Medusa Ransomware Continues Attacks on US School Districts | SonicWall

SonicWall Capture Labs analyzed the Medusa ransomware campaign that has targeted multiple U.S. school districts and other sectors by exploiting unpatched vulnerabilities. The analyzed sample encrypts files (appending .MEDUSA), drops a READ_ME_MEDUSA!!!.txt ransom note, runs an embedded PowerShell payload, attempts to kill many applications and stop dozens of services, and deletes shadow copies.

Key points

  • Medusa operates as a Ransomware-as-a-Service (RaaS) that emerged in late 2022 and spreads primarily via unpatched vulnerabilities.
  • Recent targets include U.S. school districts (Glendale Unified, Hinsdale, Campbell County) and other sectors such as technology, healthcare, and retail.
  • The sample encrypts files at runtime, appending a .MEDUSA extension and dropping a READ_ME_MEDUSA!!!.txt ransom note.
  • Analysis revealed an embedded PowerShell script executing malicious operations in real time.
  • The malware attempts to kill 44 applications and stop 184 services, including antivirus, database, backup, and email services.
  • Medusa disables system recovery by deleting shadow copies (via vssadmin) and advertises Tor/protonmail-based contact/leak infrastructure.
  • SonicWall detects the threat (GAV: Medusa.RSM_4) and protects via Capture ATP w/RTDMI and Capture Client endpoint solutions.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Medusa spreads through unpatched vulnerabilities to gain access. (‘predominantly propagates this malware through unpatched vulnerabilities’)
  • [T1059.001] PowerShell – The sample executes an internal PowerShell script to perform its malicious actions. (‘view its internal PowerShell script running in real-time as it performed various malicious operations’)
  • [T1486] Data Encrypted for Impact – The malware encrypts host files and appends a .MEDUSA extension to encrypted files. (‘files are immediately encrypted at runtime. They are marked with a .MEDUSA file extension’)
  • [T1490] Inhibit System Recovery – The ransomware deletes shadow copies using vssadmin to prevent recovery. (‘It also stops shadow copies, using the vssadmin application:’)
  • [T1562.001] Disable or Modify Tools (Impair Defenses) – It attempts to stop numerous services and kill applications, including security and backup services. (‘There are 184 services that it tries to stop. These include various antivirus services, databases, backup services, email servers etc.’)
  • [T1041] Exfiltration Over C2 (Data Exfiltration) – The actors reportedly exfiltrated data and demanded deletion as part of the ransom demand. (‘demanded $1M in Bitcoin for file retrieval and deletion of exfiltrated student data.’)

Indicators of Compromise

  • [File extension] Encrypted file marker – .MEDUSA
  • [Filename] Ransom note dropped in directories – READ_ME_MEDUSA!!!.txt
  • [Email/contact] Negotiation/contact channel shown in note – Proton Mail contact (reported inactive)
  • [Network/hosting] Dark web leak site – Tor link referenced for leaked data / negotiation
  • [Detection signature] AV/IPS signature – GAV: Medusa.RSM_4 (Trojan)

The Medusa sample analyzed shows an intrusion-to-impact flow: initial access commonly via exploitation of unpatched public-facing applications, followed by execution of an embedded PowerShell payload that orchestrates the attack. At execution the malware scans and forcibly terminates numerous user applications (44 identified) and stops many system services (184 identified), prioritizing the shutdown of security, database, backup, and email services to remove protection and lock out recovery workflows.

During the impact phase the ransomware immediately encrypts files and appends a .MEDUSA extension while dropping a README-style ransom note (READ_ME_MEDUSA!!!.txt) in affected directories. It runs vssadmin commands to delete shadow copies, preventing local rollback, and the actors publicize exfiltrated data on a Tor-hosted site while offering negotiation via an included Proton Mail contact (which was later observed inactive). Analysts observed the PowerShell operations in real time within a reverse-engineering environment, allowing enumeration of the process/service termination and recovery-inhibition steps.

SonicWall protections identify this family as GAV: Medusa.RSM_4 and block it via Capture ATP w/RTDMI and Capture Client endpoint defenses; defenders should prioritize patching public-facing systems, monitor for the .MEDUSA extension and READ_ME_MEDUSA!!!.txt artifacts, watch for unusual vssadmin activity, and detect PowerShell executions that spawn mass process/service termination sequences.
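Detection logic for the three behaviours called out above (vssadmin shadow deletion, a PowerShell parent spawning mass service-stop/process-kill children, and the .MEDUSA / READ_ME_MEDUSA!!!.txt artifacts), written as an added example that is not part of the SonicWall write-up. The event records, their field names, the PIDs and the threshold of five terminator children are constructed assumptions, not values from the analysis.

```python
import re
from collections import Counter

# Constructed sample telemetry shaped like Sysmon process-create and file-create records;
# it is example input for this block, not data from the SonicWall analysis.
EVENTS = [
    {"type": "proc", "pid": 3990, "ppid": 3988, "image": "net.exe", "cmd": "net view"},  # benign
    {"type": "proc", "pid": 4120, "ppid": 3988, "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -File payload.ps1"},
    {"type": "proc", "pid": 4130, "ppid": 4120, "image": "net.exe", "cmd": "net stop MSSQLSERVER /y"},
    {"type": "proc", "pid": 4131, "ppid": 4120, "image": "net.exe", "cmd": "net stop SQLWriter /y"},
    {"type": "proc", "pid": 4132, "ppid": 4120, "image": "net.exe", "cmd": "net stop wbengine /y"},
    {"type": "proc", "pid": 4133, "ppid": 4120, "image": "sc.exe", "cmd": "sc stop MSExchangeIS"},
    {"type": "proc", "pid": 4134, "ppid": 4120, "image": "taskkill.exe", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"type": "proc", "pid": 4135, "ppid": 4120, "image": "taskkill.exe", "cmd": "taskkill /F /IM outlook.exe"},
    {"type": "proc", "pid": 4140, "ppid": 4120, "image": "vssadmin.exe", "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\staff\Documents\grades.xlsx.MEDUSA"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\staff\Documents\READ_ME_MEDUSA!!!.txt"},
    {"type": "file", "pid": 3988, "path": r"C:\Users\staff\Documents\notes.txt"},  # benign
]

TERMINATORS = {"taskkill.exe", "net.exe", "sc.exe"}
TERMINATE_RE = re.compile(r"\bstop\b|/f\b|/im\b", re.I)
MASS_THRESHOLD = 5  # assumed tuning: a couple of stops is admin work, dozens is not

def detect_shadow_deletion(events):
    """T1490: vssadmin invoked to delete shadow copies."""
    return [e["cmd"] for e in events if e["type"] == "proc"
            and e["image"].lower() == "vssadmin.exe"
            and re.search(r"delete\s+shadows", e["cmd"], re.I)]

def detect_mass_termination(events, threshold=MASS_THRESHOLD):
    """T1562.001: one parent spawning many stop/kill children -> {parent_image: count}."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    counts = Counter(e["ppid"] for e in procs.values()
                     if e["image"].lower() in TERMINATORS and TERMINATE_RE.search(e["cmd"]))
    return {procs[p]["image"]: n for p, n in counts.items() if n >= threshold and p in procs}

def detect_ransom_artifacts(events):
    """T1486: the ransom note name and .MEDUSA extension reported in the analysis."""
    names = ((e["path"], e["path"].rsplit("\\", 1)[-1]) for e in events if e["type"] == "file")
    return [p for p, n in names if n == "READ_ME_MEDUSA!!!.txt" or n.lower().endswith(".medusa")]

def triage(events):
    """Aggregate the three checks into one finding set keyed by MITRE technique."""
    return {"T1490": detect_shadow_deletion(events),
            "T1562.001": detect_mass_termination(events),
            "T1486": detect_ransom_artifacts(events)}
```

Feed real process-create and file-create events in the same shape to `triage()`; a non-empty T1490 or T1562.001 finding is the early signal, since the T1486 artifacts only appear once encryption has begun.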

Read more: https://blog.sonicwall.com/en-us/2024/03/medusa-ransomware-continues-attacks-on-us-school-districts/