Medusa Ransomware Turning Your Files into Stone

Executive Summary

Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.

As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data. All of these options have a price tag depending on the organization impacted by this group.

A pictorial representation of the Medusa ransomware gang. A hand offers money to another hand holding keys. In the background is a computer screen with the biohazard symbol on it.

Besides their strategy of using an onion site for extortion, Medusa threat actors also leverage a public Telegram channel named “information support,” where files of compromised organizations have been shared publicly and are more accessible than traditional onion sites.

The Unit 42 Incident Response team has also responded to a Medusa ransomware incident, which has allowed us to uncover interesting tactics, tools and procedures used by Medusa threat actors.

Palo Alto Networks customers are better protected against ransomware used by the Medusa ransomware group through Cortex XDR, as well as from the WildFire Cloud-Delivered Security Services for the Next-Generation Firewall. In particular, the Cortex XDR agent included out-of-the-box protections that prevented adverse behavior from Medusa ransomware samples we tested without the need for specific detection logic or signatures. Prisma Cloud Defender Agents can monitor Windows virtual machine instances for known Medusa malware. Cortex Xpanse can be used to detect vulnerable services exposed directly to the internet that may be exploitable and infected with Medusa or other ransomware.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 TopicsRaaSRansomware

Table of Contents

Medusa Ransomware as a Service Overview
Medusa’s Prey: Understanding Victimology
Medusa’s Toolkit: Unraveling the Mythical Trade
Initial Access
Defense Evasion
Discovery and Reconnaissance
In-Depth Look Into Medusa’s Gaze
Conclusion
Protections and Mitigations
Indicators of Compromise
Appendix
Additional Resources

Medusa Ransomware as a Service Overview

Medusa surfaced as a ransomware-as-a-service (RaaS) platform in late 2022 and gained notoriety in early 2023, primarily targeting Windows environments. Medusa should not be confused with a similarly named RaaS, MedusaLocker, which has been available since 2019. Our analysis focuses solely on the Medusa ransomware, publicly known since 2023, which is impacting organizations’ Windows environments.

The Medusa ransomware group predominantly propagates its ransomware through the exploitation of vulnerable services (e.g., public-facing assets or applications with known unpatched vulnerabilities) and hijacking of legitimate accounts, often utilizing initial access brokers for infiltration. We will delve into the initial access strategies and more complex techniques they employ later in this article. We also observed that Medusa ransomware implements living-off-the-land techniques by using legitimate software for malicious purposes, which can often blend in with regular traffic and behavior, making it harder to flag such activities.

We have noticed a marked escalation in its activities, characterized by the introduction of the new Medusa Blog accessible through TOR on an .onion site released in early 2023. A screenshot of the Medusa Blog is shown below in Figure 1. This platform is used by the perpetrators to disclose sensitive data of victims unwilling to accede to their ransom demands.

Image 1 is a screenshot of the Medusa ransomware group leaksite. Some information is redacted. Icon of Medusa’s head. Medusa Blog. Links to Twitter and Telegram. Price tag. Countdown. Number of visitors. Description of victims. There is a magnifying glass icon to allow the end user to search.
Figure 1. Medusa Blog dedicated leak site.

As a multi-extortion operation, the Medusa ransomware operator’s announcements include the following points of information to pressure victims into paying the ransom:

  • Price tag: The amount displayed is what the affected organizations need to pay the group for them to delete the data from the site. (Unit 42 has observed Medusa being willing to negotiate with victims, like many ransomware groups. Any payments actually made may not directly match the pricing shown on the site.)
  • Countdown: The amount of time the impacted organizations have before the stolen data is released publicly and available to download.
  • Number of visitors: The number of post visitors, used in the negotiation strategy to pressure victims into paying.
  • Victim name and description: Identifiable information for the compromised organization.

The group’s posts also typically revealed evidence of compromise. They also offered various “choices” – arbitrary and at the whim of Medusa – to the affected organization aside from paying the primary ransom, as shown in Figure 2. These choices include the following:

  • A standard fee of $10,000 for a time extension to prevent data from being published on the site
  • A request for data deletion
  • A download option

The price for these second two services can differ from one organization to another.

Image 2 is a screenshot of the Medusa ransomware gang leak site. This blog post highlights a specific victim. Much of the information is redacted. A counter of days, hours, minutes and seconds is at the top. The prices for adding time for one day, deleting all the data or downloading all the data are offered. There is also the option to download the file trees.
Figure 2. Post on the Medusa Blog to a victim.

