each of these options varies.

These three options put the victim under further pressure and coerce them into paying a ransom. Unfortunately, there are no known weaknesses in the Medusa ransomware’s encryption that would allow victims to recover their files for free.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on creating opportunities, enhancing marketing strategies, and elevating cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.