Medusa Ransomware Attacks Focus On Critical Infrastructure

Known for the sophistication of its operations, the ransomware gang Medusa has been responsible for known attacks on over 300 organisations in the critical infrastructure sectors, including medical, education, legal, insurance, manufacturing and technology operations.  

Once hit by a Medusa ransomware attack, victims are told that they must pay a ransom to decrypt their files to prevent them from being released onto the Internet. 

This is called as a double-extortion attack, and means that even if the victim organisation has backups and can recover the files that have been encrypted, they still face the threat of having their sensitive data leaked if they refuse to pay the ransom.

Now, a joint cyber security advisory has been published  published this attack recently which comes from the Cybersecurity and Infrastructure Security Agency (CISA), warning that Medusa has been operating since 2021. “Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors... “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory says. 

“Both Medusa developers and affiliates, referred to as ‘Medusa actors’ in this advisory, employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

According to the advisory, Medusa developers typically employ initial access brokers on cyber criminal forums to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access tools like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems and networks.

According to CISA, Medusa conceals itself disguised as legitimate tools CISA typically using living-off-the-land (LotL) techniques to evade detection as well as several PowerShell techniques that feature “increasing complexity.” A key component of some attacks is using vulnerable drivers in what is known as “bring your own vulnerable driver” or BYOVD attacks. The advisory said Medusa actors use BYOVD to kill and even delete endpoint detection and response products.

Medusa activity has increased 42% year-over-year in 2024 and continued rising in January and February.

The researchers say the hackers have extensive use of both legitimate drivers as well as custom-developed malicious tools like AVKill and POORTRY to bypass or disable security software. “BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”

In case a victim refuses to pay the demanded ransom their stolen data may be leaked on Medusa's Dark Web forum and sold to other cybercriminals, risking  reputational damage, legal consequences, penalties for non-compliance and consequent financial loss.

CISA  urges organisations to report Medusa ransomware incidents to law enforcement and refrain from paying ransoms, as doing so risks encouraging further attacks.

CISA   |     Security.com  |  Tripwire   |    Cybersecuriy Dive   |   Infosecurity Magazine   |    Security Week  

Image:

You Might Also Read: 

Britsh Healthcare Provider Investigating Ransom Claims:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 


 

« Shadow IT In Remote Work
From Static Defenses To Dynamic Systems »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ARC Advisory Group

ARC Advisory Group

ARC is a leading technology research and advisory firm with expertise in both information technologies (IT) and operational technologies (OT)

National Security Authority (NBU) - Slovakia

National Security Authority (NBU) - Slovakia

The National Security Authority (NBU) is the central government body in Slovakia for the Protection of Classified Information, Cryptographic Services, Trust Services and Cyber Security.

AKATI Sekurity

AKATI Sekurity

AKATI Sekurity is a security-focused consulting firm providing services specializing in Information Security and Information Forensics.

Dreamlab Technologies

Dreamlab Technologies

Over the last 20 years, Dreamlab Technologies has established itself as a source of constant innovation within the information security landscape.

Uppsala Security

Uppsala Security

Uppsala Security built the first crowdsourced Threat Intelligence platform known as the Sentinel Protocol, which is powered by blockchain technology.

NESECO

NESECO

NESECO is an IT security integration and consulting firm providing security products, solutions, support, consulting, and training services.

Sternum

Sternum

Sternum provides reliable and effective endpoint security for any IoT device, using robust technology and seamless integration.

Radically Open Security

Radically Open Security

Radically Open Security is the world's first not-for-profit computer security consultancy company.

Innovasec

Innovasec

Innovasec provide information security consulting and training services.

Quantinuum

Quantinuum

Quantinuum is the combination of Cambridge Quantum with Honeywell Quantum Solutions, structured to drive the future of quantum computing.

Riskaware

Riskaware

CyberAware, by Riskaware, provides business-critical cyber attack analysis and impact assessments using NIST standards aligned with NCSC guidance.

PagerDuty

PagerDuty

PagerDuty is the central nervous system for a company’s digital operations. We identify issues in real-time and bring together the right people to respond to problems faster.

Menaya

Menaya

Menaya provide Ethical Hackers for leading companies while also providing cyber security solutions to help major infrastructures protect against cyber crime.

Apexanalytix

Apexanalytix

Apexanalytix is a leading provider of supplier onboarding, risk management and recovery solutions.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.

DataTrails

DataTrails

DataTrails enables organizations to prove and verify the provenance and authenticity of any data they use in their business operations.