A recent post on the Medusa Blog shared a video that showed files of a compromised organization. This video features a title caption of “Medusa Media Team,” which we suspect is the branch of this group that handles their public brand (shown in Figure 3). We haven’t seen videos of victims’ files with each post on their site, so we are still unclear if this is going to be a trend. However, ransomware groups like Medusa aim to build a brand and reputation, and creating such videos helps to reinforce their image as a formidable threat and enhance their credibility.

Image 3 is a screenshot of a Medusa Media Team video. Capital text against what looks to be a ship’s wheel.
Figure 3. Screenshot of Medusa Media Team video.

This group does not just host a specialized leak site and videos for extortion purposes. They have also integrated links to Telegram and X (previously known as Twitter) on the Medusa Blog site. The Telegram channel used by Medusa is titled “information support,” and it is used to publicize and release data exfiltrated by the group. On the other hand, the link to X simply leads to a search result page for “Medusa ransomware.”

The Telegram channel was created in July 2021, and it contains some content from before the emergence of this group that relies on known public breaches. Unexpectedly, the channel is not Medusa ransomware-branded. Still, we observed posts in this channel leaking content related to Medusa’s compromises and even claims of meeting with representatives of this threat group. An example of this communication is shown below in Figure 4.

Image 4 is a screenshot of an admin message. November 25, 2022. Hello community! I love looking for hidden information on the Internet. Today I met the guys from the hacker group Medusa. She kindly agreed to provide me with a video overview of her activities on the example of a very cool casino located in the United States of America — Eureka casino. While I was watching the video, I saw how the Eureka casino visitors are deceived, how the slot machines are reprogrammed. After watching the video, you will understand why you don't have to go to this casino for sure! And yes, Medusa has a really cool media team – I was jealous! I reminded you that you can find much more information in my telegram channel, and I also invite you to my Twitter and Facebook. And waiting for your subscription and likes Dash this motivates, you to search for new and new content, as well as publish data in the telegram channel. Links are in the description of the channel. Enjoy watching! 734 views. 02:18 PM. Link to YouTube video. Some of the information is redacted.
Figure 4. Information support admin message.

On Feb. 20, 2023, the Telegram channel announced the release of the official Medusa leak site (or as the admin says, “a new blog of a hacker jellyfish group”). This announcement came with an image featuring the same branding as the official Medusa leak site, shown in Figure 5.

Image 5 is a screenshot of an admin message announcing the Medusa blog. Hello community. I want to introduce you to a new blog of a hacker jellyfish group. I reaccontate to visit and see: [onion link to Medusa site]. The message has one thumbs up snd one heart. February 20. 3.3k views. 06:27 AM. Some of the information is redacted.
Figure 5. Information support admin message announcing Medusa Blog site.

It’s unclear at the time of writing this article if the owner of this channel is part of the ransomware operation per se. We do know that the platform is being leveraged to announce compromises and release exfiltrated information.

Medusa’s Prey: Understanding Victimology

For our analysis, we have been focusing on Medusa ransomware samples observed in 2023.

Based on their leak site, Medusa ransomware possibly impacted 74 organizations worldwide in 2023. The sectors most affected include high technology, education and manufacturing. However, the diverse range of impacted sectors highlights this group’s opportunistic nature, which is characteristic of many ransomware operations. Medusa ransomware does not restrict itself to a single industry. Figure 6 highlights the far-ranging impact of their attacks.

Image 6 is a column graph of the industries impacted by Medusa. The highest are High Technology, Education and Manufacturing as well as Healthcare. Mid-level includes hospitality, nonprofit and agriculture. Lowest include telecoms, federal government and real estate.
Figure 6. Industries impacted by Medusa ransomware, based on the leak site.

Medusa ransomware attacks exhibit a substantial international footprint. However, the group’s effects are most pronounced in the United States, where 24 incidents occurred as of the time of writing. A substantial number of targeted organizations were based in Europe. The presence of isolated incidents across Africa, South America and Asia underscore the indiscriminate approach of this ransomware group. Attacks span a global scale even in regions with fewer reported cases. Figure 7 underlines this point.

Image 7 is a column graph of the countries impacted by Medusa. The highest is the United States followed by the United Kingdom, France and Italy.
Figure 7. Countries where impacted organizations were located, based on the leak site.

Medusa’s Toolkit: Unraveling the Mythical Trade

This section uncovers some of the tools and techniques used by Medusa ransomware actors that we discovered during an incident response event. The pre-ransomware techniques provide interesting clues to common themes across ransomware groups as well as more unique developments in tradecraft by the Medusa ransomware operators.

