Medusa Ransomware Group: Delivering Sophisticated Attacks

Medusa is a notorious ransomware group that emerged in 2023. Unlike most ransomware operators, Medusa has established is the visible  web, alongside their traditional Dark Web activities. It has been criminally exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks.

Medusa, known for targeting a wide range of sectors, including healthcare, manufacturing, and education, has been quick to exploit the vulnerability.

By sending malicious web requests containing SQL statements, the group manipulates the FCTUID parameter in request headers, enabling them to execute arbitrary commands via the xp_cmdshell function in Microsoft SQL Server.  

Once initial access is gained, Medusa creates a webshell on the compromised server to facilitate data exfiltration and payload delivery.  

The group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems.
Medusa’s attack chain showcases the group’s advanced capabilities, particularly in the areas of execution and defense evasion. After gaining a foothold, Medusa leverages PowerShell scripts to run commands, exfiltrate data, and execute its ransomware payload. 

The group’s malware, known as gaze.exe, kills various services and loads files referencing Tor links for data exfiltration.

To evade detection, Medusa installs compromised versions of legitimate tools  like ConnectWise and AnyDesk. These tampered RMM tools often go unnoticed due to their trusted status within the victim’s environment.
Organisations can adopt a multi-layered approach to defend against Medusa’s ransomware attacks. Implementing robust patch management practices is crucial to promptly address vulnerabilities like the Fortinet flaw.

Network segmentation, regular backups, and employee security awareness training are all essential components of a comprehensive defence strategy. As ransomware becomes increasingly sophisticated, it remains vital that organisations remain an vigilant and have recovery plans in place. 

Bitedender   |     CyberCX   |     Cyberpress   |     Cybersecurity News   |    TTB Internet Security    |   SRM Inform 

Image: Unsplash

You Might Also Read: 

Threat Intelligence: Most Prevalent Malware Rankings:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Improving Threat Intelligence Sharing
Google’s EU Antitrust Case Dropped »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Cyren

Cyren

Cyren is a cloud-based, Internet security technology company providing threat detection and security analytics.

SharkGate

SharkGate

SharGate provide a cloud-based website security solution to protect websites from being hacked.

Threat Intelligence

Threat Intelligence

Threat Intelligence is a specialist security company providing penetration testing, threat intelligence, incident response and training services.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

TCN

TCN

TCN is an advanced System Integrator and Infrastructure Company in Albania.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

eSec Forte Technologies

eSec Forte Technologies

eSec Forte Technologies is a CMMi Level 3 certified Global Consulting and IT Security Services company.

IDX

IDX

IDX is the leading consumer privacy platform built for agility in the digital age.

CRI Group

CRI Group

CRI Group excels at deterring, detecting and investigating crimes against businesses using a global network of professionals specially trained in Anti-Corruption, Risk Management and Compliance.

ACSG Corp

ACSG Corp

ACSG Corp is a Critical Infrastructure Protection Company with a multi-disciplinary focus on building analytics software for various industry sectors.

Seigur

Seigur

Seigur is an IT consultancy business providing flexible legal and cyber security services for IT and data privacy programmes.

CCX Technologies

CCX Technologies

CCX Technologies design and develop a wide range of cybersecurity and testing solutions for the aviation, and military and government markets.

Opkalla

Opkalla

We started Opkalla because we believe IT professionals deserve better. We help our clients navigate the confusion in the marketplace and choose the solution that is right for your business.