Medusa Ransomware Group: Delivering Sophisticated Attacks

Medusa is a notorious ransomware group that emerged in 2023. Unlike most ransomware operators, Medusa has established is the visible  web, alongside their traditional Dark Web activities. It has been criminally exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks.

Medusa, known for targeting a wide range of sectors, including healthcare, manufacturing, and education, has been quick to exploit the vulnerability.

By sending malicious web requests containing SQL statements, the group manipulates the FCTUID parameter in request headers, enabling them to execute arbitrary commands via the xp_cmdshell function in Microsoft SQL Server.  

Once initial access is gained, Medusa creates a webshell on the compromised server to facilitate data exfiltration and payload delivery.  

The group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems.
Medusa’s attack chain showcases the group’s advanced capabilities, particularly in the areas of execution and defense evasion. After gaining a foothold, Medusa leverages PowerShell scripts to run commands, exfiltrate data, and execute its ransomware payload. 

The group’s malware, known as gaze.exe, kills various services and loads files referencing Tor links for data exfiltration.

To evade detection, Medusa installs compromised versions of legitimate tools  like ConnectWise and AnyDesk. These tampered RMM tools often go unnoticed due to their trusted status within the victim’s environment.
Organisations can adopt a multi-layered approach to defend against Medusa’s ransomware attacks. Implementing robust patch management practices is crucial to promptly address vulnerabilities like the Fortinet flaw.

Network segmentation, regular backups, and employee security awareness training are all essential components of a comprehensive defence strategy. As ransomware becomes increasingly sophisticated, it remains vital that organisations remain an vigilant and have recovery plans in place. 

Bitedender   |     CyberCX   |     Cyberpress   |     Cybersecurity News   |    TTB Internet Security    |   SRM Inform 

Image: Unsplash

You Might Also Read: 

Threat Intelligence: Most Prevalent Malware Rankings:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Improving Threat Intelligence Sharing
Google’s EU Antitrust Case Dropped »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Computer Laboratory - University of Cambridge

Computer Laboratory - University of Cambridge

Computer security has been among the Laboratory’s research interests for many years, along with related topics such as cryptology

NXP Semiconductors

NXP Semiconductors

NXP is a world leader in secure connectivity solutions for embedded applications and the Internet of Things.

Securicon

Securicon

Securicon provides expert consulting for application, system and network security.

Total Cyber-Sec

Total Cyber-Sec

Total Cyber-Sec is a company specialized in providing Professional Information Security and Cybersecurity Services.

UNIDIR Cyber Policy Portal

UNIDIR Cyber Policy Portal

The UNIDIR Cyber Policy Portal is an online reference tool that maps the cybersecurity and cybersecurity-related policy landscape.

Ergo

Ergo

Ergo is a world-class IT Partner of choice, leveraging the latest technology available in cloud, mobility, big data, analytics, and social media.

drie

drie

drie is an end-to-end cloud services company based in Bahrain, Dubai and London. We enable businesses to adopt, scale on and build for cloud.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

Financial Services Information Sharing and Analysis Center (FS-ISAC)

Financial Services Information Sharing and Analysis Center (FS-ISAC)

The Financial Services Information Sharing and Analysis Center is the only global cyber intelligence sharing community solely focused on financial services.

Nagios

Nagios

Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure.

NextGen Cyber Talent

NextGen Cyber Talent

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry.

Intertec Systems

Intertec Systems

Intertec Systems is an award-winning, global IT solutions and services provider that specializes in digital transformation, cybersecurity, sustainability, and cloud services.

Kusari

Kusari

Securing your software supply chain starts with understanding. Kusari is on a mission to bring transparency to your software supply chain and power secure development.

Skillfield

Skillfield

Skillfield is a Melbourne based Cyber Security and Data Services consultancy and professional services company.

Clumio

Clumio

Clumio provides autonomous backup and recovery for critical cloud data.

RIIG Technology

RIIG Technology

Our mission is to empower organizations with high-quality, verifiable data and advanced intelligence solutions, ensuring robust security and effective risk management.