Initial Access

Unit 42 researchers observed Medusa ransomware operators uploading a webshell to an exploited Microsoft Exchange Server. This webshell functionality overlaps with the ASPX files previously reported for login.aspx and cmd.aspx. An example of cmd.aspx is shown below in Figure 8.

Image 8 is a screenshot of a web shell for cmd.aspx.
Figure 8. Example of the Cmd.aspx webshell.

Following the webshell activity, threat actors used PowerShell to execute a bitsadmin transfer from a file hosting site called filemail[.]com. The file downloaded from this site was ZIP compressed and titled baby.zip. Upon decompressing and executing, it installed remote monitoring and management (RMM) software ConnectWise.

Defense Evasion

Unit 42 researchers observed Medusa ransomware operators dropping two kernel drivers for targeting different sets of security products. Each kernel driver was guarded using a software protector called Safengine Shielden. The Safengine Shielden protector used on the drivers obfuscates the code flow by randomizing the code through various code mutations and then leverages an embedded virtual machine interpreter to execute the code.

Unit 42 observed each driver paired with its own loader. Each loader was packed using a packer called ASM Guard.

The packed loaders use a fake UPX header and subsequent address next to the fake UPX bytes, as shown in Figure 9. In the resource section, there are numerous references to ASM Guard as well as fake WINAPI imports among other various junk paddings, as shown in Figure 10.

Image 9 is a screenshot of the driver loader packed with ASM Guard, highlighted in yellow on the upper right.
Figure 9. Header of the driver loader is packed with ASM Guard.
Image 10 is a screenshot of the resource section of the driver loader packed with ASM Guard. Two columns side by side, both showing ASM Guard.
Figure 10. The resource section of the driver loader is packed with ASM Guard.

Figure 11 shows what the driver entry point looks like after it has been protected with Safengine Shielden.

Image 11 is a screenshot of code. The driver is protected with Safengine Sheldon v2.0.0.
Figure 11. Static view of driver protected with Safengine Shielden.

The primary objective of both drivers is to contain a list of security endpoint products to target for termination or deletion. The hard-coded list of security product string names shown in Figure 12 is used in a comparison operation against actively running processes on a system.

Image 12 is a screenshot of many lines of code. The first driver is targeting security processes to terminate them. These run through lines 51 to 86.
Figure 12. First driver targeting list of security processes for termination.

If the system has a process name that matches the hard-coded security tool process name, then an undocumented IOCTL code is used (0x222094) for termination of the process as shown in Figure 13. The primary difference between the two drivers is the use of file paths and the IOCTL (0x222184), which will delete the file based on the file path provided.

Image 13 is a screenshot of many lines of code. The second driver is targeting file paths and processes. An arrow points to line 63. Function IOCTL: 0x222184. A second arrow points to ;time 76. Function IOCTL: 0x222094.
Figure 13. Second driver targeting file paths and list of processes.

Discovery and Reconnaissance

Unit 42 researchers observed Medusa ransomware actors using the portable version of Netscan – with a novel twist. An associated netscan.xml file was paired with software that bolstered the overall functionality out of the box. This included various types of remote service discovery and preconfigured mappings for actions such as PsExec as well as the deployment of the ransomware binary.

Many options are available from the custom configuration related to the following:

  • WMI
  • Registry
  • Services
  • Files
  • SNMP
  • Account groups
  • XML
  • SSH
  • PowerShell

The remote scripting features extend the tool’s capabilities with VBScript and JScript.

The remote scripts that are included use Cyrillic script (shown in Figure 14).They are translated into English (shown in Figure 15). This provides a clue to the preferred language of the creator and users of the configuration, and possibly of the background of the Medusa ransomware group using these features.

Image 14 is a screenshot of the Remote Scripting window. Highlighted in a red box are the Item Name and Script columns. The text is in Cyrillic.
Figure 14. Remote scripting feature in original Cyrillic.
Image 15 is a screenshot of the Remote Scripting window. Highlighted in a red box are the Item Name and Script columns. The text has been translated to English. Items include list of files, login time, IP and MAC configuration and more.
Figure 15. Remote scripting feature translated to English.

Figure 16 shows an example of the codebase for the list of files script and the contents related to what the files enumerated under the Windows directory return.

Image 16 is a screenshot of a list of script files. A red arrow points to the script output.
Figure 16. Example for list of script files.

