CyberSecurityBoard
Sponsor Register Login

Researchers Deanonymized Medusa Ransomware Group's Onion Site

The server is hosted on a network routed via SELECTEL in Russia (AS49505) and runs Ubuntu Linux with OpenSSH 8.9p1. The server exposes three services: SSH on port 22, HTTP on port 80, and an additional HTTP service on port 3000. Most notably, the standard SSH port remained open with password authentication enabled rather than key-based authentication, and the HTTP service on port 3000 directly exposed the Medusa Locker Group’s victim negotiation portal. This exposure represents a rare instance where cybercriminal operations protected by the anonymity of the Tor network have been compromised through technical vulnerabilities rather than operational security mistakes. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Their typical modus operandi includes operating a Tor-based leak site where they publish sensitive data stolen from victims who refuse to pay ransom demands, creating a double-extortion pressure tactic that has proven effective against many organizations. Covsec researchers identified a critical vulnerability in Medusa’s ransomware blog platform that allowed them to bypass the protections afforded by the Tor network. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The Medusa Ransomware Group, which has operated with relative anonymity through Tor hidden services, has had its cover blown through a sophisticated exploitation of vulnerabilities in their own infrastructure. The exploitation process leveraged a vulnerability in the blog platform used by the Medusa group to showcase their victims. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The exposed server demonstrates poor security configurations that contributed to the successful deanonymization. Researchers have uncovered the true identity of servers hosting one of the most notorious ransomware operations active today. This simple command, when executed on the compromised server, returned the actual external IP address rather than the onion routing address.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 19:00:09 +0000


Cyber News related to Researchers Deanonymized Medusa Ransomware Group's Onion Site

Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
1 month ago Cybersecuritynews.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 week ago Cybersecuritynews.com
Medusa Ransomware Attacks Grown By 42% With New Tools & Techniques - Following the pattern of most modern ransomware operators, Spearwing and its affiliates implement double extortion attacks, first stealing victims’ data before encrypting networks to increase pressure on victims to pay ransoms. In almost all ...
1 month ago Cybersecuritynews.com LockBit Medusa
Researchers Deanonymized Medusa Ransomware Group's Onion Site - The server is hosted on a network routed via SELECTEL in Russia (AS49505) and runs Ubuntu Linux with OpenSSH 8.9p1. The server exposes three services: SSH on port 22, HTTP on port 80, and an additional HTTP service on port 3000. Most notably, the ...
2 days ago Cybersecuritynews.com Medusa Ransomware blog
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
6 months ago Securelist.com
Medusa Ransomware Unleashes New Tactics: Data Sale, Time Extension, and AI Threats - In the ever-evolving landscape of cyber threats, Medusa Ransomware has taken a bold step by launching a dedicated blog to publish victim details, offering a chilling one-click data sale for $10,000. This notorious group, distinct from Medusa Locker ...
1 year ago Cybersecurity-insiders.com Medusa
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
300 Strikes: Fort Worth's Battle Against the Medusa Gang - In the wake of a cyberattack on Tarrant County Appraisal District in March, the Medusa ransomware gang has claimed responsibility for the hack and has threatened the public with the threat of leaking 218 GB of the stolen data unless the ransom of ...
1 year ago Cysecurity.news Medusa
CISA: Medusa ransomware hit over 300 critical infrastructure orgs - Last month, CISA and the FBI issued another joint alert warning that victims from multiple industry sectors across over 70 countries, including critical infrastructure, have been breached in Ghost ransomware attacks. "As of February 2025, ...
1 month ago Bleepingcomputer.com Medusa
Medusa Ransomware Hacked 300+ Organizations Worldwide from Variety of Critical Infrastructure - In a particularly concerning development, FBI investigations uncovered instances where victims who paid the initial ransom were subsequently contacted by different Medusa actors claiming the first negotiator had stolen the payment, demanding an ...
1 month ago Cybersecuritynews.com Medusa
NCC Group records the most ransomware victims ever in 2023 - While coordinated law enforcement action and government initiatives helped in the fight against ransomware last year, NCC Group still recorded an 84% increase in attacks during 2023. The report included data from NCC Group's Cyber Incident Response ...
1 year ago Techtarget.com Rocke 8base LockBit BianLian Medusa
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
CISA: More than 300 critical infrastructure orgs attacked by Medusa ransomware | The Record from Recorded Future News - “FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the ...
1 month ago Therecord.media CVE-2024-1709 Medusa
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs - Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. The 3AM ransomware gang's activity was first ...
1 year ago Bleepingcomputer.com Blacksuit LockBit Threeam
Cybercrime experts reveal how to infiltrate ransomware gangs The Register - Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have ...
1 year ago Go.theregister.com Qilin
Cybercrime experts reveal how to infiltrate ransomware gangs The Register - Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have ...
1 year ago Theregister.com Qilin
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
1 year ago Cybersecuritynews.com LockBit BianLian Everest Ragnar Locker Black Basta
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
1 year ago Bleepingcomputer.com Medusa Cuba STORMOUS
Medusa Ransomware Claims NASCAR Hack, Demands $4 Million Ransom - The Medusa ransomware group has reportedly launched a major cyberattack on the National Association for Stock Car Auto Racing (NASCAR), demanding a $4 million ransom to prevent the release of sensitive data. The Medusa ransomware group operates under ...
4 days ago Cybersecuritynews.com Medusa
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
1 year ago Bleepingcomputer.com Qilin Cactus Black Basta
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
1 year ago Bleepingcomputer.com LockBit Rhysida Medusa
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
1 year ago Bleepingcomputer.com LockBit BianLian Akira Cactus
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
1 year ago Bleepingcomputer.com LockBit Akira

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)