Medusa Ransomware Strikes Big: Over 400 Critical Infrastructure Orgs Hit


The Medusa ransomware is a highly sophisticated ransomware-as-a-service (RaaS) variant that first emerged in June 2021. It has since evolved into a major cyber threat, targeting critical infrastructure sectors worldwide. Operating under a double extortion model, Medusa actors not only encrypt victims’ data but also threaten to publicly release stolen information unless a ransom is paid.

The FBI, CISA, and MS-ISAC have identified Medusa as a significant cybersecurity threat, urging organizations to implement proactive defense measures.

Severity Level: High

Threat Details

1. Initial Access:

  • Phishing Attacks: Malicious emails trick users into downloading malware or providing credentials.
  • Exploiting Vulnerabilities: Uses CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet EMS SQL Injection) to gain entry.

2. Discovery & Reconnaissance:

  • Uses Advanced IP Scanner and SoftPerfect Network Scanner to map internal systems.
  • Identifies accessible shared drives and databases. Collects OS and system configurations.

3. Privilege Escalation & Lateral Movement:

  • Uses Mimikatz to extract credentials from LSASS.
  • Exploits weak RDP configurations to access internal systems.
  • Executes PsExec to deploy ransomware payloads with SYSTEM-level privileges.
  • Maintains persistence by adding hidden admin accounts.

4. Exfiltration & Data Theft:

  • Uses Rclone to transfer data to attacker-controlled cloud storage.
  • Uses encrypted HTTPS traffic to send data to Medusa-controlled servers.

5. Encryption & Ransom Note Deployment:

  • Deploys the gaze.exe encryptor, which uses AES-256 encryption and appends the .medusa file extension to encrypted files.
  • Drops Ransom Note (!!!READ_ME_MEDUSA!!!.txt) that instructs victims to pay via Tor-based chat or Tox messaging.

6. Extortion & Payment Negotiation:

  • Victims are given 48 hours to respond to ransom demands.
  • Failure to comply results in public data leaks on Medusa’s .onion leak site.
  • A “triple extortion” scheme has been observed, where some victims were asked to pay twice due to fraudulent negotiations.

7. Cleanup:

  • Deletes PowerShell history and event logs.
  • Shuts down backup services to prevent recovery.
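The seven stages above map directly onto process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688). The following added example, which is not part of the advisory or of any vendor tooling, is a small Python triage script that runs a set of stage-tagged rules over constructed, simplified process-creation records (timestamp|host|user|image|command line) and reports which stages of the Medusa chain are visible per host. The record format, the sample events, and the rule patterns are assumptions for illustration; the behaviours they look for (network scanners, Mimikatz against LSASS, PsExec, account creation, Rclone, gaze.exe, log clearing, backup inhibition) are the ones the advisory lists.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): "timestamp|host|user|image|command line".
SAMPLE_EVENTS = [
    "2025-03-12T09:01:10|WS-14|corp\\jdoe|C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner.exe|Advanced_IP_Scanner.exe /r",
    "2025-03-12T09:07:42|WS-14|corp\\jdoe|C:\\Temp\\mimikatz.exe|mimikatz.exe privilege::debug sekurlsa::logonpasswords",
    "2025-03-12T09:15:03|WS-14|corp\\jdoe|C:\\Temp\\PsExec.exe|PsExec.exe \\\\FS-01 -s -d cmd /c C:\\Temp\\gaze.exe",
    "2025-03-12T09:20:55|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\net.exe|net user svc_helper P@ss /add",
    "2025-03-12T09:30:11|FS-01|NT AUTHORITY\\SYSTEM|C:\\Temp\\rclone.exe|rclone.exe copy D:\\Shares remote:exfil",
    "2025-03-12T09:45:00|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security",
    "2025-03-12T09:45:05|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2025-03-12T10:00:00|WS-02|corp\\asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n",
]

# (stage number from the advisory, label, case-insensitive regex over "image + command line").
# Patterns are illustrative assumptions, not vendor signatures.
RULES = [
    (2, "discovery: network scanning tool", r"advanced_ip_scanner|netscan\.exe"),
    (3, "credential theft: Mimikatz / LSASS", r"mimikatz|sekurlsa::"),
    (3, "lateral movement: PsExec remote execution", r"psexec"),
    (3, "persistence: local account creation", r"\bnet1? user \S+ \S+ /add"),
    (4, "exfiltration: Rclone to cloud storage", r"rclone"),
    (5, "encryption: gaze.exe encryptor", r"gaze\.exe"),
    (7, "cleanup: event log clearing", r"\bwevtutil(\.exe)?\s+cl\b|clear-eventlog"),
    (7, "cleanup: PowerShell history removal", r"consolehost_history"),
    (7, "cleanup: backup / shadow copy inhibition",
     r"vssadmin(\.exe)?\s+delete\s+shadows|\bnet stop .*backup|\bsc(\.exe)? stop .*backup"),
]
COMPILED = [(stage, label, re.compile(pat, re.IGNORECASE)) for stage, label, pat in RULES]


def parse_event(line):
    """Split one constructed record into its five fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def triage(lines):
    """Return one finding per (event, matching rule); an event may hit several rules."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev['image']} {ev['cmdline']}"
        for stage, label, rx in COMPILED:
            if rx.search(haystack):
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                                 "stage": stage, "label": label, "cmdline": ev["cmdline"]})
    return findings


def stages_per_host(findings):
    """Map host -> sorted list of advisory stages observed on it."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["stage"])
    return {host: sorted(stages) for host, stages in seen.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']:6} stage {f['stage']} {f['label']}: {f['cmdline']}")
    for host, stages in stages_per_host(hits).items():
        print(f"{host}: stages {stages}")
```

A host showing stage 7 activity (log clearing, shadow-copy deletion) within minutes of stage 3 or 4 activity is the pattern worth paging on; a single discovery-tool hit on its own is far more often an administrator.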

Recommendations

  1. Enforce phishing-resistant MFA for all remote access, email, VPN, and admin accounts.
  2. Patch known vulnerabilities, particularly CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet EMS SQL Injection).
  3. Close RDP (3389), SMB (445), and Telnet (23) if not required.
  4. Restrict administrative interfaces to internal networks or VPN-only access.
  5. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
  6. Disable command-line and scripting activities and permissions.
  7. Use Windows AppLocker or EDR solutions to block unauthorized executables.
  8. Block the IOCs at their respective controls.
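Recommendations 3 and 4 (close RDP, SMB and Telnet where not needed; keep administrative interfaces off the public side) can be checked quickly from `netstat -an` output. The added example below, which is not part of the advisory, parses a constructed sample of that output in Python, flags listeners on 3389, 445 and 23 that are bound to all interfaces rather than loopback, and flags established sessions on those ports whose peer is outside RFC 1918 space. The sample output, the severity labels and the "internal" network list are assumptions for illustration.

```python
import ipaddress
import re

# Ports the advisory recommends closing when not required.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet"}

# Assumed definition of "internal": RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
ALL_INTERFACES = {"0.0.0.0", "[::]"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the shape of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    10.0.5.14:3389         203.0.113.77:51234     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""

ROW_RX = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_addr(endpoint):
    """'[::]:445' -> ('[::]', 445); '10.0.5.14:3389' -> ('10.0.5.14', 3389); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_internal(host):
    """True for RFC 1918 / loopback peers; False for anything routable or unparsable."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RX.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def audit(text):
    """Return findings for risky-port listeners and external sessions on risky ports."""
    findings = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["lport"] not in RISKY_PORTS:
            continue
        svc = RISKY_PORTS[r["lport"]]
        if r["state"] == "LISTENING":
            if r["lhost"] in ALL_INTERFACES:
                findings.append({"port": r["lport"], "service": svc, "severity": "high",
                                 "issue": f"{svc} listening on all interfaces ({r['lhost']})"})
            elif r["lhost"] in LOOPBACK:
                findings.append({"port": r["lport"], "service": svc, "severity": "low",
                                 "issue": f"{svc} listening on loopback only"})
        elif r["state"] == "ESTABLISHED" and not is_internal(r["fhost"]):
            findings.append({"port": r["lport"], "service": svc, "severity": "high",
                             "issue": f"{svc} session from external peer {r['fhost']}"})
    return findings


def exposed_ports(findings):
    """Set of risky ports that are reachable on all interfaces."""
    return {f["port"] for f in findings if "all interfaces" in f["issue"]}


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"[{f['severity']}] port {f['port']} {f['issue']}")
```

The same check is worth repeating after a change window, since a listener on `0.0.0.0` or `[::]` is the condition the advisory's RDP and SMB recommendations are trying to remove; a loopback-only listener is informational.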

Source:

  • https://www.virustotal.com/gui/collection/37aa67affb64194b2c8c3a69818ec0e9be87e2430ac5ddc36d7e25299c759d33/
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
