Medusa Ransomware Turning Your Files into Stone

Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog.
The Unit 42 Incident Response team has also responded to a Medusa ransomware incident, which has allowed us to uncover interesting tactics, tools and procedures used by Medusa threat actors.
Palo Alto Networks customers are better protected against ransomware used by the Medusa ransomware group through Cortex XDR, as well as from the WildFire Cloud-Delivered Security Services for the Next-Generation Firewall.
In particular, the Cortex XDR agent included out-of-the-box protections that prevented adverse behavior from Medusa ransomware samples we tested without the need for specific detection logic or signatures.
Cortex Xpanse can be used to detect vulnerable services exposed directly to the internet that may be exploitable and infected with Medusa or other ransomware.
The Medusa ransomware group predominantly propagates its ransomware through the exploitation of vulnerable services and hijacking of legitimate accounts, often utilizing initial access brokers for infiltration.
Ransomware groups like Medusa aim to build a brand and reputation, and creating such videos helps to reinforce their image as a formidable threat and enhance their credibility.
For our analysis, we have been focusing on Medusa ransomware samples observed in 2023.
Based on their leak site, Medusa ransomware possibly impacted 74 organizations worldwide in 2023.
Medusa ransomware attacks exhibit a substantial international footprint.
The pre-ransomware techniques provide interesting clues to common themes across ransomware groups as well as more unique developments in tradecraft by the Medusa ransomware operators.
Unit 42 researchers observed Medusa ransomware operators uploading a webshell to an exploited Microsoft Exchange Server.
Unit 42 researchers observed Medusa ransomware operators dropping two kernel drivers for targeting different sets of security products.
Unit 42 researchers observed Medusa ransomware actors using the portable version of Netscan - with a novel twist.
The options in the menu shown in Figure 18 that end with Gaze show a naming convention used by Medusa ransomware related to the ransomware binary, and give insight into a technique for deploying Medusa ransomware.
Unit 42 observed a common theme in Medusa's ransomware binary that aligns with the mythology of Medusa herself: the use and inclusion of the term gaze in the debug path in PEStudio, as shown in Figure 19.
The Windows variant of Medusa ransomware can be run with 11 possible arguments, as shown below in Table 1.
Medusa ransomware uses RSA asymmetric encryption for protecting the AES256 key used for encrypting a victim's files.
The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape.
Medusa ransomware stands as a significant threat to organizations, demanding a more proactive and strong defensive strategy.


This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Thu, 11 Jan 2024 14:13:43 +0000


Cyber News related to Medusa Ransomware Turning Your Files into Stone

Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
9 months ago Unit42.paloaltonetworks.com
300 Strikes: Fort Worth's Battle Against the Medusa Gang - In the wake of a cyberattack on Tarrant County Appraisal District in March, the Medusa ransomware gang has claimed responsibility for the hack and has threatened the public with the threat of leaking 218 GB of the stolen data unless the ransom of ...
6 months ago Cysecurity.news
Medusa Ransomware Unleashes New Tactics: Data Sale, Time Extension, and AI Threats - In the ever-evolving landscape of cyber threats, Medusa Ransomware has taken a bold step by launching a dedicated blog to publish victim details, offering a chilling one-click data sale for $10,000. This notorious group, distinct from Medusa Locker ...
9 months ago Cybersecurity-insiders.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
9 months ago Securityboulevard.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 month ago Aws.amazon.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
1 year ago Trendmicro.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
10 months ago Feeds.fortinet.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
8 months ago Securityboulevard.com
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
11 months ago Bleepingcomputer.com
Defend Your Business: Testing Your Security Against QakBot and Black Basta Ransomware - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
5 months ago Securityboulevard.com
How to Temporarily Deactivate Instagram? - Instagram is an amazing social platform where you can stay in touch with your friends and influencers, but sometimes it can be too much. If Instagram has become too distracting or overwhelming for you to use effectively-whether for mental peace, ...
10 months ago Hackercombat.com
Spider-Man 2 Developer Insomniac Games Hit by Rhysida Ransomware - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
10 months ago Hackread.com
US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
11 months ago Hackread.com
Is it possible to use an external SSD to speed up your Mac - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
9 months ago Hackread.com
What is Biometric Security? Your Body Becomes Your Key - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
9 months ago Hackersonlineclub.com
MGM sues FTC to halt probe into ransomware infection The Register - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
6 months ago Go.theregister.com
Volkswagen Goes AI, Integrates ChatGPT into its Vehicles - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
9 months ago Hackread.com
New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
8 months ago Hackread.com
How to Protect Your Business from Ransomware Attacks – Insights from a KFC & Pizza Hut Attack in the UK - This summer, ransomware attackers successfully hacked into the computer systems of KFC and Pizza hut stores in the UK. ...
1 year ago Bitdefender.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
10 months ago Helpnetsecurity.com
The Evolving Landscape of Ransomware Attacks - 1.7 million ransomware attacks are happening every day. Many people think the virus has locked their computer, but it is actually the ransomware that has locked all their files. As the name ransomware suggests they are after ransom. Stealing or ...
10 months ago Cyberdefensemagazine.com
P2Pinfect Malware Deploy Ransomware Windows Via SSH - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
4 months ago Cybersecuritynews.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)