Medusa Ransomware Attacks Focus On Critical Infrastructure

Known for the sophistication of its operations, the ransomware gang Medusa has been responsible for attacks on over 300 organisations in critical infrastructure sectors, including medical, education, legal, insurance, manufacturing and technology operations.

Once hit by a Medusa ransomware attack, victims are told that they must pay a ransom both to decrypt their files and to prevent them from being released onto the Internet.

This is called a double-extortion attack, and means that even if the victim organisation has backups and can recover the files that have been encrypted, it still faces the threat of having its sensitive data leaked if it refuses to pay the ransom.

Now, a joint cyber security advisory on these attacks has recently been published by the Cybersecurity and Infrastructure Security Agency (CISA), warning that Medusa has been operating since 2021. “Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors... While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory says.

“Both Medusa developers and affiliates, referred to as ‘Medusa actors’ in this advisory, employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

According to the advisory, Medusa developers typically employ initial access brokers on cyber criminal forums to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access tools like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems and networks.

According to CISA, Medusa actors disguise their activity as legitimate tool usage, typically using living-off-the-land (LotL) techniques to evade detection, as well as several PowerShell techniques of “increasing complexity.” A key component of some attacks is the use of vulnerable drivers in what is known as a “bring your own vulnerable driver” (BYOVD) attack. The advisory says Medusa actors use BYOVD to kill, and even delete, endpoint detection and response products.

Medusa activity increased 42% year-over-year in 2024 and continued to rise in January and February.

The researchers say the attackers make extensive use of both legitimate drivers and custom-developed malicious tools such as AVKill and POORTRY to bypass or disable security software. “BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”
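As an added illustration of the defensive side of the tradecraft described above (example code, not from the advisory or any vendor), the following Python triage helper tags constructed Sysmon-style events involving the remote-management tools, network scanners and driver loads named in this article; the approved-tool list, the event field names and the directory heuristic for driver loads are assumptions.

```python
from collections import defaultdict

# Remote-management and scanning tools named in the advisory. They are
# legitimate software, so an RMM tool is flagged only when it is not on the
# organisation's approved list (passed in by the caller; an assumption).
RMM_TOOLS = ("anydesk", "atera", "connectwise", "ehorus", "n-able",
             "pdq", "simplehelp", "splashtop")
SCANNERS = ("advanced_ip_scanner", "advanced ip scanner", "softperfect", "netscan")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # heuristic, see below

def tag_event(ev, approved_rmm=frozenset()):
    """Return the detection tags that apply to one event (possibly none)."""
    image = ev["image"].lower()
    tags = []
    if ev["type"] == "process_create":
        rmm = next((t for t in RMM_TOOLS if t in image), None)
        if rmm and rmm not in approved_rmm:
            tags.append("unapproved_rmm:" + rmm)
        if any(s in image for s in SCANNERS):
            tags.append("network_scanner")
    elif ev["type"] == "driver_load":
        # BYOVD abuses validly signed drivers, so signature status alone is
        # not a signal; loading from outside the normal drivers directory is
        # the (assumed) heuristic used here. Pair it with a blocklist in production.
        if not image.startswith(DRIVER_DIR):
            tags.append("driver_outside_system_dir")
    return tags

def triage(events, approved_rmm=frozenset()):
    """Group tags per host; hosts with the most distinct tag kinds rank first,
    since RMM use plus a scanner plus an odd driver load is the chain above."""
    per_host = defaultdict(list)
    for ev in events:
        for tag in tag_event(ev, approved_rmm):
            per_host[ev["host"]].append(tag)
    def score(item):
        kinds = {t.split(":")[0] for t in item[1]}
        return (len(kinds), len(item[1]))
    return sorted(per_host.items(), key=score, reverse=True)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "ws01", "type": "process_create", "image": r"C:\Users\a\Downloads\AnyDesk.exe"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Tools\advanced_ip_scanner.exe"},
    {"host": "ws01", "type": "driver_load", "image": r"C:\Users\a\AppData\Local\Temp\drv.sys"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Program Files\Splashtop\Splashtop.exe"},
    {"host": "ws02", "type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
]
```

Running `triage(SAMPLE_EVENTS, approved_rmm={"splashtop"})` ranks only ws01, which shows all three tag kinds, while ws02's approved Splashtop use and normal driver load produce nothing.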

If a victim refuses to pay the demanded ransom, their stolen data may be leaked on Medusa's Dark Web forum and sold to other cybercriminals, risking reputational damage, legal consequences, penalties for non-compliance and consequent financial loss.

CISA urges organisations to report Medusa ransomware incidents to law enforcement and to refrain from paying ransoms, as doing so risks encouraging further attacks.

CISA | Security.com | Tripwire | Cybersecurity Dive | Infosecurity Magazine | Security Week
