Medusa Ransomware Attacks Focus On Critical Infrastructure

Known for the sophistication of its operations, the Medusa ransomware gang has claimed more than 300 victims in critical infrastructure sectors, including medical, education, legal, insurance, manufacturing and technology organisations.

Once hit by a Medusa ransomware attack, victims are told that they must pay a ransom both to decrypt their files and to prevent the stolen copies from being released onto the Internet.

This is called a double-extortion attack: even if the victim organisation has backups and can restore the encrypted files, it still faces the threat of its sensitive data being leaked if it refuses to pay the ransom.

Now, a joint cyber security advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and MS-ISAC, published in March 2025, warns that Medusa has been operating since 2021. “Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors... While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory says.

“Both Medusa developers and affiliates, referred to as ‘Medusa actors’ in this advisory, employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

According to the advisory, Medusa developers typically employ initial access brokers on cyber criminal forums to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access tools like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems and networks.

According to CISA, Medusa actors rely on living-off-the-land (LotL) techniques, abusing legitimate tools already present on the host to evade detection, along with PowerShell techniques of “increasing complexity.” A key component of some attacks is the use of vulnerable drivers in what is known as a “bring your own vulnerable driver” (BYOVD) attack: a legitimately signed but exploitable driver is loaded, and the kernel access it provides is used to terminate processes that normal user-mode tampering cannot touch. The advisory says Medusa actors use BYOVD to kill and even delete endpoint detection and response (EDR) products.

Researchers at Symantec report that Medusa activity increased 42% year-over-year in 2024 and continued rising in January and February 2025.

The Symantec researchers say the attackers make extensive use of signed but vulnerable drivers together with custom-developed malicious tools such as KillAV and POORTRY to bypass or disable security software. “BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”
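The two behaviours described above, unsanctioned remote-access tools appearing on hosts and a driver load followed closely by a security service stopping, are both visible in ordinary endpoint telemetry. The following hunting script is an added example written for this article; it is not code from CISA, Symantec or the Medusa tooling. It runs over a small set of constructed, Sysmon-shaped event records (the host names, the EDRAgent service name, the example_vendor.sys file name and the single approved RMM product are all assumptions for illustration) and flags unsanctioned RMM binaries, driver loads from outside the trusted driver directories, and a security service stopping within ten minutes of such a load, which is the BYOVD EDR-kill pattern the advisory describes.

```python
"""Added hunting example (not from the advisory or the original article):
flag BYOVD-style EDR tampering and unsanctioned remote-access tools in
Sysmon-like event records. All sample events, host names, service names and
file names below are constructed for illustration."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Remote-access tools the CISA advisory lists as abused by Medusa actors
# (ScreenConnect is ConnectWise's remote-control product).
RMM_TOOLS = {"anydesk", "atera", "connectwise", "screenconnect", "ehorus",
             "n-able", "pdqdeploy", "pdqinventory", "simplehelp", "splashtop"}
# Assumption: the organisation sanctions only one RMM product.
APPROVED_RMM = {"connectwise", "screenconnect"}
# Assumption: service names of the EDR/AV agents deployed in this environment.
SECURITY_SERVICES = {"EDRAgent", "WinDefend"}
# Drivers legitimately load from here; anything else deserves a look.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
KILL_WINDOW = timedelta(minutes=10)

# Constructed records, loosely shaped like Sysmon event 1 (ProcessCreate),
# Sysmon event 6 (DriverLoad) and System log 7036 (service state change).
SAMPLE_EVENTS = [
    {"time": "2025-03-10T09:01:10", "host": "WS-014", "event": "ProcessCreate",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"time": "2025-03-10T09:02:05", "host": "WS-014", "event": "DriverLoad",
     "image": r"C:\Windows\Temp\example_vendor.sys"},
    {"time": "2025-03-10T09:02:30", "host": "WS-014", "event": "ServiceStateChange",
     "service": "EDRAgent", "state": "stopped"},
    {"time": "2025-03-10T11:00:00", "host": "SRV-02", "event": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"time": "2025-03-10T11:30:00", "host": "SRV-02", "event": "ProcessCreate",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"time": "2025-03-10T13:00:00", "host": "SRV-02", "event": "ServiceStateChange",
     "service": "EDRAgent", "state": "stopped"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rmm_tool(image):
    """Return the RMM product a process image name looks like, or None."""
    name = PureWindowsPath(image).name.lower().replace(" ", "")
    for tool in RMM_TOOLS:
        if tool in name:
            return tool
    return None


def untrusted_driver(image):
    """True when a driver is loaded from outside the trusted driver directories."""
    parent = str(PureWindowsPath(image).parent).lower()
    return not parent.startswith(TRUSTED_DRIVER_DIRS)


def hunt(events):
    """Return findings in time order: unsanctioned RMM, untrusted driver loads,
    and security services stopping (escalated when a driver load preceded it)."""
    findings = []
    recent_driver = {}  # host -> (time, image) of the last untrusted driver load
    for ev in sorted(events, key=_ts):
        host, kind = ev["host"], ev["event"]
        if kind == "ProcessCreate":
            tool = rmm_tool(ev["image"])
            if tool and tool not in APPROVED_RMM:
                findings.append({"severity": "medium", "host": host,
                                 "rule": "unsanctioned_rmm", "detail": ev["image"]})
        elif kind == "DriverLoad" and untrusted_driver(ev["image"]):
            recent_driver[host] = (_ts(ev), ev["image"])
            findings.append({"severity": "medium", "host": host,
                             "rule": "driver_load_outside_trusted_dir",
                             "detail": ev["image"]})
        elif (kind == "ServiceStateChange" and ev["state"] == "stopped"
              and ev["service"] in SECURITY_SERVICES):
            loaded = recent_driver.get(host)
            if loaded and _ts(ev) - loaded[0] <= KILL_WINDOW:
                gap = int((_ts(ev) - loaded[0]).total_seconds())
                findings.append({"severity": "high", "host": host,
                                 "rule": "byovd_edr_kill",
                                 "detail": f"{ev['service']} stopped {gap}s after {loaded[1]}"})
            else:
                findings.append({"severity": "low", "host": host,
                                 "rule": "security_service_stopped",
                                 "detail": ev["service"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']} {f['rule']}: {f['detail']}")
```

On the sample data the script raises one high-severity finding for WS-014 (EDRAgent stopped 25 seconds after a driver loaded from C:\Windows\Temp) and treats the later EDRAgent stop on SRV-02, with no preceding driver load, as a low-severity event worth a look but not an alert. The trusted-directory heuristic is deliberately weak: an attacker with administrative rights can drop a driver into System32\drivers, so in production the driver check should also compare file hashes against the LOLDrivers list and Microsoft's vulnerable driver blocklist, and the RMM list should be reconciled against whatever remote-access product the organisation actually licenses.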

If a victim refuses to pay the demanded ransom, the stolen data may be leaked on Medusa's dark web site and sold to other cybercriminals, risking reputational damage, legal consequences, penalties for non-compliance and consequent financial loss.

CISA urges organisations to report Medusa ransomware incidents to law enforcement and to refrain from paying ransoms, as doing so risks encouraging further attacks.

Sources: CISA | Security.com | Tripwire | Cybersecurity Dive | Infosecurity Magazine | Security Week
