Medusa Ransomware Activity Continues to Increase

The article covers the tools and tactics used by Spearwing, the group behind the Medusa ransomware. It details the software the group employs for data exfiltration, credential dumping, and maintaining persistence inside victim networks. The consistency of these tactics across incidents points to an organized operation and suggests that Spearwing works as a single, tight-knit crew rather than as a conventional Ransomware-as-a-Service (RaaS) operation. A detailed attack on a healthcare organization illustrates the capability of the Medusa operators and the pressure placed on targeted sectors. Affected: healthcare, financial, government, non-profits

Key points:

  • Spearwing uses various tools for database access, data exfiltration, and network scanning.
  • Medusa has maintained consistent tactics, techniques, and procedures (TTPs) since its emergence in 2023.
  • Commonly employed tools include AnyDesk, Navicat, Rclone, and RoboCopy.
  • The group targets large organizations across diverse sectors, primarily for financial gain.
  • Victims are given a deadline to pay ransoms, with penalties for late payments.
  • The ransom note displayed on encrypted systems is titled !READ_ME_MEDUSA!!!.txt.
  • There are no established links between Medusa and other ransomware groups, despite some shared tools.
  • The group’s operations suggest they may not be a typical RaaS, but rather a tight-knit organization.

MITRE ATT&CK Tactics:

  • TA0001 – Initial Access: The initial access vector is not identified in the report; it occurred before the ransomware was deployed.
  • TA0002 – Execution: Tools such as AnyDesk and PDQ Deploy were used to run commands and push software to victim machines.
  • TA0003 – Persistence: Installing the remote management tools SimpleHelp and Mesh Agent gave the attackers a lasting foothold, and the domain credentials they dumped allowed them to return using valid accounts.
  • TA0004 – Privilege Escalation: Credentials dumped from ntds.dit (the Active Directory database) gave the attackers access to privileged domain accounts.
  • TA0005 – Defense Evasion: KillAV and KillAVDriver were used to terminate security processes before the ransomware was run.
  • TA0006 – Credential Access: The ntds.dit file was accessed to dump domain credentials.
  • TA0010 – Exfiltration: Rclone was used to copy data out of compromised networks.
  • TA0040 – Impact: The ransomware was deployed to encrypt files, followed by a ransom demand.

Indicators of Compromise:

  • [File Name] gaze.exe
  • [Ransom Note] !READ_ME_MEDUSA!!!.txt
  • [File Name] lsp.exe
  • [File Name] mx.exe
  • [File Name] anydesk.exe

Note that bare file names are low-fidelity indicators: anydesk.exe in particular is a legitimate remote-access tool that appears in normal IT use, so a match should be triaged together with the surrounding activity (credential dumping, Rclone transfers, the ransom note) rather than treated as a detection on its own.
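The tactic list and the file-name indicators above map naturally onto a small host-scoring rule set. The following Python is an added example written for this page (it is not Symantec's detection content or anything from the report): it scores constructed Sysmon-style process-creation and file-creation events against the ntds.dit access, Rclone exfiltration, remote-management agent installation, KillAV-style process names, the ransom note name and the listed file names, weighting each by how much it means on its own. The process names assumed for SimpleHelp, Mesh Agent and KillAV, the "remote-name:" heuristic for Rclone, the weights, the threshold and the sample events are all assumptions.

```python
"""Score Windows telemetry against the Spearwing / Medusa behaviours listed
above.  Added detection example; rule names, weights and sample events are
assumptions, not Symantec's detection content."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    kind: str            # "process" (Sysmon 1 / 4688-style) or "file" (Sysmon 11-style)
    image: str           # executable that started, or that wrote the file
    cmdline: str = ""    # command line as logged (process events only)
    target: str = ""     # path written (file events only)


# File names from the Indicators of Compromise list, weighted by how much they
# mean on their own: gaze.exe is the named ransomware binary, while anydesk.exe
# is a legitimate remote-access tool that also appears in ordinary IT use.
IOC_FILENAMES = {"gaze.exe": 5, "lsp.exe": 2, "mx.exe": 2, "anydesk.exe": 1}
RANSOM_NOTE = "!READ_ME_MEDUSA!!!.txt"

# rclone copy/sync/move whose destination looks like a configured remote
# ("name:path").  Requiring a two-or-more-letter name excludes Windows drive
# letters, so "copy D:\Shares mega:exfil" matches but "copy D:\a E:\b" does not.
_RCLONE_REMOTE = re.compile(r"\b(?:copy|sync|move)\b.*?\s([A-Za-z][A-Za-z0-9_-]+):\S*", re.I)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (ATT&CK tactic, description, weight, predicate).  The process-name substrings
# for SimpleHelp, Mesh Agent and KillAV are assumed; adjust to what your EDR logs.
RULES = [
    ("TA0006", "ntds.dit referenced on a command line", 3,
     lambda e: e.kind == "process" and "ntds.dit" in e.cmdline.lower()),
    ("TA0010", "rclone copy/sync/move to a remote", 3,
     lambda e: e.kind == "process" and _basename(e.image) == "rclone.exe"
     and _RCLONE_REMOTE.search(e.cmdline) is not None),
    ("TA0003", "remote-management agent started (SimpleHelp / Mesh Agent)", 2,
     lambda e: e.kind == "process"
     and any(k in _basename(e.image) for k in ("simplehelp", "meshagent"))),
    ("TA0005", "KillAV / KillAVDriver-style image name", 3,
     lambda e: e.kind == "process" and "killav" in _basename(e.image)),
    ("TA0040", "Medusa ransom note written to disk", 5,
     lambda e: e.kind == "file" and _basename(e.target) == RANSOM_NOTE.lower()),
]


def evaluate(events):
    """Return {host: {"score": int, "findings": [(tag, description), ...]}}."""
    per_host = defaultdict(lambda: {"score": 0, "findings": []})
    for e in events:
        hits = [(tactic, desc, w) for tactic, desc, w, pred in RULES if pred(e)]
        name = _basename(e.image) if e.kind == "process" else ""
        if name in IOC_FILENAMES:
            hits.append(("IOC", f"known file name {name}", IOC_FILENAMES[name]))
        for tag, desc, w in hits:
            per_host[e.host]["score"] += w
            per_host[e.host]["findings"].append((tag, desc))
    return dict(per_host)


def suspected_hosts(events, threshold=5):
    """Hosts whose accumulated score reaches the threshold: a single gaze.exe
    launch or ransom-note write is enough on its own, anydesk.exe alone is not."""
    return sorted(h for h, r in evaluate(events).items() if r["score"] >= threshold)


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("DC01", r"CORP\svc_backup", "process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"),
    Event("DC01", r"CORP\svc_backup", "process", r"C:\Windows\System32\Robocopy.exe",
          r"robocopy D:\Shares \\FS02\Staging /E"),          # ordinary admin activity, no rule fires
    Event("FS02", r"CORP\adm_jdoe", "process", r"C:\Users\Public\rclone.exe",
          r"rclone.exe copy D:\Shares\Finance mega:exfil --transfers 8"),
    Event("FS02", r"CORP\adm_jdoe", "process", r"C:\Users\Public\gaze.exe", "gaze.exe"),
    Event("FS02", r"CORP\adm_jdoe", "file", r"C:\Users\Public\gaze.exe",
          target=r"D:\Shares\Finance\!READ_ME_MEDUSA!!!.txt"),
    Event("WS17", r"CORP\jdoe", "process", r"C:\ProgramData\AnyDesk\anydesk.exe", "anydesk.exe --service"),
    Event("WS17", r"CORP\jdoe", "process", r"C:\Program Files\Mesh Agent\MeshAgent.exe", "MeshAgent.exe"),
]

if __name__ == "__main__":
    for host, result in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(host, result["score"], result["findings"])
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```

On the sample data the file server FS02 accumulates the Rclone transfer, the gaze.exe launch and the ransom-note write and is the only host over the default threshold; DC01 (ntds.dit copied out of a shadow copy) and WS17 (AnyDesk plus Mesh Agent) each score 3, which is exactly the kind of medium-confidence signal worth pivoting on before the encryption stage rather than alerting on blindly. Lowering the threshold to 3 surfaces all three hosts, at the cost of more noise from legitimate remote-access tooling.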


Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/medusa-ransomware-attacks