Medusa Ransomware Group: Delivering Sophisticated Attacks

Medusa is a notorious ransomware group that emerged in 2023. Unlike most ransomware operators, Medusa has established is the visible  web, alongside their traditional Dark Web activities. It has been criminally exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks.

Medusa, known for targeting a wide range of sectors, including healthcare, manufacturing, and education, has been quick to exploit the vulnerability.

By sending malicious web requests containing SQL statements, the group manipulates the FCTUID parameter in request headers, enabling them to execute arbitrary commands via the xp_cmdshell function in Microsoft SQL Server.  

Once initial access is gained, Medusa creates a webshell on the compromised server to facilitate data exfiltration and payload delivery.  

The group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems.
Medusa’s attack chain showcases the group’s advanced capabilities, particularly in the areas of execution and defense evasion. After gaining a foothold, Medusa leverages PowerShell scripts to run commands, exfiltrate data, and execute its ransomware payload. 

The group’s malware, known as gaze.exe, kills various services and loads files referencing Tor links for data exfiltration.

To evade detection, Medusa installs compromised versions of legitimate tools  like ConnectWise and AnyDesk. These tampered RMM tools often go unnoticed due to their trusted status within the victim’s environment.
Organisations can adopt a multi-layered approach to defend against Medusa’s ransomware attacks. Implementing robust patch management practices is crucial to promptly address vulnerabilities like the Fortinet flaw.

Network segmentation, regular backups, and employee security awareness training are all essential components of a comprehensive defence strategy. As ransomware becomes increasingly sophisticated, it remains vital that organisations remain an vigilant and have recovery plans in place. 

Bitedender   |     CyberCX   |     Cyberpress   |     Cybersecurity News   |    TTB Internet Security    |   SRM Inform 

Image: Unsplash

You Might Also Read: 

Threat Intelligence: Most Prevalent Malware Rankings:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Improving Threat Intelligence Sharing
Google’s EU Antitrust Case Dropped »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

MKD-CIRT

MKD-CIRT

MKD-CIRT is the national Computer Incident Response Team for Macedonia.

Atempo

Atempo

Atempo is a leading independent European-based software vendor with a global presence. We provide solutions to protect, store, move and recover all your data.

Vuntie

Vuntie

Vuntie blend European craftsmanship, performance and open-source technology to deliver cybersecurity services including penetration testing, incident response, training and consultancy.

National Cyber Security Center (NCSC) - Hungary

National Cyber Security Center (NCSC) - Hungary

The National Cyber Security Center was established in 2015 by uniting the GovCERT-Hungary, National Electronic Information Security Authority (NEISA) and the Cyber Defence Management Authority (CDMA).

GMV

GMV

GMV is a technological business group offering solutions, services and products in diverse sectors including Intelligent Transportation Systems, Cybersecurity, Telecoms and IT.

White & Black

White & Black

White & Black are specialist corporate & technology lawyers based in London & Oxford.

Security Innovation Network (SINET)

Security Innovation Network (SINET)

SINET is dedicated to building a cohesive, worldwide Cybersecurity community with the goal of accelerating innovation through collaboration.

Injazat

Injazat

Injazat Data Systems is an industry recognized market leader in the Gulf region for Information Technology, Data Center and Managed Services.

Satori Cyber

Satori Cyber

The Satori Cyber Secure Data Access Cloud is the first solution on the market to offer continuous visibility and granular control for data flows across all cloud and hybrid data stores.

IP2Location

IP2Location

IP2Location provide services to identify geolocation by IP address, and to detect IP addresses associated with anonymous proxy servers, which are often used for fraud and spamming purposes.

Police CyberAlarm

Police CyberAlarm

Police CyberAlarm is a free tool to help members understand and monitor malicious cyber activity. This service is made up of two parts; monitoring and vulnerability scanning.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

Innefu Labs

Innefu Labs

Innefu is an Information Security R&D startup, providing cutting edge Information Security & Data Analytics solutions.

Identity Digital

Identity Digital

Identity Digital simplifies and connects a fragmented online world with domain names and related technologies that allow people and businesses to build, market and own their digital identities.

Yondu

Yondu

Yondu empowers businesses across various industries through a wide array of innovative technology solutions to help them scale in the new digital economy.

Zynap

Zynap

Zynap is an Advanced AI-powered SaaS platform replicating cybercriminal tactics to predict, detect, and neutralize threats before they strike.