Dark Web Profile: Medusa Ransomware (MedusaLocker) – SOCRadar® Cyber Intelligence Inc.

In ancient Greek mythology, Medusa stands as one of the most iconic and feared figures. With a head full of venomous snakes in place of hair, she had the power to turn anyone who gazed upon her into stone. This Gorgon, once a beautiful maiden, became synonymous with terror and dread. 

Fast forward to 2023, and the name Medusa has resurfaced, not in tales of mythology, but in the realm of cybersecurity. Medusa Ransomware, much like its mythological counterpart, paralyzes its victims, holding their data hostage and turning digital systems into metaphorical stone.

Fig. 1. Medusa Ransomware (MedusaLocker) threat actor card
Fig. 1. Medusa Ransomware (MedusaLocker) threat actor card

This article aims to shed light on the intricacies of this ransomware, offering a comprehensive understanding of its attacks, targets, and malicious endeavors.

Who is Medusa Ransomware Group?

Since its first sighting in June 2021, Medusa Ransomware (or MedusaLocker) has been on the radar of cybersecurity experts. Operating under the Ransomware-as-a-Service (RaaS) model, the Medusa Ransomware group collaborates with global affiliates, making its reach and impact even more widespread.

Fig. 2. Medusa Ransomware Illustration generated using Bing Image Create
Fig. 2. Medusa Ransomware Illustration generated using Bing Image Create

Medusa Ransomware is not just another name in the long list of ransomware threats; it is a multifaceted menace, much like the many serpentine tendrils of Medusa’s hair. Each encrypted file, bearing a variety of extensions, reminds us of the numerous snakes that crowned the Gorgon’s head. The most prominent among these is the unmistakable “.MEDUSA” extension, a signature mark of this ransomware’s venomous touch.

Some of the encrypted file extensions of Medusa Ransomware are:

.1btc

.mylock

.key1

.matlock20

.jpz.nz

.fileslocked

.marlock02

.marlock11

.datalock

.readinstructions

.cn

.NZ

.bec

.NET1

.lock

The reason why there are so many file extensions is probably because there are many more variants of Medusa Ransomware, or MedusaLocker, than other ransomware:

Fig. 3. Variants of Medusa Ransomware over the years (Source: Rakesh Krishnan)
Fig. 3. Variants of Medusa Ransomware over the years (Source: Rakesh Krishnan)

How does Medusa Ransomware Group attack?

Understanding Medusa’s attack strategy is crucial to devising countermeasures. The ransomware predominantly gains access to systems through vulnerable Remote Desktop Protocols (RDP) and deceptive phishing campaigns. Once it breaches a system, Medusa employs PowerShell for command execution, systematically erasing shadow copy backups to prevent data restoration. It does not stop there; the ransomware escalates its system privileges, deactivates defense mechanisms, and spreads its tentacles across the network. The culmination of its attack is the encryption of data and the presentation of a ransom note demanding payment in exchange for decryption.

Medusa Ransomware is observed using a few exploits from 2022:

Fig. 4. CVE’s used by Medusa Ransomware (Source: SOCRadar)
Fig. 4. CVE’s used by Medusa Ransomware (Source: SOCRadar)

To give an example, Medusa Ransomware exploited the “Type Confusion in V8 in Google Chrome” vulnerability, known as CVE-2022-2295 to launch its malicious attacks, which has high severity.

Fig. 5. CVE-2022-2295’s information card in SOCRadar XTI’s Vulnerability Intelligence page under the CTI module (Source: SOCRadar)
Fig. 5. CVE-2022-2295’s information card in SOCRadar XTI’s Vulnerability Intelligence page under the CTI module (Source: SOCRadar)

There are multiple variants of Medusa, and the main difference between these variants is the ransom note.

Fig. 6. One of the ransom notes of Medusa Ransomware (Source: ThreatLabz)
Fig. 6. One of the ransom notes of Medusa Ransomware (Source: ThreatLabz)

While some ransom notes are in TXT format, others can be found in HTML files, it can be said that we have observed that the most current variants have HTML files.

