The menace actors related to the Medusa ransomware have ramped up their actions following the debut of a devoted information leak web site on the darkish net in February 2023 to publish delicate information of victims who’re unwilling to comply with their calls for.
“As a part of their multi-extortion technique, this group will present victims with a number of choices when their information is posted on their leak web site, akin to time extension, information deletion or obtain of all the info,” Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos stated in a report shared with The Hacker Information.
“All of those choices have a price ticket relying on the group impacted by this group.”
Medusa (to not be confused with Medusa Locker) refers to a ransomware household that appeared in late 2022 earlier than coming into prominence in 2023. It is identified for opportunistically concentrating on a variety of industries akin to excessive expertise, training, manufacturing, healthcare, and retail.
As many as 74 organizations, principally within the U.S., the U.Okay., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.
Ransomware assaults orchestrated by the group start with the exploitation of internet-facing belongings or functions with identified unpatched vulnerabilities and hijacking of reliable accounts, usually using preliminary entry brokers to acquire a foothold to focus on networks.
In a single occasion noticed by the cybersecurity agency, a Microsoft Change Server was exploited to add an internet shell, which was then used as a conduit to put in and execute the ConnectWise distant monitoring and administration (RMM) software program.
A notable side of the infections is the reliance on living-off-the-land (LotL) strategies to mix in with reliable exercise and sidestep detection. Additionally noticed is using a pair of kernel drivers to terminate a hard-coded record of safety merchandise.
The preliminary entry section is adopted by discovery and reconnaissance of the compromised community, with the actors in the end launching the ransomware to enumerate and encrypt all recordsdata save for these with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted recordsdata).
For every compromised sufferer, Medusa’s leak web site shows details about the organizations, ransom demanded, the period of time left earlier than the stolen information is launched publicly, and the variety of views in a bid to exert stress on the corporate.
The actors additionally provide totally different decisions to the sufferer, all of which contain some type of extortion to delete or obtain the pilfered information and search a time extension to forestall the info from being launched.
As ransomware continues to be a rampant menace, concentrating on tech corporations, healthcare, crucial infrastructure, and the whole lot in between, the menace actors behind it are getting extra brazen with their ways, going past publicly naming and shaming organizations by resorting to threats of bodily violence and even devoted public relations channels.
“Ransomware has modified many sides of the menace panorama, however a key latest improvement is its rising commoditization and professionalization,” Sophos researchers stated final month, calling ransomware gangs “more and more media-savvy.”
Medusa, per Unit 42, not solely has a media crew to doubtless deal with their branding efforts, but in addition leverages a public Telegram channel named “data assist,” the place recordsdata of compromised organizations are shared and will be accessed over the clearnet. The channel was arrange in July 2021.
“The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a big improvement within the ransomware panorama,” the researchers stated. “This operation showcases advanced propagation strategies, leveraging each system vulnerabilities and preliminary entry brokers, whereas adeptly avoiding detection by means of living-off-the-land strategies.”
The event comes as Arctic Wolf Labs publicized two circumstances wherein victims of Akira and Royal ransomware gangs had been focused by malicious third-parties posing as safety researchers for secondary extortion makes an attempt.
“Menace actors spun a story of making an attempt to assist sufferer organizations, providing to hack into the server infrastructure of the unique ransomware teams concerned to delete exfiltrated information,” safety researchers Stefan Hostetler and Steven Campbell stated, noting the menace actor sought about 5 bitcoin in trade for the service.
It additionally follows a new advisory from the Finnish Nationwide Cyber Safety Centre (NCSC-FI) a few spike in Akira ransomware incidents within the nation in the direction of the top of 2023 by exploiting a safety flaw in Cisco VPN home equipment (CVE-2023-20269, CVSS rating: 5.0) to breach home entities.
