What’s the Medusa ransomware?
Medusa is a ransomware-as-a-service (RaaS) platform that first got here to prominence in 2023. The ransomware impacts organisations working Home windows, predominantly exploiting susceptible and unpatched programs and hijacking accounts by preliminary entry brokers.
Preliminary entry brokers?
Preliminary entry brokers (IABs) specialize in gaining unauthorised entry to the networks of organisations, after which promote that entry to different cybercriminals – akin to ransomware gangs like Medusa.
So the ransomware attackers will not be those who initially hacked you?
Appropriate. IABs could also be expert at breaking right into a community, however not essentially be desirous about stealing your information and/or negotiating a ransom. IABs allow ransomware gangs to assault a number of targets concurrently, serving to them to cut back the general time it takes to deploy ransomware, enhance the possibilities of success, and maximise their earnings.
And the assaults aren’t noticed?
Like some other malicious hackers, the Medusa attackers do their finest to keep away from detection. Within the case of Medusa ransomware assaults, they seem to benefit from the “residing off the land” method, the place attackers use authentic instruments and sources already current on a sufferer’s community to hold out malicious actions. As a substitute of counting on exterior malware, this method mimics authentic exercise and helps the attackers to evade detection.
So Medusa supplies a platform for others to hold out ransomware assaults?
Sure, their associates use the Medusa platform to launch the assaults, and when a ransom is acquired, it’s shared between the completely different events.
And I suppose what the ransomware does is the usual fare?
Copies of delicate recordsdata are exfiltrated by the attackers, and the variations left on the sufferer’s programs are encrypted. The extension .MEDUSA is appended to the tip of the names of encrypted recordsdata.
The ransomware additionally makes efforts to make restoration harder after an assault, wiping a type of Microsoft Home windows information backups known as quantity shadow copies, and deleting recordsdata with backup applications akin to Home windows Backup.
As well as, digital disk onerous drives (VHDs) utilized by digital machines are deleted. A ransom notice is left, demanding fee for a decryption of the encrypted recordsdata – with the menace that the stolen recordsdata might be revealed if a ransom is just not paid by a deadline.
The place are the stolen recordsdata revealed?
Medusa, like many different ransomware gangs, operates a leak web site on the darkish net. The so-called “Medusa weblog” publicises a listing of hacked organisations, alongside a countdown informing the victims of their fee deadline.
Along with the darkish net leak web site, accessible through Tor, Medusa additionally publicises hacks and publishes stolen information on its public Telegram channel. Making it extra accessible than many different ransomware teams.
What kinds of organisation does Medusa goal?
Medusa targets all kinds of business sectors, however judging by these it has listed on its leak web site these sectors most affected embrace excessive tech, manufacturing, and training. The biggest proportion of Medusa’s targets look like positioned in the US, adopted by the UK, Canada, Australia, France, and Italy. It is noticeable that organisations primarily based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan don’t seem within the record of victims.
Presumably the dearth of assaults on CIS nations is kind of intentional?
It is onerous to argue in any other case. That is small comfort, after all, for these organisations primarily based in nations that Medusa has no qualms about attacking.
What organisations have been hit by Medusa?
Previous victims have included Minneapolis Public Faculties (MPS) district, which did not pay a million-dollar ransom and noticed roughly 92 GB of its stolen information launched to the general public. It has additionally bragged about stealing the supply code of the Microsoft merchandise Bing Maps and Cortona prior to now. Different Medusa ransomware victims have included most cancers centres, and British excessive faculties.
And these ransomware victims have had their information leaked by Medusa?
Sure, and never simply on the group’s web site on the darkish net. Medusa has its personal “media staff” that publicises its leaks, posting on its public Telegram channel, and even going as far as to publish movies displaying proof of stolen information.
So how can my firm shield itself from Medusa?
The finest recommendation is to comply with the identical suggestions on the best way to shield your organisation from different ransomware. These embrace:
- making safe offsite backups.
- working up-to-date safety options and guaranteeing that your computer systems are protected with the most recent safety patches towards vulnerabilities.
- utilizing hard-to-crack distinctive passwords to guard delicate information and accounts, in addition to enabling multi-factor authentication.
- encrypting delicate information wherever attainable.
- lowering the assault floor by disabling performance that your organization doesn’t want.
- educating and informing workers in regards to the dangers and strategies utilized by cybercriminals to launch assaults and steal information.
Editor’s Observe: The opinions expressed on this and different visitor writer articles are solely these of the contributor and don’t essentially mirror these of Tripwire.
