2025-07-31

Timely Action the Deciding Factor in Chaos and Medusa Ransomware Outcomes from Talos' IR Engagement

Level: Tactical | Source: Cisco Talos | Global


Cisco Talos has detailed two recent ransomware incident response engagements that show how much timely action matters in limiting the damage from an intrusion. Despite close similarities in threat actor tooling, TTPs, and victim environments, the outcomes diverged sharply: one victim experienced zero encryption while the other suffered near-total impact. Cisco Talos stated, “Talos IR assesses that victim response time was the dominant factor that caused the discrepancy in impact. All other factors were incredibly similar, such as the actor’s level of sophistication, the victims’ endpoint security and Talos IR’s response.” In both cases, adversaries abused remote monitoring and management (RMM) software and relied on dual-use tools and native system binaries to progress through the kill chain. The engagements also exposed an overlooked but consequential endpoint hygiene weakness: both victims were running PowerShell version 1.0, which lacks the logging and security features of current releases. That gap let the threat actors operate with minimal detection, which in turn degraded both response effectiveness and post-incident recovery.

In the first case, which occurred in April 2025, adversaries using Chaos ransomware gained initial access through social engineering, convincing a user to install Microsoft Quick Assist. Once inside, the attackers began internal reconnaissance with commands such as "ipconfig /all," "nltest /dclist," and "quser.exe" to map the network and identify domain controllers and active user sessions. Advanced IP Scanner was also used for host discovery. For lateral movement, the group used RDP and Impacket’s "atexec.py" to schedule remote command execution, and used OpenSSH to set up a reverse proxy tunnel. Several RMM tools (AnyDesk, OptiTune, and SplashTop) were deployed on different systems to maintain persistent access. The attackers also removed multi-factor authentication controls by uninstalling Duo, and used a renamed Rclone binary ("wininit.exe") to exfiltrate targeted files. Although they attempted to launch a shell script on an ESXi host, early detection and response neutralized the activity before any encryption occurred.

In contrast, the second engagement, involving Medusa ransomware, ended in 100% encryption because action was delayed despite earlier alerts. Cisco Talos reported that “Talos IR was not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption.” Talos added that network access was provided "over 30 hours after the engagement began, during which time the actors obtained widespread encryption. For context, according to Talos data, many ransomware variants can seize complete control of a network in just 24-48 hours after initial access." Initial access was obtained by exploiting CVE-2024-57727, an unauthenticated path traversal vulnerability in the SimpleHelp remote support application. Adversaries conducted remote desktop sessions from suspicious IPs and used Brute Ratel C4 for command-and-control communications. Process telemetry ("telemetry:api_invoke" events) recorded Windows API calls such as "GetNativeSystemInfo" and "BCryptGenerateSymmetricKey," consistent with system profiling and the generation of symmetric keys for encryption. Data exfiltration and remote execution were facilitated through JWrapper, which was used to disable User Account Control (UAC) and modify registry settings. The attackers also used PsExec, with atypical "msiexec.exe" behavior: the process ran without any corresponding MSI file. The late start hindered forensic reconstruction, since logs and volume shadow copies had already been deleted.
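The behaviours described in the two engagements above (a renamed Rclone binary, a system process name running from a user-writable path, msiexec with no installer package, writes to a remote ADMIN$ share, and a burst of discovery commands) are simple enough to triage from process-creation telemetry. The following is an added example, not code from Talos or Anvilogic; it assumes records shaped like Sysmon Event ID 1 (Host, Time, Image, OriginalFileName, CommandLine), and every record in $SampleEvents is constructed for illustration.

```powershell
# Added example, not code from Talos or Anvilogic. Heuristics for behaviours the
# two engagements share, applied to constructed process-creation records shaped
# like Sysmon Event ID 1 (Host, Time, Image, OriginalFileName, CommandLine).
# Every record in $SampleEvents is invented for illustration.

$SampleEvents = @(
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2025-04-10T09:01:00'; Image='C:\Windows\System32\ipconfig.exe'; OriginalFileName='ipconfig.exe'; CommandLine='ipconfig /all' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2025-04-10T09:01:20'; Image='C:\Windows\System32\nltest.exe';   OriginalFileName='nltest.exe';   CommandLine='nltest /dclist:corp' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2025-04-10T09:02:05'; Image='C:\Windows\System32\quser.exe';    OriginalFileName='quser.exe';    CommandLine='quser.exe' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2025-04-10T10:15:00'; Image='C:\Users\Public\wininit.exe';      OriginalFileName='rclone.exe';   CommandLine='wininit.exe copy C:\Finance remote:bucket -q' }
    [pscustomobject]@{ Host='FS02'; Time=[datetime]'2025-04-10T10:40:00'; Image='C:\Windows\System32\cmd.exe';      OriginalFileName='Cmd.Exe';      CommandLine='cmd /c copy C:\Users\Public\svc.exe \\FS03\ADMIN$\svc.exe' }
    [pscustomobject]@{ Host='FS03'; Time=[datetime]'2025-04-10T10:41:00'; Image='C:\Windows\System32\msiexec.exe';  OriginalFileName='msiexec.exe';  CommandLine='msiexec.exe /q /norestart' }
    [pscustomobject]@{ Host='FS03'; Time=[datetime]'2025-04-10T11:00:00'; Image='C:\Windows\System32\msiexec.exe';  OriginalFileName='msiexec.exe';  CommandLine='msiexec.exe /i C:\Temp\agent.msi /qn' }
)

# Last path component, lower-cased, regardless of separator.
function Get-ImageLeaf([string]$Path) { ($Path -split '[\\/]')[-1].ToLowerInvariant() }

function Invoke-RansomwareTriage {
    param([Parameter(Mandatory)][object[]]$Events)

    $alerts      = New-Object System.Collections.Generic.List[object]
    $dualUse     = @('rclone.exe', 'psexec.c')   # OriginalFileName values of tools attackers rename
    $systemNames = @('wininit.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe')
    $discovery   = @('ipconfig.exe', 'nltest.exe', 'quser.exe', 'whoami.exe', 'net.exe', 'net1.exe')

    function Add-Alert($Rec, $Rule, $Detail) {
        $alerts.Add([pscustomobject]@{ Host = $Rec.Host; Time = $Rec.Time; Rule = $Rule; Detail = $Detail })
    }

    foreach ($e in $Events) {
        $leaf = Get-ImageLeaf $e.Image
        $orig = ([string]$e.OriginalFileName).ToLowerInvariant()

        # 1. A dual-use tool running under another name (Rclone renamed to wininit.exe).
        if ($dualUse -contains $orig -and $orig -ne $leaf) {
            Add-Alert $e 'RenamedDualUseTool' "$($e.Image) has OriginalFileName $orig"
        }
        # 2. A core Windows process name launched from outside System32.
        if ($systemNames -contains $leaf -and $e.Image -notlike 'C:\Windows\System32\*') {
            Add-Alert $e 'SystemNameOutsideSystem32' $e.Image
        }
        # 3. msiexec with no .msi/.msp package on its command line (the PsExec pattern
        #    Talos noted). '/V' is the MSI server instance and is skipped.
        if ($leaf -eq 'msiexec.exe' -and $e.CommandLine -notmatch '\.ms[ip]\b' -and $e.CommandLine -notmatch '(^|\s)/V(\s|$)') {
            Add-Alert $e 'MsiexecWithoutPackage' $e.CommandLine
        }
        # 4. Anything addressed to a remote ADMIN$ share.
        if ($e.CommandLine -match '\\\\[^\\\s]+\\ADMIN\$') {
            Add-Alert $e 'AdminShareWrite' $e.CommandLine
        }
    }

    # 5. Three or more discovery commands on one host inside five minutes.
    $Events | Where-Object { $discovery -contains (Get-ImageLeaf $_.Image) } |
        Group-Object Host | ForEach-Object {
            $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
            for ($i = 0; $i + 2 -lt $times.Count; $i++) {
                if (($times[$i + 2] - $times[$i]).TotalMinutes -le 5) {
                    Add-Alert ([pscustomobject]@{ Host = $_.Name; Time = $times[$i] }) 'DiscoveryBurst' "$($times.Count) discovery commands, first at $($times[$i])"
                    break
                }
            }
        }

    return $alerts
}

Invoke-RansomwareTriage -Events $SampleEvents | Format-Table Host, Time, Rule, Detail -AutoSize
```

On the constructed data this yields five alerts: the renamed Rclone fires both the OriginalFileName rule and the out-of-System32 rule, the copy to \\FS03\ADMIN$ and the package-less msiexec each fire once, and WS01's three discovery commands within about a minute produce a DiscoveryBurst. The later "msiexec /i agent.msi" run is legitimate by this heuristic and is not flagged. In production the OriginalFileName watchlist and the System32 path check need tuning per environment (some legitimate binaries have OriginalFileName values that differ from their on-disk name).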

Both incidents showed similar adversary behaviors, including frequent use of LOLBins such as "wmic," "powershell," and "msiexec," and reliance on RMM and dual-use tools such as Impacket. In both cases the attackers abused the ADMIN$ share to copy and execute binaries across systems without deploying novel malware. The tools differed slightly (different IP scanners and RMM platforms), but those differences had minimal bearing on the outcome. The shared use of PowerShell 1.0 in both environments was a key enabler: it lacks modern controls such as Constrained Language Mode, Script Block Logging and Module Logging, and AMSI integration, which allowed the threat actors to sidestep policy enforcement and run scripts for discovery, lateral movement, and privilege escalation. Together the cases reinforce the operational necessity of early alert triage and remediation when facing modern ransomware. Cisco Talos’ comparison shows that delayed containment correlates directly with irreversible damage in enterprise environments.
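The PowerShell weakness both victims shared is straightforward to check and close. The script below is an added example, not from the Talos report; it assumes an elevated Windows PowerShell 5.1 session on the host being assessed, and the registry values it writes are the ones the corresponding Group Policy settings write. It reports the running engine, whether the legacy 2.0 engine can still be loaded, turns on Script Block Logging and Module Logging, and looks for earlier sessions that ran on the old engine.

```powershell
# Added example, not from the Talos report. Hygiene checks for the PowerShell
# weakness both victims shared. Run in an elevated Windows PowerShell 5.1 session.
# On a true 1.0 engine $PSVersionTable does not exist (it arrived in 2.0), and the
# cmdlets below need 3.0 or later, so a host that cannot run this script has
# already answered the question.

# 1. Which engine is executing right now?
if (-not $PSVersionTable) { Write-Warning 'No $PSVersionTable: this is PowerShell 1.0' }
else { "Running engine: $($PSVersionTable.PSVersion)" }

# 2. Is the legacy 2.0 engine still installed? Even on 5.1, "powershell -Version 2"
#    loads it, and the 5.x Script Block Logging and AMSI hooks are not present there.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root |
    Select-Object FeatureName, State
# Remove it once nothing depends on it:
# Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart

# 3. Turn on Script Block Logging and Module Logging. These are the registry values
#    the equivalent Group Policy settings write; local policy is enough for one host.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 4. Look for sessions that already ran on the 2.0 engine: event 400 in the
#    "Windows PowerShell" log carries an EngineVersion field. Empty output is good.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, @{ n = 'Engine'; e = { [regex]::Match($_.Message, 'EngineVersion=\S+').Value } }
```

Script Block Logging writes to the Microsoft-Windows-PowerShell/Operational log (event 4104), so step 3 is only useful if that log is being collected; step 4 is the retrospective check for downgrade attacks, which is the usual way an attacker avoids 5.x logging on a host that still carries the old engine.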
