The threat actors affiliated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands.
"As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News.
"All of these options have a price depending on the organization impacted by this group."
Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It is known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail.
As many as 74 organizations, mostly in the U.S., the U.K., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.
Ransomware attacks orchestrated by the group begin with the exploitation of internet-facing assets or applications with known unpatched vulnerabilities and the hijacking of legitimate accounts, often employing initial access brokers to gain a foothold in target networks.
In one instance observed by the cybersecurity firm, a Microsoft Exchange Server was exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software.
A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and sidestep detection. Also observed is the use of a pair of kernel drivers to terminate a hard-coded list of security products.
The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files except those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).
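One way a defender can turn the file-extension behaviour described above into a detection is to watch for a burst of files being renamed to the .medusa extension by a single process on one host. The following is an added example written for this article, not code from Unit 42 or The Hacker News; the log line layout, the host and process names, and the window and threshold values are all constructed assumptions.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Extensions the article says Medusa leaves alone (plus its own marker extension).
SKIPPED_EXTS = {".dll", ".exe", ".lnk", ".medusa"}
MEDUSA_EXT = ".medusa"

# Constructed sample file-rename events (assumed format):
# "<ISO time> <host> <process> <old path> -> <new path>"
SAMPLE_LOG = """\
2023-12-01T10:00:01 WS01 explorer.exe C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.old
2023-12-01T10:05:00 WS02 unknown.exe C:\\Data\\q1.xlsx -> C:\\Data\\q1.xlsx.medusa
2023-12-01T10:05:01 WS02 unknown.exe C:\\Data\\q2.docx -> C:\\Data\\q2.docx.medusa
2023-12-01T10:05:02 WS02 unknown.exe C:\\Data\\q3.pdf -> C:\\Data\\q3.pdf.medusa
2023-12-01T10:05:03 WS02 unknown.exe C:\\Data\\q4.png -> C:\\Data\\q4.png.medusa
2023-12-01T11:30:00 WS03 backup.exe C:\\Old\\r.txt -> C:\\Old\\r.txt.medusa
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) -> (.+)$")

def parse_events(text):
    """Parse log lines into (time, host, process, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), m.group(4), m.group(5)))
    return events

def detect_bursts(events, window_s=60, threshold=3):
    """Return {host: (process, count)} for hosts where one process renamed at
    least `threshold` files to .medusa within a sliding `window_s` window."""
    recent = defaultdict(deque)  # (host, process) -> timestamps of .medusa renames
    hits = {}
    for ts, host, proc, _old, new in sorted(events):
        if not new.lower().endswith(MEDUSA_EXT):
            continue
        q = recent[(host, proc)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            hits[host] = (proc, max(len(q), hits.get(host, ("", 0))[1]))
    return hits

def affected_extensions(events):
    """Original extensions of files renamed to .medusa; per the article, the
    skipped extensions (.dll/.exe/.lnk) should never appear in this set."""
    return {os.path.splitext(old)[1].lower()
            for _, _, _, old, new in events if new.lower().endswith(MEDUSA_EXT)}
```

A single isolated .medusa rename (WS03 above) stays below the threshold, so the rule flags only the burst on WS02.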
For each compromised victim, Medusa's leak site displays information about the organization, the ransom demanded, the amount of time remaining before the stolen data is released publicly, and the number of views, in a bid to exert pressure on the company.
The actors also offer different options to the victim, all of which involve some form of extortion: to delete or download the pilfered data, or to buy a time extension to prevent the data from being released.
As ransomware continues to be a rampant threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting more brazen with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels.
"Ransomware has changed many aspects of the threat landscape, but a key recent development is its increasing commoditization and professionalization," Sophos researchers said last month, calling ransomware gangs "increasingly media-savvy."
Medusa, per Unit 42, not only has a media team to likely manage its branding efforts, but also leverages a public Telegram channel named "information support," where files of compromised organizations are shared and can be accessed over the clearnet. The channel was set up in July 2021.
"The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape," the researchers said. "This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques."
The development comes as Arctic Wolf Labs publicized two cases in which victims of the Akira and Royal ransomware gangs were targeted by malicious third parties posing as security researchers for secondary extortion attempts.
"Threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data," security researchers Stefan Hostetler and Steven Campbell said, noting the threat actor sought about 5 bitcoin in exchange for the service.
It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country toward the end of 2023, exploiting a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.