Fig. 7. Ransom note of Medusa Ransomware which is in HTML format
Fig. 7. Ransom note of Medusa Ransomware which is in HTML format

Looking at the various variants of Medusa, we observed that they have the same process trees:

Fig. 8. Process trees of two different Medusa Ransomware Variants (Source: any.run)
Fig. 8. Process trees of two different Medusa Ransomware Variants (Source: any.run)
Fig. 9. To access IoCs about Medusa ransomware, also known as MedusaLocker, you can visit the Threat Actor/Malware page under the SOCRadar CTI module (Source: SOCRadar)
Fig. 9. To access IoCs about Medusa ransomware, also known as MedusaLocker, you can visit the Threat Actor/Malware page under the SOCRadar CTI module (Source: SOCRadar)

A Quick Look into Medusa Blog

Medusa Ransomware group shares their victim announcements via Medusa Blog. The header of the page shows Telegram and Twitter links in addition to their logos.

Fig. 10. Main page of Medusa Blog
Fig. 10. Main page of Medusa Blog

Some variants have contact information in their Ransom note, which includes an email called “information support”, as well as a Telegram channel with the same name, through which they share the leaked data of their victims:

Fig. 11. Medusa Ransomware’s Telegram Channel info and latest message contains Leaked Files
Fig. 11. Medusa Ransomware’s Telegram Channel info and latest message contains Leaked Files

When clicking on the victim announcement, the victim’s announcement page opens. At the top of the page there is a countdown timer if the data has not been leaked, otherwise it says “PUBLISHED”.

Fig. 12. Information page of Ace Micromatic Group, one of Medusa Ransomware’s victim, in Medusa Blog
Fig. 12. Information page of Ace Micromatic Group, one of Medusa Ransomware’s victim, in Medusa Blog

The rest of the page contains screenshots of the data Medusa added as evidence and an interactive file explorer.

Fig. 13.  One of Medusa’s sample data and interactive file explorer panel of victim data
Fig. 13.  One of Medusa’s sample data and interactive file explorer panel of victim data

What are the targets of Medusa Ransomware?

Countries

Considering the countries where the companies attacked by Medusa are located, we infer that the majority of the attacks are in North and South America and Europe.

Fig. 14. Countries affected by Medusa Ransomware (Source: SOCRadar)
Fig. 14. Countries affected by Medusa Ransomware (Source: SOCRadar)

Among the countries where the companies targeted by Medusa are located, the majority is the United States, followed by the United Kingdom, which is targeted more than any other country.

Fig. 15. Distribution of Countries affected by Medusa Ransomware (Source: SOCRadar)
Fig. 15. Distribution of Countries affected by Medusa Ransomware (Source: SOCRadar)

Industries

Fig. 16. Distribution of Industries affected by Medusa Ransomware (Source: SOCRadar)
Fig. 16. Distribution of Industries affected by Medusa Ransomware (Source: SOCRadar)

It should also be known that Medusa’s targets are not random; they are carefully chosen for maximum impact. One of its most audacious attacks was against the Minneapolis school district in March 2023. The ransomware group demanded a staggering $1 million, and when the district refused, they retaliated by releasing the stolen data on their TOR site. This incident is a testament to Medusa’s strategy of targeting corporate entities and institutions, ensuring that its attacks create ripples in the global community.

What are the recent activities of Medusa Ransomware?

According to observations, it is possible to say that the Medusa Ransomware group has recently targeted organizations operating in the sector that we can define as Public Administration in Europe.

The International Civil Defense Organization:

Fig. 17. ICDO’s victim announcement card
Fig. 17. ICDO’s victim announcement card

Sartrouville France:

Fig. 18. Sartrouville France victim announcement card
Fig. 18. Sartrouville France victim announcement card

With the Dark Web News page in SOCRadar’s CTI Module, you can access the latest news about the Medusa Ransomware.

