FOCUS MODE
EXTRACT IOC
Threat Research

Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware

AttackIQ
Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware
This article discusses a cybersecurity advisory released on March 12, 2025, by the FBI, CISA, and MS-ISAC regarding the Medusa ransomware, detailing its methods, impacts, and tactics used. Medusa is a Ransomware-as-a-Service operation that targets Windows environments and has affected over 300 victims. The advisory provides insights into its tactics, techniques, and procedures (TTPs) to help organizations bolster their security measures. Affected: Medusa ransomware, Windows-based environments, multiple industries.

Keypoints :

  • On March 12, 2025, a Cybersecurity Advisory was issued regarding Medusa ransomware.
  • Medusa ransomware has been active since June 2021, targeting Windows environments.
  • The ransomware has affected over 300 victims across various industries.
  • Medusa employs Living-off-the-Land (LotL) techniques to evade detection.
  • Collaboration with Initial Access Brokers (IABs) is a common practice among Medusa operators.
  • The advisory includes TTPs used by Medusa to improve cybersecurity defenses.
  • AttackIQ released an assessment template to help organizations test their defenses against Medusa’s behaviors.
  • CISA’s recommendations were highlighted for patching and detection.

MITRE Techniques :

  • Execution: Command and Scripting Interpreter: PowerShell (T1059.001): Encodes and executes PowerShell commands using base64 with specific parameters.
  • Persistence: Create Account: Local Account (T1136.001): Creates a new system user using the net user command.
  • Persistence: Scheduled Task/Job: Scheduled Task (T1053.005): Creates a scheduled task for persistence with schtasks utility.
  • Defense Evasion: Modify Registry (T1112): Enables Restricted Admin setting by modifying the registry key.
  • Defense Evasion: Disable or Modify Tools (T1562.001): Modifies the registry to enable Remote Desktop connections.
  • Defense Evasion: Disable or Modify System Firewall (T1562.004): Creates firewall rules to allow remote access.
  • Credential Access: OS Credential Dumping: LSASS Memory (T1003.001): Dumps LSASS process memory using Mimikatz.
  • Discovery: System Network Configuration Discovery (T1016): Retrieves information about network adapters using ipconfig command.
  • Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001): Uses RDP for lateral movement within the network.
  • Impact: Inhibit System Recovery (T1490): Deletes Volume Shadow Copies using vssadmin utility.
  • Impact: Data Encrypted for Impact (T1486): Encrypts files during a ransomware attack.

Indicator of Compromise :

  • [URL] http://malicious[.]com/path
  • [URL] https://example[.]com
  • [Domain] malicious[.]com
  • [Email] attacker@example[.]com
  • [Hash] 5d41402abc4b2a76b9719d911017c592

Full Story: https://www.attackiq.com/2025/03/13/cisa-advisory-aa25-071a/

Tags: DISCOVERY, LATERAL MOVEMENT, PERSISTENCE, VULNERABILITY, DEFENSE EVASION, TOOL, ACTIVE DIRECTORY, FIREWALL