The MiraiOriginated Medusa Botnet Has Returned with the Ability to Carry Out Ransomware Attacks

Researchers have discovered a new version of the Medusa malware, which is based on the Mirai botnet code. This version has been available on dark web marketplaces since 2015 and has the ability to launch DDoS attacks using the HTTP protocol. It also has a ransomware module and a Telnet brute-forcer. The ransomware module checks all directories for valid file types to encrypt, and then adds the .Medusastealer extension to the encrypted files. It then displays a ransom message demanding 0.5 BTC, but this appears to be a flaw in the code as it deletes all files on the system disks, preventing victims from using their systems and reading the ransom message. The malware also has a data exfiltration tool that collects system data to identify victims and estimate resources for mining and DDoS attacks. It also has a brute forcer that attempts to get into targets systems by guessing their passwords repeatedly. It then uses the Zmap command to locate other devices running Telnet services on port 23 and attempts to establish a connection with those machines. If successful, it drops its main payload on the victims machine. There is also unfinished support for the FivemBackdoor and Sshlogin commands in the final Medusa payload.

This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 08 Feb 2023 16:26:03 +0000


Cyber News related to The MiraiOriginated Medusa Botnet Has Returned with the Ability to Carry Out Ransomware Attacks

Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
2 weeks ago Cybersecuritynews.com
Medusa Ransomware Attacks Grown By 42% With New Tools & Techniques - Following the pattern of most modern ransomware operators, Spearwing and its affiliates implement double extortion attacks, first stealing victims’ data before encrypting networks to increase pressure on victims to pay ransoms. In almost all ...
1 day ago Cybersecuritynews.com LockBit Medusa
300 Strikes: Fort Worth's Battle Against the Medusa Gang - In the wake of a cyberattack on Tarrant County Appraisal District in March, the Medusa ransomware gang has claimed responsibility for the hack and has threatened the public with the threat of leaking 218 GB of the stolen data unless the ransom of ...
10 months ago Cysecurity.news Medusa
Medusa Ransomware Unleashes New Tactics: Data Sale, Time Extension, and AI Threats - In the ever-evolving landscape of cyber threats, Medusa Ransomware has taken a bold step by launching a dedicated blog to publish victim details, offering a chilling one-click data sale for $10,000. This notorious group, distinct from Medusa Locker ...
1 year ago Cybersecurity-insiders.com Medusa
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
The MiraiOriginated Medusa Botnet Has Returned with the Ability to Carry Out Ransomware Attacks - Researchers have discovered a new version of the Medusa malware, which is based on the Mirai botnet code. This version has been available on dark web marketplaces since 2015 and has the ability to launch DDoS attacks using the HTTP protocol. It also ...
2 years ago Heimdalsecurity.com Medusa
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
9 months ago Bleepingcomputer.com LockBit Inc ransom Black Basta
Stealthy KV-botnet hijacks SOHO routers and VPN devices - The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet named 'KV-botnet' since at least 2022 to attack SOHO routers in high-value targets. Volt Typhoon commonly targets routers, firewalls, and ...
1 year ago Bleepingcomputer.com Volt Typhoon
Feds Disrupt Botnet Used by Russian APT28 Hackers - Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies. APT28, an ...
1 year ago Securityboulevard.com Fancy Bear APT28 Volt Typhoon
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
1 year ago Techrepublic.com
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
1 year ago Blog.checkpoint.com
New Vo1d botnet variant infects 1.6 million Android TVs worldwide - A new variant of the Vo1d malware botnet has infected 1,590,299 Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices ...
1 week ago Bleepingcomputer.com
Vo1d malware botnet grows to 1.6 million Android TVs worldwide - A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised ...
1 week ago Bleepingcomputer.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
1 year ago Malwarebytes.com Scattered Spider LockBit
Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested - The US Justice Department announced on Wednesday that the massive 911 S5 proxy botnet has been dismantled and its alleged administrator, a Chinese national, has been arrested. The Treasury Department earlier this week announced sanctions against ...
9 months ago Packetstormsecurity.com
"Largest Botnet Ever" Disrupted. 911 S5's Alleged Mastermind Arrested - A vast network of millions of compromised computers, being used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation. 35-year-old YunHe Wang, a dual citizen of China and St. Kitts and Nevis, is ...
9 months ago Tripwire.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
Botnet sent millions of emails in LockBit Black ransomware campaign - Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign. As New Jersey's Cybersecurity and Communications Integration Cell warned on Friday, the attackers use ZIP ...
9 months ago Bleepingcomputer.com LockBit Black Basta
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
1 year ago Bleepingcomputer.com LockBit Rhysida Medusa
Best Ransomware Protection Practices for Midsize Organizations - Ransomware Protection has emerged as a crucial step in cybersecurity since ransomware attacks have become a major threat to businesses of all sizes, including midsize organizations. Ransomware attacks can be delivered via email attachments or links, ...
1 year ago Securityboulevard.com
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com LockBit Akira Noescape
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
1 year ago Bleepingcomputer.com Qilin Cactus Black Basta