Figure 17 shows the codebase for the login time script related to specific login types found and the fields it returns.

Image 17 is a screenshot of an example login time script. Some information has been redacted.
Figure 17. Example for login time script.

Upon finishing a network scan, the operator of the tool can then right-click on a device listed in the results and will have many custom point-and-click options available on a remote system as shown below in Figure 18. The options in the menu shown in Figure 18 that end with Gaze show a naming convention used by Medusa ransomware related to the ransomware binary, and give insight into a technique for deploying Medusa ransomware.

  • Copy_Gaze (Ctrl+G)
  • Deploy Gaze (Ctrl+T)
  • Copy_Run_Gaze (Ctrl+W)
Image 18 is a screenshot of SoftPerfect Network Scanner. Highlighted in red in the Open Device menu is a secondary menu of options. Some of the text is in Cyrillic.
Figure 18. Medusa ransomware configuration.

In-Depth Look Into Medusa’s Gaze

Unit 42 observed a common theme in Medusa’s ransomware binary that aligns with the mythology of Medusa herself: the use and inclusion of the term gaze in the debug path in PEStudio, as shown in Figure 19. This theme continued with the name of the binary and the naming scheme used in the netscan.xml configuration file (mentioned previously). We will refer to the ransomware binary as Gaze in the next section.

Image 19 is a screenshot in pestudio 9.34 of the PDF string in Gaze binary, highlighted in red.
Figure 19. PDB string in Gaze binary.

The Windows variant of Medusa ransomware can be run with 11 possible arguments, as shown below in Table 1.

ArgumentPurpose
VCheck the version of the ransomware binary
nUse network drive (uses a byte flag)
sExclude system drive (uses a byte flag)
dDo not delete itself
fExclude system folder
pDo not use preprocess (uses a byte flag)
kLoad RSA public key from file
tLoad ransom note from file
wPowerShell -execution policy bypass -File %s
vShow console window
iEncrypt a specific folder

Table 1. Medusa ransomware parameters.

When running a Windows executable sample from November 2023 with the -V argument, the sample identifies as version 1.20 as shown below in Figure 20. This versioning system shows that the ransomware has some sort of development cycle, as one of the earliest public sightings of the ransomware binary was uploaded in February 2023 and is version 1.10. It is observed within SHA-256 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270.

Image 20 is a screenshot of the code that states the version of Medusa ransomware. Some information is redacted. The version is 1.20.
Figure 20. Ransomware sample version.

The Medusa ransomware binary employs string encryption for the following functions:

  • Targeted services
  • Targeted processes
  • File extension allowlist
  • Folder path allowlist

Figure 21 shows one code block example of the many string decryption code blocks within the binary, all of which have a similar control flow. Each string decryption code block has two functions. The first function moves the encrypted string into memory shown as u42_push_string_medusa in Figure 21. The second function is named u42_string_decrypt_7characters and uses an XOR encryption method with the key of 0x2E (also Figure 21).

Image 21 is a screenshot of the string decryption function in Gaze.exe.
Figure 21. String decryption function in the Gaze.exe ransomware sample.

In Figure 22, the hex representation for the string is moved and allocated on the functions stack frame, and then the hex string is moved into a section of memory and retrieved with a dereferenced pointer.

Image 22 is a screenshot of decompiled moving encrypted hex string 0x2E6F7D7B6A6B6300.
Figure 22. Decompiled view of moving encrypted hex string 0x2E6F7D7B6A6B6300.

When the function u42_push_string_medusa is done and returns a pointer to the string, it will initially be located in EAX as shown in Figure 21. EAX will be moved into ESI and then the contents of ESI will be moved into ECX. The register ECX is the parameter passed to the function u42_string_decrypt_7character, which contains the encrypted string pointer.

The pointer to the string contents is used as an array to access each character in the string. XOR decrypts it with the key of 0x2E as shown in Figure 23.

Image 23 is a screenshot of the decompiled string decryption function 0x2E6F7D7B6A6B6300.
Figure 23. Decompiled view of string decryption function used on 0x2E6F7D7B6A6B6300.

Validation of the string decryption method can be seen as shown in Figure 24 with a CyberChef recipe.

Image 24 is a screenshot of CyberChef. The string decryption is being verified. In the left column is the “recipe.” In the right column is the Input and Output which are highlighted in red boxes.
Figure 24. Verification of string decryption using CyberChef.

