Cybercriminals associated with the Medusa ransomware have stepped up their activities following the launch, in February 2023, of a dedicated data leak site on the dark web, used to publish sensitive data of victims who are unwilling to meet their demands.
Why Medusa ransomware has intensified its attacks
“As part of their multi-extortion strategy, this group will provide victims with several options when their data are posted on their leak site, such as extending time, deleting data, or downloading all data,” Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report, adding that “all these options are priced depending on the organization affected by this group.”
Medusa (not to be confused with Medusa Locker) is a ransomware family that appeared in late 2022 and rose to prominence in 2023. It is known for opportunistically targeting a wide range of industries, including high-tech, education, manufacturing, healthcare, and retail.
As many as 74 organizations, mostly in the United States, the United Kingdom, France, Italy, Spain and India, are estimated to have been hit by the ransomware in 2023.
Attacks orchestrated by the group begin with the exploitation of Internet-exposed assets or applications carrying unpatched vulnerabilities and the hijacking of legitimate accounts, often relying on initial access brokers to gain a foothold in target networks.
In one case observed by the cybersecurity firm, a Microsoft Exchange server was exploited to upload a web shell, which was then used as a conduit to install and run ConnectWise remote monitoring and management (RMM) software.
A notable aspect of the infections is the reliance on “living-off-the-land” (LotL) techniques to blend in with legitimate activity and evade detection; the use of a pair of kernel drivers to terminate a hard-coded list of security products has also been observed.
The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors finally launching the ransomware to enumerate and encrypt all files except those with the .dll, .exe, .lnk and .medusa extensions (the last being the extension given to encrypted files). While these file types indicate that it mainly targets Windows environments, it cannot be ruled out that the operators will update it in future to run on macOS or GNU/Linux.
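The rename pattern described above (every eligible file gaining a .medusa suffix, with .dll, .exe, .lnk and already-encrypted files left alone) is something a defender can watch for in file-system audit telemetry. The following is an added example written for this article, not code from Unit 42 or from the article itself; the event tuples, the host names and the threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-rename audit events: (host, timestamp, old path, new path).
# Illustrative lines only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    ("ws01", "2023-12-04T10:00:01", r"C:\Users\a\doc1.docx", r"C:\Users\a\doc1.docx.medusa"),
    ("ws01", "2023-12-04T10:00:02", r"C:\Users\a\doc2.xlsx", r"C:\Users\a\doc2.xlsx.medusa"),
    ("ws01", "2023-12-04T10:00:02", r"C:\Users\a\photo.jpg", r"C:\Users\a\photo.jpg.medusa"),
    ("ws01", "2023-12-04T10:00:03", r"C:\Users\a\notes.txt", r"C:\Users\a\notes.txt.medusa"),
    ("ws02", "2023-12-04T10:05:00", r"C:\tmp\report.pdf", r"C:\tmp\report_final.pdf"),
    ("ws02", "2023-12-04T11:00:00", r"C:\tmp\x.txt", r"C:\tmp\x.txt.medusa"),
]

ENCRYPTED_EXT = ".medusa"
# Extensions the article says the ransomware skips (plus its own output extension).
SKIPPED_EXTS = {".dll", ".exe", ".lnk", ENCRYPTED_EXT}


def is_encryption_rename(old_path, new_path):
    """True if a rename matches the described behaviour: the original name kept
    intact, '.medusa' appended, and the source file not in the skipped set."""
    old_lower, new_lower = old_path.lower(), new_path.lower()
    if new_lower != old_lower + ENCRYPTED_EXT:
        return False
    # ntpath handles Windows-style paths regardless of the analyst's host OS.
    return ntpath.splitext(old_lower)[1] not in SKIPPED_EXTS


def find_encryption_bursts(events, threshold=3, window_seconds=60):
    """Return {host: count} for hosts with >= threshold Medusa-style renames
    inside any window_seconds-long sliding window (a burst, not a one-off)."""
    per_host = defaultdict(list)
    for host, ts, old, new in events:
        if is_encryption_rename(old, new):
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for host, times in per_host.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[host] = count
                break
    return flagged


if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_EVENTS))
```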
For each victim, the Medusa leak site displays information about the organization, the ransom demanded, the time left before the stolen data is released publicly, and the number of page views, in an attempt to put pressure on the company.
The perpetrators also offer the victim several choices, all involving a form of extortion: paying to have the stolen data deleted, paying to download it, or paying for an extension of time before it is published.
With ransomware continuing to pose a widespread threat, targeting tech companies, healthcare, critical infrastructure and everything in between, the threat actors behind it are becoming bolder in their tactics, going beyond publicly naming and insulting organizations to using threats of physical violence and even dedicated public relations channels.
“Ransomware has changed many facets of the threat landscape, but a key recent development is its increasing commercialization and professionalization,” Sophos researchers said last month, calling the ransomware gangs “increasingly media-savvy.”
Medusa, according to Unit 42, not only has a media team, likely to manage its branding efforts, but also leverages a public Telegram channel called “information support,” where files from compromised organizations are shared and can be accessed via the clearnet. The channel was established in July 2021.
“The emergence of Medusa ransomware in late 2022 and its notoriety in 2023 represents a significant development in the ransomware landscape,” the researchers said. “This operation shows complex propagation methodologies, exploiting both system vulnerabilities and initial access brokers, cleverly avoiding detection through ‘living-off-the-land’ techniques.”
The development comes as Arctic Wolf Labs disclosed two cases in which victims of the Akira and Royal ransomware gangs were targeted by malicious third parties posing as security researchers in secondary extortion attempts.
“Cybercriminals have woven a narrative of trying to help victim organizations, offering to infiltrate the server infrastructure of the original ransomware groups involved to delete exfiltrated data,” security researchers Stefan Hostetler and Steven Campbell said, noting that the threat actors were demanding around 5 bitcoin in exchange for the service.
It also follows a new warning from the Finnish National Cyber Security Centre (NCSC-FI) regarding an increase in Akira ransomware incidents in the country towards the end of 2023, exploiting a security flaw in Cisco VPN devices (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.