Medusa


Medusa Ransomware is human-operated malware that first appeared in June 2021. It has made headlines with a string of attacks on corporate targets, including the Minneapolis Public School district. The ransomware appends .MEDUSA to encrypted files and uses double extortion: it encrypts data, exfiltrates it, and threatens to publish the stolen data on its leak site, Medusa Blog, if the ransom is not paid.

Key Insights

Since Medusa first appeared, it has evolved its tactics to make its attacks more effective. In early 2023 the group launched the Medusa Blog, a dedicated leak site on the dark web where they post data from noncompliant victims. This adds pressure on organizations to pay the ransom to avoid public exposure of sensitive data.

Attack Vectors and Techniques

Medusa gains access to networks through unsecured Remote Desktop Protocol (RDP) connections and phishing campaigns. The operators exploit known vulnerabilities in public-facing assets and outdated software to get a foothold. Once inside, they use PowerShell scripts to execute commands, exfiltrate data, and deploy the ransomware payload. The malware terminates various services and processes so that files can be encrypted and to evade detection.

Encryption and Ransom Demands

Medusa uses a combination of AES-256 and RSA-2048 to encrypt files, so the data is inaccessible without the decryption key. After encryption, it drops a ransom note, usually called "!!!READ_ME_MEDUSA!!!.txt", in each affected directory with instructions to pay in cryptocurrency and a deadline to force compliance.
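The two file-system artifacts named above, the .MEDUSA extension and the per-directory ransom note, are the indicators a responder can sweep a file share for. The script below is an added example written for this page, not tooling from the ransomware operators or from any vendor: it walks a directory tree, collects encrypted files and ransom notes, and reports which directories were touched. The sample tree it builds under a temporary directory is constructed data for the demonstration; the indicator strings themselves come from the text.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the page: Medusa appends this extension to encrypted
# files and drops this ransom note in each affected directory.
ENCRYPTED_EXT = ".MEDUSA"
RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    affected_dirs: set = field(default_factory=set)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect Medusa file-system indicators.

    The extension match is case-insensitive so a sample that writes `.medusa`
    is still caught; the note name is compared exactly, as given on the page.
    """
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(full)
                result.affected_dirs.add(dirpath)
            elif name.upper().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(full)
                result.affected_dirs.add(dirpath)
    return result


def build_sample_tree() -> str:
    """Create a throw-away directory that mimics a partially hit share.

    Constructed sample data for the demo, not files from a real incident.
    """
    root = tempfile.mkdtemp(prefix="medusa-demo-")
    hit = Path(root, "finance")
    clean = Path(root, "public")
    hit.mkdir()
    clean.mkdir()
    (hit / "budget.xlsx.MEDUSA").write_bytes(b"\x00" * 16)
    (hit / "notes.docx.MEDUSA").write_bytes(b"\x00" * 16)
    (hit / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (clean / "readme.txt").write_text("untouched\n")
    return root


def summarize(result: ScanResult) -> dict:
    """Condense a ScanResult into counts suitable for a ticket or alert."""
    return {
        "hit": result.hit,
        "encrypted_files": len(result.encrypted_files),
        "ransom_notes": len(result.ransom_notes),
        "affected_dirs": sorted(os.path.basename(d) for d in result.affected_dirs),
    }


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(summarize(scan_tree(demo_root)))
```

Run it against a mounted share root instead of the demo tree to get a per-directory picture of how far encryption progressed; the affected-directory list is what tells you which backups to restore and where the note was dropped.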

Known Variants

Medusa is similar to other ransomware families such as MedusaLocker but is a separate entity with its own tactics and playbook. No sub-variants of Medusa Ransomware have been documented.

Mitigation Strategies

  • Implement endpoint protection to detect and block ransomware.

  • Secure RDP by closing unused ports, enforcing strong passwords, and requiring MFA.

  • Train employees to recognize phishing and social engineering attacks.

  • Keep software up to date and patch vulnerabilities.

Targeted Industries or Sectors

Medusa targets corporate, educational and public sector organisations. Its attacks focus on organisations that store sensitive data, so that the double-extortion threat carries weight.

Associated Threat Actors

The Medusa Ransomware operators are unknown, but the structured operations and targeted campaigns suggest a professional group with resources and expertise. Their tactics are consistent with those of financially motivated cybercrime groups.
