Medusa Ransomware Strikes Big: Over 400 Critical Infrastructure Orgs Hit

Published Date: March 17, 2025
Category: ShadowOpsIntel
Share:

The Medusa ransomware is a highly sophisticated ransomware-as-a-service (RaaS) variant that first emerged in June 2021. It has since evolved into a major cyber threat, targeting critical infrastructure sectors worldwide. Operating under a double extortion model, Medusa actors not only encrypt victims’ data but also threaten to publicly release stolen information unless a ransom is paid.

The FBI, CISA, and MS-ISAC have identified Medusa as a significant cybersecurity threat, urging organizations to implement proactive defense measures

Severity Level: High

Threat Details

1. Initial Access:

  • Phishing Attacks: Malicious emails trick users into downloading malware or providing credentials.
  • Exploiting Vulnerabilities: Uses CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet EMS SQL Injection) to gain entry.

2. Discovery & Reconnaissance:

  • Uses Advanced IP Scanner and SoftPerfect Network Scanner to map internal systems.
  • Identifies accessible shared drives and databases. Collects OS and system configurations.

3. Privilege Escalation & Lateral Movement:

  • Uses Mimikatz to extract credentials from LSASS.
  • Exploits weak RDP configurations to access internal systems.
  • Executes PsExec to deploys ransomware payloads with SYSTEM-level privileges.
  • Maintains persistence by adding hidden admin accounts.

4. Exfiltration & Data Theft:

  • Uses Rclone to transfer data to attacker-controlled cloud storage.
  • Uses encrypted HTTPS traffic to send data to Medusa-controlled servers.

5. Encryption & Ransom Note Deployment:

  • Deploys gaze.exe Encryptor, uses AES-256 encryption and adds .medusa file extension.
  • Drops Ransom Note (!!!READ_ME_MEDUSA!!!.txt) that instructs victims to pay via Tor-based chat or Tox messaging.

6. Extortion & Payment Negotiation:

  • Victims are given 48 hours to respond to ransom demands.
  • Failure to comply results in public data leaks on Medusa’s .onion leak site.
  • A “triple extortion” scheme has been observed, where some victims were asked to pay twice due to fraudulent negotiations.

7. Cleanup:

  • Deletes PowerShell history and event logs.
  • Shuts down backup services to prevent recovery.

Recommendations

  1. Enforce phishing-resistant MFA for all remote access, email, VPN, and admin accounts.
  2. Patch known vulnerabilities, particularly CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet EMS SQL Injection).
  3. Close RDP (3389), SMB (445), and Telnet (23) if not required.
  4. Restrict administrative interfaces to internal networks or VPN-only access.
  5. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
  6. Disable command-line and scripting activities and permissions.
  7. Use Windows AppLocker or EDR solutions to block unauthorized executables.
  8. Block the IOCs at their respective controls.

Source:

  • https://www.virustotal.com/gui/collection/37aa67affb64194b2c8c3a69818ec0e9be87e2430ac5ddc36d7e25299c759d33/
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.