Medusa is a ransomware-as-a-service (RaaS) operation first identified in June 2021. It has since grown into a major threat to critical infrastructure sectors worldwide. Medusa operates a double extortion model: affiliates encrypt victims' data and also threaten to publish the data they stole unless a ransom is paid.
The FBI, CISA, and MS-ISAC have flagged Medusa as a significant threat in the joint advisory AA25-071A (linked under Sources below) and urge organizations to put proactive defenses in place.
Severity Level: High
Threat Details
1. Initial Access:
- Phishing: malicious emails trick users into running malware or handing over credentials; initial access brokers are also used.
- Vulnerability exploitation: CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2023-48788 (Fortinet FortiClient EMS SQL injection) are exploited on unpatched, internet-facing systems.
2. Discovery & Reconnaissance:
- Uses Advanced IP Scanner and SoftPerfect Network Scanner to map internal systems.
- Identifies accessible shared drives and databases. Collects OS and system configurations.
3. Privilege Escalation & Lateral Movement:
- Uses Mimikatz to extract credentials from LSASS.
- Exploits weak RDP configurations to access internal systems.
- Uses PsExec to run the ransomware payload on remote hosts with SYSTEM-level privileges.
- Maintains persistence by creating hidden local administrator accounts.
4. Exfiltration & Data Theft:
- Uses Rclone to transfer data to attacker-controlled cloud storage.
- Uses encrypted HTTPS traffic to send data to Medusa-controlled servers.
5. Encryption & Ransom Note Deployment:
- Deploys the gaze.exe encryptor, which encrypts files with AES-256 and appends the .medusa extension.
- Drops the ransom note !!!READ_ME_MEDUSA!!!.txt, which instructs victims to contact the actors via a Tor-based chat or the Tox messenger.
6. Extortion & Payment Negotiation:
- Victims are given 48 hours to respond to ransom demands.
- Failure to comply results in public data leaks on Medusa’s .onion leak site.
- A "triple extortion" scheme has been observed: after a ransom was paid, a separate Medusa actor claimed the original negotiator had stolen the payment and demanded a further payment for the "true" decryptor.
7. Cleanup:
- Deletes PowerShell command history and clears Windows event logs.
- Stops backup-related services and deletes volume shadow copies to prevent recovery.
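The seven stages above leave a consistent trail in process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The following script is an added example written for this advisory, not code from CISA, from the VirusTotal collection or from the actors; it runs a small set of stage-tagged regex rules over constructed sample records and ranks hosts by how many distinct kill-chain stages they show. The log format ("timestamp|host|user|image|command_line"), host names, user names, paths and the sample records are all invented for the demonstration, and the rules cover only the tools and commands named in this advisory (Advanced IP Scanner, Mimikatz, PsExec -s, net user /add, Rclone, gaze.exe, shadow copy deletion, event log clearing).

```python
"""Stage-tagged detection over process-creation records for the Medusa kill chain.

Added example for this advisory; not the actors' code and not a vendor rule set.
The record format and all sample data below are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed sample records: timestamp|host|user|image|command_line
SAMPLE_LOG = r"""
2025-03-10T09:02:11|WS-021|corp\jdoe|C:\Users\jdoe\Downloads\Advanced_IP_Scanner.exe|Advanced_IP_Scanner.exe /portable
2025-03-10T09:15:42|WS-021|corp\jdoe|C:\Windows\Temp\mimikatz.exe|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2025-03-10T09:40:03|WS-021|corp\jdoe|C:\Tools\PsExec64.exe|PsExec64.exe \\FS-01 -s -d cmd.exe /c C:\Windows\Temp\gaze.exe
2025-03-10T09:41:20|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\net.exe|net user svc_backup P@ssw0rd! /add
2025-03-10T09:41:21|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\net.exe|net localgroup administrators svc_backup /add
2025-03-10T10:05:55|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\Temp\rclone.exe|rclone.exe copy D:\Shares\Finance remote:finance --transfers 8
2025-03-10T10:30:09|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2025-03-10T10:30:10|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\Temp\gaze.exe|gaze.exe
2025-03-10T10:45:00|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2025-03-10T08:00:00|WS-007|corp\asmith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n
"""

# (stage, description, pattern) applied to "<image> <command_line>".
# Patterns are illustrative heuristics for the tools named in the advisory.
RULES = [
    ("discovery", "network scanner (Advanced IP Scanner / SoftPerfect netscan)",
     re.compile(r"advanced_?ip_?scanner|netscan\.exe", re.I)),
    ("credential_access", "Mimikatz credential dumping from LSASS",
     re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("lateral_movement", "PsExec remote execution as SYSTEM (-s)",
     re.compile(r"psexec(64)?.*\s-s(\s|$)", re.I)),
    ("persistence", "local account created or added to Administrators",
     re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)),
    ("exfiltration", "Rclone transfer to a remote",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s", re.I)),
    ("impact", "Medusa encryptor gaze.exe",
     re.compile(r"(^|\\|\s)gaze\.exe", re.I)),
    ("impact", "shadow copy or backup catalog deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("defense_evasion", "event log cleared or PowerShell history removed",
     re.compile(r"wevtutil(\.exe)?\s+cl\s|ConsoleHost_history\.txt", re.I)),
]


def parse_record(line):
    """Split one '|'-delimited record; the command line may itself contain '|'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(record):
    """Return the (stage, description) pairs whose pattern hits this record."""
    subject = f"{record['image']} {record['cmdline']}"
    return [(stage, desc) for stage, desc, pat in RULES if pat.search(subject)]


def analyze(log_text):
    """Collect hits per host: {host: {"stages": set, "hits": [(ts, stage, desc, cmdline)]}}."""
    hosts = defaultdict(lambda: {"stages": set(), "hits": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for stage, desc in match_rules(rec):
            hosts[rec["host"]]["stages"].add(stage)
            hosts[rec["host"]]["hits"].append((rec["ts"], stage, desc, rec["cmdline"]))
    return dict(hosts)


def triage(hosts, min_stages=2):
    """Rank hosts by distinct stages seen.

    A single scanner or a single net user /add is noise on many networks; several
    different stages on one host within hours is the signal worth paging on.
    """
    ranked = sorted(hosts.items(), key=lambda kv: len(kv[1]["stages"]), reverse=True)
    return [(host, sorted(data["stages"])) for host, data in ranked
            if len(data["stages"]) >= min_stages]


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for host, stages in triage(findings):
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
        for ts, stage, desc, cmd in findings[host]["hits"]:
            print(f"  {ts} [{stage}] {desc}: {cmd}")
```

In the constructed sample, WS-021 shows discovery, credential access, lateral movement and impact, and FS-01 shows persistence, exfiltration, impact and defense evasion; WS-007 (a plain Word launch) produces no hit. In production the same stage-counting idea should be applied per host over a sliding time window, and the rules should be fed from your EDR or SIEM rather than from a hand-typed list.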
Recommendations
- Enforce phishing-resistant MFA for all remote access, email, VPN, and admin accounts.
- Patch known exploited vulnerabilities promptly, in particular CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2023-48788 (Fortinet FortiClient EMS SQL injection).
- Disable or firewall off RDP (TCP 3389), SMB (TCP 445), and Telnet (TCP 23) wherever they are not required, and never expose them directly to the internet.
- Restrict administrative interfaces to internal networks or VPN-only access.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Disable command-line and scripting activities and permissions for users and endpoints that do not need them, since Medusa relies on PowerShell and cmd.exe throughout the intrusion.
- Use Windows AppLocker or an EDR solution to allowlist applications and block unauthorized executables such as gaze.exe, Mimikatz, and Rclone.
- Block the indicators published in the sources below at the corresponding controls (mail gateway, perimeter firewall, web proxy, and EDR).
Source:
- https://www.virustotal.com/gui/collection/37aa67affb64194b2c8c3a69818ec0e9be87e2430ac5ddc36d7e25299c759d33/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a