A highly sophisticated ransomware variant named Medusa has compromised over 300 organizations worldwide from critical infrastructure sectors. The attacks have targeted a wide array of industries, including the medical, education, legal, insurance, technology, and manufacturing sectors, demonstrating the threat actors' broad operational focus and capabilities.

The Medusa ransomware variant, first identified in June 2021, operates under a ransomware-as-a-service (RaaS) model in which developers recruit affiliates through cybercriminal forums, offering potential payments between $100 USD and $1 million USD for successful breaches. The investigation revealed that threat actors typically leverage initial access brokers (IABs) to gain entry into targeted networks through phishing campaigns and exploitation of unpatched vulnerabilities.

Once inside a network, Medusa actors use living-off-the-land techniques and legitimate system tools to avoid detection while conducting reconnaissance. Analysts at CISA identified that the actors employ sophisticated tactics to maintain persistence within victim networks, including the creation of domain accounts to preserve access to compromised systems. For lateral movement, they deploy a variety of legitimate remote access software, including AnyDesk, ConnectWise, and Splashtop, alongside malicious use of PsExec to execute commands across compromised networks. In one example documented in the advisory, the actors run base64-encoded commands with the execution policy bypassed, using the command prefix "powershell -exec bypass -enc".

The ransomware component, identified as "gaze.exe", terminates all services related to backups, security, databases, and communication before deleting shadow copies and encrypting files with AES-256. Encrypted files receive a distinctive ".medusa" file extension, and ransom notes direct victims to make contact via a Tor browser-based live chat or the encrypted Tox messaging platform.

In a particularly concerning development, FBI investigations uncovered instances in which victims who paid the initial ransom were subsequently contacted by different Medusa actors claiming the first negotiator had stolen the payment and demanding an additional half of the original sum to provide the "true decryptor", potentially indicating a triple extortion scheme.

The federal advisory includes specific mitigations for organizations, emphasizing network segmentation, implementation of multi-factor authentication, regular patching of vulnerabilities, and maintenance of offline backups to minimize the impact of potential Medusa ransomware attacks.
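As an added illustration that is not part of the article or the advisory, the following Python script triages Windows process-creation records for the tradecraft named above: PowerShell run with the execution policy bypassed and a base64-encoded command (which it decodes), PsExec, and the AnyDesk, ConnectWise and Splashtop remote-access tools. The substring markers, payload keywords and sample records are constructed assumptions, not indicators from the advisory.

```python
import base64
import re

# Tool names the advisory ties to Medusa lateral movement / remote access;
# matched as lowercase substrings of process + command line (an assumption).
TOOL_MARKERS = ("anydesk", "connectwise", "splashtop", "psexec")
# Decoded-payload keywords echoing the behaviours described (stopping services,
# touching shadow copies, creating accounts); also an assumption.
PAYLOAD_MARKERS = ("stop-service", "shadow", "new-aduser", "net user")
# -EncodedCommand and its aliases take base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", re.I)
BYPASS_RE = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)


def decode_encoded_command(cmdline):
    """Plaintext behind a PowerShell -enc argument, or None if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(process, cmdline):
    """Findings for one process-creation record; [] when nothing matched."""
    haystack = f"{process} {cmdline}".lower()
    findings = [f"remote-access/lateral-movement tool: {t}" for t in TOOL_MARKERS if t in haystack]
    if "powershell" in haystack and BYPASS_RE.search(cmdline):
        findings.append("powershell execution-policy bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded powershell command")
        findings += [f"decoded payload references '{k}'" for k in PAYLOAD_MARKERS if k in decoded.lower()]
    return findings


def encode_for_powershell(script):
    """Build a -enc argument the way PowerShell expects it; used only for the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (process name, command line), not from the advisory.
SAMPLE_EVENTS = [
    ("powershell.exe", "powershell -exec bypass -enc "
     + encode_for_powershell("Stop-Service -Name ExampleBackupSvc -Force")),
    ("PsExec.exe", r"PsExec.exe \\HOST01 -s cmd.exe"),
    ("AnyDesk.exe", "AnyDesk.exe"),
    ("powershell.exe", "powershell -Command Get-Date"),  # benign: should produce no findings
]


def triage_all(events=SAMPLE_EVENTS):
    """Map each record's command line to its findings, skipping records with none."""
    return {cmd: hits for proc, cmd in events if (hits := triage_event(proc, cmd))}
```

Feeding real Sysmon event 1 or Security 4688 records into triage_all would surface the same three categories; the benign fourth sample shows that plain PowerShell use is not flagged on its own.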
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Mar 2025 07:10:09 +0000