Medusa ransomware uses RSA asymmetric encryption for protecting the AES256 key used for encrypting a victim’s files. The AES256 key is set up using a 32-byte key and a 16-byte initialization vector. The encrypted files are renamed with the extension .medusa.

During file enumeration and encryption, the sample avoids files with the following extensions:

  • .dll
  • .exe
  • .lnk
  • .medusa

The list of folder paths to skip is as follows:

  • \Windows\
  • \Windows.old\
  • \PerfLogs\
  • \MSOCache\
  • G_skp_dir
  • Program Files
  • Program Files (x86)
  • ProgramData.

The ransom note is dropped as !!read_me_medusa!!.txt and its contents are shown in Figure 25.

Image 25 is a screenshot of a Medusa gang ransom note. It starts with ASCII art of MEDUSA. Then there is a description of what has happened to the network and data, a list of guarantees, who to contact and how, as well as instructions on how to use TOR. Some of the information has been redacted.
Figure 25. Medusa ransomware ransom note.

The ransomware will perform various vssadmin-related operations, and it deletes itself with the following commands to impact recovery and forensic efforts:

  • vssadmin Delete Shadows /all /quiet
  • vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  • vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  • cmd /c ping localhost -n 3 > nul & del

Conclusion

The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape. This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques.

The Medusa Blog signifies a tactical evolution toward multi-extortion, with the group employing transparent pressure tactics on victims through ransom demands publicized online. With 74 organizations across a spectrum of industries affected to date, Medusa’s indiscriminate targeting emphasizes the universal threat posed by such ransomware actors.

Technical analysis by Unit 42 researchers reveals the nuanced exploitation strategies employed by the Medusa ransomware group, from webshell placement on compromised servers to the deployment of encrypted kernel drivers. This culminates in a novel application of netscan tools and Medusa’s gaze leading to file encryption using the ominous .medusa file extension. As such, Medusa ransomware stands as a significant threat to organizations, demanding a more proactive and strong defensive strategy.

Indicators of Compromise

Hashes

4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6Medusa Ransomware
657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980Medusa Ransomware
7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95Medusa Ransomware
9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669Medusa Ransomware
736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270Medusa Ransomware

Infrastructure

  • Medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion
  • medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion

Source : https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/

MITRE TTP :

Initial Access (TA0001):

  • Exploit Public-Facing Application (T1190): Medusa operators exploited vulnerabilities in public-facing services, such as Microsoft Exchange Server, to gain initial access.
  • Valid Accounts (T1078): The group hijacked legitimate accounts for infiltration, often utilizing initial access brokers.

Execution (TA0002):

  • Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell was used to execute a bitsadmin transfer for downloading malicious files.
  • User Execution (T1204): Victims may be tricked into executing the ransomware through social engineering or other means.

Persistence (TA0003):

  • Web Shell (T1505.003): A webshell was uploaded to the exploited server for persistent access.

Privilege Escalation (TA0004):

  • Exploitation for Privilege Escalation (T1068): The group may exploit vulnerabilities to escalate privileges on the compromised system.

Defense Evasion (TA0005):

  • Obfuscated Files or Information (T1027): Kernel drivers were obfuscated using Safengine Shielden to evade detection.
  • Process Injection (T1055): The ransomware may inject malicious code into legitimate processes to evade security products.
  • Deobfuscate/Decode Files or Information (T1140): The ransomware decrypts its strings using an XOR encryption method.

Credential Access (TA0006):

  • Credentials from Web Browsers (T1555.003): Medusa ransomware may target credentials stored in web browsers for further exploitation.

Discovery (TA0007):

  • System Network Configuration Discovery (T1016): The group used tools like Netscan to discover network configurations and services.
  • Remote System Discovery (T1018): The use of Netscan also facilitated the discovery of remote systems on the network.

Lateral Movement (TA0008):

  • Remote Services: SMB/Windows Admin Shares (T1021.002): The group may use SMB for lateral movement and spreading the ransomware.

Collection (TA0009):

  • Data from Local System (T1005): Medusa ransomware encrypts files on the local system for extortion.

Command and Control (TA0011):

  • Application Layer Protocol (T1071): The group communicates with its command and control servers using protocols like HTTP/S.

Exfiltration (TA0010):

  • Exfiltration Over C2 Channel (T1041): Sensitive data is exfiltrated to the attackers’ servers for leverage in the extortion process.

Impact (TA0040):

  • Data Encrypted for Impact (T1486): Files are encrypted with the .medusa extension, rendering them inaccessible to the victims.