Medusa Ransomware: Confronting Cyber Threats with Darktrace

Medusa ransomware operates as a ransomware-as-a-service (RaaS) variant that uses living off the land techniques to infiltrate networks, encrypt data, and exfiltrate information. The article highlights Darktrace’s observations of Medusa campaigns, including abuse of legitimate tools like ConnectWise and PDQ Deploy, extensive internal reconnaissance, lateral movement, and extortion via a Telegram channel. #MedusaRansomware #PDQDeploy

Key points

  • Medusa is a RaaS platform used by affiliates to conduct ransomware campaigns across industries, with a focus on the US.
  • Initial access is gained through phishing/spear phishing attachments and, at times, initial access brokers and valid local/domain accounts.
  • Affiliates frequently leverage living off the land (LotL) techniques, including legitimate services like ConnectWise and PDQ Deploy, to evade detection.
  • Medusa maintains a public Telegram channel used to post stolen data for extortion purposes.
  • Darktrace observed a March 2024 campaign involving ~80 devices making HTTP connections to unusual endpoints (wizarr.manate[.]ch, go-sw6-02.adventos[.]de) with PowerShell/JWrapperDownloader user agents.
  • Internal reconnaissance and lateral movement included internal device connections, Nmap usage (Trinity.txt.bak), WMI queries (ExecQuery/ExecMethod), SMB lateral movement, and encryption with .s3db/.MEDUSA extensions, followed by a ransom note.
  • Exfiltration likely leveraged SSL to services like pdq.tools, TeamViewer, and AnyDesk; autonomous response could have blocked behavior, but was not enabled.
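
As an added example (not code from the Darktrace post or this summary), the script below turns the indicators listed on this page into a simple detection over proxy-style HTTP logs: it refangs the published hostnames and IPs, flags connections to them or connections carrying the PowerShell/JWrapperDownloader user agents, and groups hits by internal source so that fan-out across many devices, as in the ~80-device campaign, is visible. The log format, the internal source IPs and the benign hostname in the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators from the summary's IoC list, defanged as published there.
DEFANGED_IOCS = {"wizarr.manate[.]ch", "go-sw6-02.adventos[.]de",
                 "207.188.6[.]17", "172.64.154[.]227"}
# User agents called out in the March 2024 campaign key point.
SUSPICIOUS_UA = ("PowerShell", "JWrapperDownloader")

def refang(ioc: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into matchable 'a.b'."""
    return ioc.replace("[.]", ".")

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed proxy-log format (an assumption): <src_ip> <dst_host> "<user_agent>"
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"$')

def classify(line: str):
    """Return (src, reasons) when a line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, dst, ua = m.groups()
    reasons = []
    if dst in IOCS:
        reasons.append(f"connection to known C2 endpoint {dst}")
    if ua.startswith(SUSPICIOUS_UA):
        reasons.append(f"scripted user agent {ua}")
    return (src, reasons) if reasons else None

def scan(lines):
    """Group reasons by internal source so fan-out across devices is visible."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].extend(result[1])
    return dict(hits)

# Constructed sample log lines; the internal IPs and benign host are made up.
SAMPLE = [
    '10.0.1.5 wizarr.manate.ch "PowerShell/7.4"',
    '10.0.1.6 go-sw6-02.adventos.de "JWrapperDownloader"',
    '10.0.1.7 updates.example.net "Mozilla/5.0"',
    '10.0.1.5 207.188.6.17 "Mozilla/5.0"',
]
```

Calling scan(SAMPLE) flags 10.0.1.5 with three reasons and 10.0.1.6 with two, and ignores the benign line; in practice the defanged set would be loaded from the IoC list rather than hard-coded.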

MITRE Techniques

  • [T1566.001] Phishing – Spearphish Attachments – The ransomware is typically delivered via phishing and spear phishing campaigns containing malicious attachments. ‘The ransomware is typically delivered via phishing and spear phishing campaigns containing malicious attachments’
  • [T1078] Valid Accounts – Attackers target valid local and domain accounts that are used for system administration. ‘targeting valid local and domain accounts that are used for system administration’
  • [T1210] Exploitation of Remote Services – Lateral Movement leveraging remote services and trusted tools (e.g., PDQ Deploy/ConnectWise) to move through the network. ‘Lateral Movement – Exploitation of Remote Service – T1210’
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement via SMB with ADMIN$ and IPC$ shares. ‘targeting the ADMIN$ and IPC$ shares’
  • [T1080] Taint Shared Content – Lateral movement via sharing and manipulation of content as part of propagation. ‘Lateral Movement – Taint Shared Content – T1080’
  • [T1059.001] PowerShell – Execution through PowerShell, observed during activity. ‘PowerShell and JWrapperDownloader user agents’
  • [T1059.002] Service Execution – Execution of services during the attack chain. ‘Service Execution’
  • [T1059.005] Windows Management Instrumentation – WMI queries/execution used to gather system information (ExecQuery/ExecMethod for IWbemServices). ‘ExecQuery and ExecMethod requests for IWbemServices’
  • [T1486] Data Encrypted for Impact – Data encryption as the attack culminates. ‘encrypt files with the extension “.s3db”’ and later ‘extension “.MEDUSA”’
  • [T1083] File and Directory Discovery – Discovery activity used to locate data and hosts. ‘Discovery – File and Directory Discovery’
  • [T1595.001] Reconnaissance – Scanning IP – Network scan activity detected during internal reconnaissance. ‘Reconnaissance – Scanning IP’
  • [T1595.002] Reconnaissance – Vulnerability Scanning – Discovery of vulnerabilities via scanning tools. ‘Vulnerability Scanning’

Indicators of Compromise

  • [IP Address] 207.188.6[.]17 – C2 Endpoint
  • [IP Address] 172.64.154[.]227 – C2 Endpoint
  • [Hostname] wizarr.manate[.]ch – C2 Endpoint
  • [Hostname] go-sw6-02.adventos[.]de – C2 Endpoint
  • [File Extension] .MEDUSA – Extension to encrypted files
  • [File Extension] .s3db – Created file extension
  • [File] SQLite3-64.dll – Used tool
  • [File] !!!Read_me_Medusa!!!.txt – Ransom note
  • [Credential] svc-ndscans – Possible compromised credential
  • [Credential] Svc-NinjaRMM – Possible compromised credential

Read more: https://darktrace.com/blog/medusa-ransomware-looking-cyber-threats-in-the-eye-with-darktrace