Wednesday, January 22, 2025

Medusa Ransomware: What You Need To Know


What is the Medusa ransomware?

Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware affects organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts obtained through initial access brokers.

Initial access brokers?

Initial access brokers (IABs) specialise in gaining unauthorised access to the networks of organisations, and then sell that access to other cybercriminals, such as ransomware gangs like Medusa.

So the ransomware attackers may not be the ones who initially hacked you?

Correct. IABs may be skilled at breaking into a network, but are not necessarily interested in stealing your data and/or negotiating a ransom. IABs enable ransomware gangs to attack multiple targets simultaneously, helping them to reduce the overall time it takes to deploy ransomware, increase the chances of success, and maximise their profits.

And the attacks aren't noticed?

Like other malicious hackers, the Medusa attackers do their best to avoid detection. In the case of Medusa ransomware attacks, they appear to make use of the "living off the land" technique, where attackers use legitimate tools and resources already present on a victim's network to carry out malicious activities. Instead of relying on external malware, this technique mimics legitimate activity and helps the attackers to evade detection.

So Medusa provides a platform for others to carry out ransomware attacks?

Yes, its affiliates use the Medusa platform to launch the attacks, and when a ransom is received, it is shared between the different parties.

And I assume what the ransomware does is the standard fare?

Copies of sensitive files are exfiltrated by the attackers, and the versions left on the victim's systems are encrypted. The extension .MEDUSA is appended to the end of the names of encrypted files.

The ransomware also makes efforts to make recovery harder after an attack, wiping a form of Microsoft Windows data backup known as volume shadow copies, and deleting files created by backup programs such as Windows Backup.

In addition, virtual hard disks (VHDs) used by virtual machines are deleted. A ransom note is left, demanding payment for decryption of the encrypted files, with the threat that the stolen files will be published if a ransom isn't paid by a deadline.
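The "living off the land" behaviour and the recovery-wiping steps described above give defenders two concrete things to look for: built-in Windows backup tools being used to delete shadow copies or backup catalogues, and files gaining the .MEDUSA extension. The following is an added example (not code from the original article or from any vendor), run over constructed sample events; the event format, host names and paths are assumptions for illustration.

```python
import re

# Constructed sample events (not from any real incident): a simplified
# process-creation feed plus file-write events from two hosts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "fs01", "cmd": "wmic.exe shadowcopy delete"},
    {"type": "process", "host": "fs01", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"type": "process", "host": "ws07", "cmd": "vssadmin.exe list shadows"},
    {"type": "file", "host": "fs01", "path": r"D:\shares\finance\q3.xlsx.MEDUSA"},
    {"type": "file", "host": "ws07", "path": r"C:\Users\a\notes.txt"},
]

# Legitimate Windows tools that manage backups but are abused to destroy
# recovery points. Read-only uses (e.g. "vssadmin list shadows") do not match.
RECOVERY_WIPE_PATTERNS = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|backup)", re.I)),
]
MEDUSA_EXT = re.compile(r"\.MEDUSA$", re.I)


def classify(event):
    """Return a detection label for one event, or None if it looks benign."""
    if event["type"] == "process":
        for label, pattern in RECOVERY_WIPE_PATTERNS:
            if pattern.search(event["cmd"]):
                return label
    elif event["type"] == "file" and MEDUSA_EXT.search(event["path"]):
        return "medusa_extension"
    return None


def triage(events):
    """Group hits per host. A host showing both recovery wiping and .MEDUSA
    files is rated 'critical' (encryption likely under way); either alone
    is 'suspicious' and worth an analyst's attention."""
    per_host = {}
    for event in events:
        label = classify(event)
        if label:
            per_host.setdefault(event["host"], set()).add(label)
    verdicts = {}
    for host, labels in per_host.items():
        wiping = labels & {"shadow_copy_delete", "backup_catalog_delete"}
        verdicts[host] = "critical" if wiping and "medusa_extension" in labels else "suspicious"
    return verdicts
```

In a real deployment the event feed would come from EDR or Sysmon process-creation and file-create telemetry, and the "critical" verdict should trigger host isolation rather than just an alert.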

Where are the stolen files published?

Medusa, like many other ransomware gangs, operates a leak site on the dark web. The so-called "Medusa blog" publicises a list of hacked organisations, alongside a countdown informing the victims of their payment deadline.

In addition to the dark web leak site, accessible via Tor, Medusa also publicises hacks and publishes stolen data on its public Telegram channel, making it more accessible than many other ransomware groups.

What kinds of organisation does Medusa target?

Medusa targets a wide variety of industry sectors, but judging by those it has listed on its leak site, the sectors most affected include high tech, manufacturing, and education. The largest proportion of Medusa's targets appear to be located in the United States, followed by the UK, Canada, Australia, France, and Italy. It is notable that organisations based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan do not appear in the list of victims.

Presumably the lack of attacks on CIS countries is quite intentional?

It is hard to argue otherwise. That is small comfort, of course, for those organisations based in countries that Medusa has no qualms about attacking.

What organisations have been hit by Medusa?

Past victims have included the Minneapolis Public Schools (MPS) district, which did not pay a million-dollar ransom and saw roughly 92 GB of its stolen data released to the public. The gang has also bragged about stealing the source code of the Microsoft products Bing Maps and Cortana in the past. Other Medusa ransomware victims have included cancer centres and British high schools.

And these ransomware victims have had their data leaked by Medusa?

Yes, and not just on the group's site on the dark web. Medusa has its own "media team" that publicises its leaks, posting on its public Telegram channel, and even going so far as to publish videos showing proof of stolen data.

So how can my company protect itself from Medusa?

The best advice is to follow the same recommendations on how to protect your organisation from other ransomware. These include:

  • making secure offsite backups.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • encrypting sensitive data wherever possible.
  • reducing the attack surface by disabling functionality that your company doesn't need.
  • educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.


