Medusa Ransomware Attacks Focus On Critical Infrastructure

Known for the sophistication of its operations, the Medusa ransomware gang has been linked to known attacks on over 300 organisations across critical infrastructure sectors, including medical, education, legal, insurance, manufacturing and technology.

Once hit by a Medusa ransomware attack, victims are told that they must pay a ransom to decrypt their files to prevent them from being released onto the Internet. 

This is called a double-extortion attack: even if the victim organisation has backups and can recover the files that have been encrypted, it still faces the threat of having its sensitive data leaked if it refuses to pay the ransom.

Now, a joint cyber security advisory on this threat has recently been published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and MS-ISAC, warning that Medusa has been operating since 2021. “Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors... While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory says.

“Both Medusa developers and affiliates, referred to as ‘Medusa actors’ in this advisory, employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

According to the advisory, Medusa developers typically recruit initial access brokers on cyber criminal forums and marketplaces to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access and remote management tools such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems and networks. Because these are tools many IT teams use legitimately, the practical detection question is not whether they run but where, by whom and from which path.

According to CISA, Medusa actors disguise their activity as legitimate tooling, typically using living-off-the-land (LotL) techniques to evade detection, along with several PowerShell techniques of “increasing complexity.” A key component of some attacks is the abuse of legitimately signed but vulnerable kernel drivers, known as a “bring your own vulnerable driver” or BYOVD attack: the attacker loads a driver with a known flaw and uses its kernel-level access to act on processes that user-mode malware could not touch. The advisory says Medusa actors use BYOVD to kill, and even delete, endpoint detection and response (EDR) products.

Medusa activity increased 42% between 2023 and 2024, and continued to rise in January and February 2025, according to researchers at Symantec.

The Symantec researchers say the attackers make extensive use of both legitimately signed drivers and custom-developed malicious tools such as KillAV and POORTRY to bypass or disable security software. “BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”
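The two behaviours described above (legitimate remote-access and scanner tools turning up where they should not, and a vulnerable driver load followed by an EDR service going down) are both visible in ordinary Windows telemetry. The following Python hunt script is an added example written for this article; it is not code from CISA, Symantec or Medusa. It runs over constructed, Sysmon-style JSON lines (process creation as event 1, driver load as event 6, and a service-state change modelled on System log event 7036). The executable names, EDR service names, allowed admin host, and the vulnerable-driver SHA-256 values are all assumptions or placeholders for the example: in a real hunt, load your own software inventory and a real vulnerable-driver blocklist instead.

```python
"""Hunt for Medusa-style tradecraft in Windows event data (added example).

Findings raised:
  * unexpected-rmm-or-scanner: a remote-access or scanner binary named in the
    advisory runs on a host that is not an approved admin host, or from a
    path outside the normal install roots
  * vulnerable-driver-load: a loaded driver's SHA-256 is on a vulnerable list
  * edr-service-stopped(-after-byovd): an EDR service stops, escalated to
    critical when a vulnerable driver loaded on the same host shortly before
"""
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names are assumptions for this example; confirm against your inventory.
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise",
    "srservice.exe": "Splashtop",
}
SCAN_TOOLS = {
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "netscan.exe": "SoftPerfect Network Scanner",
}
RMM_ALLOWED_HOSTS = {"IT-ADMIN01"}          # assumed: hosts where RMM use is expected
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Placeholder hashes standing in for a real vulnerable-driver blocklist (e.g. Microsoft's).
VULN_DRIVER_SHA256 = {"a" * 64: "placeholder vulnerable driver A"}
EDR_SERVICES = {"sense", "csfalconservice", "sentinelagent"}  # assumed EDR service names
BYOVD_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry: one compromised file server, one legitimate admin host.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2025-03-10T02:14:05", "event_id": 1, "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\anydesk.exe"},
    {"time": "2025-03-10T02:15:40", "event_id": 1, "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\netscan.exe"},
    {"time": "2025-03-10T02:20:11", "event_id": 6, "host": "FS01",
     "image_loaded": "C:\\Windows\\Temp\\drv.sys", "sha256": "a" * 64, "signed": "true"},
    {"time": "2025-03-10T02:21:02", "event_id": 7036, "host": "FS01",
     "service": "Sense", "state": "stopped"},
    {"time": "2025-03-10T09:00:00", "event_id": 1, "host": "IT-ADMIN01", "user": "CORP\\helpdesk1",
     "image": "C:\\Program Files (x86)\\AnyDesk\\anydesk.exe"},
    {"time": "2025-03-10T09:05:00", "event_id": 6, "host": "IT-ADMIN01",
     "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "sha256": "c" * 64, "signed": "true"},
])


def parse_jsonl(text):
    """Parse JSON lines into event dicts, sorted by timestamp so correlation is causal."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def hunt(events):
    findings = []
    vuln_loads = {}  # host -> timestamps of vulnerable-driver loads seen so far
    for ev in events:
        host, when, eid = ev["host"], ev["time"], ev["event_id"]
        if eid == 1:
            name = PureWindowsPath(ev["image"]).name.lower()
            tool = RMM_TOOLS.get(name) or SCAN_TOOLS.get(name)
            if not tool:
                continue
            from_trusted_path = ev["image"].lower().startswith(TRUSTED_INSTALL_ROOTS)
            if host in RMM_ALLOWED_HOSTS and from_trusted_path:
                continue  # expected admin usage from a normal install location
            findings.append({"severity": "medium", "host": host, "time": when,
                             "rule": "unexpected-rmm-or-scanner",
                             "detail": f"{tool} run as {ev['user']} from {ev['image']}"})
        elif eid == 6:
            label = VULN_DRIVER_SHA256.get(ev["sha256"].lower())
            if label:
                vuln_loads.setdefault(host, []).append(when)
                findings.append({"severity": "high", "host": host, "time": when,
                                 "rule": "vulnerable-driver-load",
                                 "detail": f"{label} loaded from {ev['image_loaded']} (signed={ev['signed']})"})
        elif eid == 7036 and ev["state"] == "stopped" and ev["service"].lower() in EDR_SERVICES:
            recent = [t for t in vuln_loads.get(host, []) if timedelta(0) <= when - t <= BYOVD_WINDOW]
            findings.append({"severity": "critical" if recent else "high", "host": host, "time": when,
                             "rule": "edr-service-stopped-after-byovd" if recent else "edr-service-stopped",
                             "detail": f"{ev['service']} stopped; vulnerable driver loads in window: {len(recent)}"})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_jsonl(SAMPLE_LOG)):
        print(f"[{f['severity']:8}] {f['time']} {f['host']} {f['rule']}: {f['detail']}")
```

On the sample data the script raises four findings, all on FS01: the two tool executions from C:\Users\Public, the placeholder driver load, and the EDR service stop escalated to critical because it falls within ten minutes of that load. The legitimate AnyDesk run on the admin host and the ordinary tcpip.sys load produce nothing. The correlation window and the allowlist are the knobs to tune; a driver hash match alone is already worth an alert, since a signed-but-vulnerable driver has no business appearing in a temp directory.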

If a victim refuses to pay the demanded ransom, their stolen data may be leaked on Medusa's dark web leak site and sold to other cybercriminals, risking reputational damage, legal consequences, penalties for non-compliance and consequent financial loss.

CISA urges organisations to report Medusa ransomware incidents to law enforcement and refrain from paying ransoms, as doing so risks encouraging further attacks.

Sources: CISA | Security.com | Tripwire | Cybersecurity Dive | Infosecurity Magazine | Security Week