Fig. 19. Dark Web News page of Medusa Ransomware (Source:SOCRadar)
Fig. 19. Dark Web News page of Medusa Ransomware (Source:SOCRadar)

Conclusion

The rise of Medusa Ransomware underscores the evolving nature of cyber threats. Its sophisticated attack vectors, combined with a collaborative RaaS model, make it a significant concern for organizations. As it continues to target and compromise corporate entities, the need for robust cybersecurity measures has never been more paramount.

Security Recommendations against Medusa Ransomware

  • Robust Authentication: Implementing strong, unique passwords and multi-factor authentication can act as the first line of defense.
  • Regular Audits: Periodically review user accounts, deactivating unused ones, and ensuring that access controls are stringent.
  • Software Vigilance: Keeping all software updated can shield against vulnerabilities that ransomware often exploits.
  • Data Backups: Regular backups, especially offline ones, can be a lifesaver, ensuring data availability even after an attack.
  • Proactive Cybersecurity: Whether it’s an in-house IT team or an outsourced cybersecurity service, continuous monitoring and vulnerability assessments are crucial.
  • Emergency Response Blueprint: A well-documented plan detailing the steps post a ransomware attack can expedite recovery and minimize damage.
  • Continuous Education: Keeping employees informed about the latest ransomware threats and safe online practices can prevent inadvertent breaches.

MITRE ATT&CK TTPs of Medusa Ransomware

Technique

ID

Initial Access

Valid Accounts

T1078

Phishing

T1566

External Remote Services

T1133

Execution

Command and Scripting Interpreter: PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Abuse Elevation Control Mechanism: Bypass User Account Control

T1548.002

Defense Evasion

Impair Defenses: Disable or Modify Tools

T1562.001

Impair Defenses: Safe Mode Boot

T1562.009

Credential Access

Brute Force

T1110

Discovery

File and Directory Discovery

T1083

Network Share Discovery

T1135

Query Registry

T1012

Lateral Movement

Remote Services

T1021

Command and Control

Ingress Tool Transfer

T1105

Application Layer Protocol: Web Protocols

T1071.001

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Impact

Service Stop

T1489

Appendix

IoCs of Medusa Ransomware

Ransom Note Name

how_to_recover_data.html

Ransom Note Name

instructions.html

Ransom Note Name

READINSTRUCTION.html

Ransom Note Name

!!!HOW_TO_DECRYPT!!!

Ransom Note Name

How_to_recovery.txt

Ransom Note Name

readinstructions.html

Ransom Note Name

readme_to_recover_files

Ransom Note Name

recovery_instructions.html

Ransom Note Name

HOW_TO_RECOVER_DATA.html

Ransom Note Name

recovery_instruction.html

Payment Wallet

14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc

Payment Wallet

1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq

Payment Wallet

18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42

Payment Wallet

1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5

E-Mail Address

unlockmeplease@protonmail[.]com

E-Mail Address

support@exorints[.]com

E-Mail Address

rpd@keemail[.]me

E-Mail Address

lockPerfection@gmail[.]com

E-Mail Address

ithelp01@wholeness[.]business

E-Mail Address

777decoder777@protonmail[.]com

E-Mail Address

dec_helper@excic[.]com

E-Mail Address

dec_restore@prontonmail[.]com

E-Mail Address

bitcoin@sitesoutheat[.]com

E-Mail Address

best666decoder@tutanota[.]com

E-Mail Address

best666decoder@protonmail[.]com

E-Mail Address

encrypt2020@outlook[.]com

E-Mail Address

decoder83540@cock[.]li

E-Mail Address

gsupp@onionmail[.]org

E-Mail Address

encrypt2020@cock[.]li

E-Mail Address

best666decoder@protonmail[.]com

E-Mail Address

helper@atacdi[.]com

E-Mail Address

ithelp@decorous[.]cyou

E-Mail Address

helptorestore@outlook[.]com

Source: https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/