Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog.
The Unit 42 Incident Response team has also responded to a Medusa ransomware incident, which has allowed us to uncover interesting tactics, tools and procedures used by Medusa threat actors.
Palo Alto Networks customers are better protected against ransomware used by the Medusa ransomware group through Cortex XDR, as well as from the WildFire Cloud-Delivered Security Services for the Next-Generation Firewall.
In particular, the Cortex XDR agent includes out-of-the-box protections that prevented adverse behavior from the Medusa ransomware samples we tested, without the need for specific detection logic or signatures.
Cortex Xpanse can be used to detect vulnerable services exposed directly to the internet that may be exploitable and become infected with Medusa or other ransomware.
The Medusa ransomware group predominantly propagates its ransomware through the exploitation of vulnerable services and hijacking of legitimate accounts, often utilizing initial access brokers for infiltration.
Ransomware groups like Medusa aim to build a brand and reputation, and creating such videos helps to reinforce their image as a formidable threat and enhance their credibility.
For our analysis, we have been focusing on Medusa ransomware samples observed in 2023.
Based on their leak site, Medusa ransomware possibly impacted 74 organizations worldwide in 2023.
Medusa ransomware attacks exhibit a substantial international footprint.
The pre-ransomware techniques provide interesting clues to common themes across ransomware groups as well as more unique developments in tradecraft by the Medusa ransomware operators.
Unit 42 researchers observed Medusa ransomware operators uploading a webshell to an exploited Microsoft Exchange Server.
Unit 42 researchers observed Medusa ransomware operators dropping two kernel drivers, each targeting a different set of security products.
Unit 42 researchers observed Medusa ransomware actors using the portable version of Netscan - with a novel twist.
The options in the menu shown in Figure 18 that end with Gaze show a naming convention used by Medusa ransomware related to the ransomware binary, and give insight into a technique for deploying Medusa ransomware.
Unit 42 observed a common theme in Medusa's ransomware binary that aligns with the mythology of Medusa herself: the use and inclusion of the term gaze in the debug path in PEStudio, as shown in Figure 19.
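The debug-path convention above lends itself to a simple static triage check. As an added example (not code from the Unit 42 post), the stdlib-only Python below scans a PE file's raw bytes for CodeView RSDS debug records, extracts the embedded PDB path, and flags any path containing "gaze"; the RSDS record layout is the standard one and the sample bytes in the test are constructed.

```python
import re
from typing import List

# CodeView "RSDS" record as stored in a PE debug directory:
# 4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
# Scanning the whole file for the signature is a triage heuristic that
# avoids a full PE parser (assumption: no RVA-to-offset mapping needed).
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in RSDS records inside `data`."""
    paths = []
    for match in _RSDS.finditer(data):
        _guid, _age, path = match.groups()
        paths.append(path.decode("latin-1"))
    return paths


def has_gaze_debug_path(data: bytes) -> bool:
    """True if any embedded PDB path uses the 'gaze' naming convention."""
    return any("gaze" in p.lower() for p in extract_pdb_paths(data))


def scan_file(path: str) -> bool:
    """Convenience wrapper: read a file from disk and apply the check."""
    with open(path, "rb") as handle:
        return has_gaze_debug_path(handle.read())
```

The regex runs over the whole file, so it also catches RSDS records in overlays or packed stubs that a strict debug-directory walk would miss.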
The Windows variant of Medusa ransomware can be run with 11 possible arguments, as shown below in Table 1.
Medusa ransomware uses RSA asymmetric encryption to protect the AES-256 key used for encrypting a victim's files.
The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape.
Medusa ransomware stands as a significant threat to organizations, demanding a more proactive and strong defensive strategy.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Thu, 11 Jan 2024 14:13:43 +0000