#StopRansomware: Medusa Ransomware

This advisory details the tactics, techniques, and procedures (TTPs) associated with the Medusa ransomware variant. Medusa, operating as a ransomware-as-a-service (RaaS), has affected over 300 victims across various critical infrastructure sectors since its inception in June 2021. The advisory provides insights into the initial access methods, lateral movement tactics, and double extortion model employed by Medusa actors. Organizations are encouraged to implement the recommended mitigations to bolster their security against such threats.

Affected sectors: medical, education, legal, insurance, technology, manufacturing

Key points:

  • Medusa ransomware has affected over 300 victims since June 2021.
  • It operates under a ransomware-as-a-service model.
  • Medusa actors use initial access brokers for system infiltration.
  • The ransomware employs a double extortion approach.
  • FBI and CISA provide guidelines to mitigate risks associated with Medusa ransomware.
  • The advisory highlights the specific industries impacted by this ransomware variant.

MITRE Techniques:

  • Initial Access [TA0001]: Medusa actors recruit initial access brokers in cybercriminal forums.
  • Credential Access [TA0006]: Harvesting credentials using Mimikatz.
  • Lateral Movement [TA0008]: Utilizing remote access software and PsExec to move laterally.
  • Exfiltration [TA0010]: Using Rclone for data exfiltration to Medusa C2 servers.
  • Data Encrypted for Impact [T1486]: Encrypting data and preventing access to critical resources.

Indicators of Compromise:

Full Story: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a