Medusa group steps up ransomware activities

A fast rising ransomware outfit is escalating its activities and has launched a new blog offering victims a variety of payoff options, according to a report released Thursday by Palo Alto Networks’ Unit 42. The new Medusa Blog is used by the group to post stolen data with the threat of exposing the data if a victim doesn’t comply with the group’s ransom demands.

At the onion site, which can be accessed via the Tor network, a victim can see a “countdown” to the time their data is made public and available to download, a price tag for deleting the data, and the price of a time extension—US$10,000—for delaying exposure of the data to the public.

In addition to the Medusa Blog, the group has established a public Telegram channel named “information support,” which is more accessible than traditional Dark Web onion sites, for exposing files pilfered from compromised organizations.

“In the last year we’ve seen a significant number of high severity, internet accessible vulnerabilities that provided a notable opportunity for ransomware groups to exploit,” says Anthony Galiette, a senior reverse engineer with Unit 42. “We believe these critical vulnerabilities have contributed to Medusa’s increase in activity in recent months.”

Medusa group has no code of ethics.

There may be another reason for Medusa’s increased activity. “Medusa has been very successful lately and notably they are a group that tends to focus specifically on the healthcare sector,” notes Darren Williams, CEO and founder of BlackFog, an endpoint security company. “This could be a contributing factor to their success as the healthcare sector is both rich with data but poor in terms of cybersecurity practices and investments with older legacy hardware and software.”

Doel Santos, a principal threat researcher at Unit 42, points out some distinctive aspects about the Medusa gang. “While technical capabilities vary between ransomware groups, Medusa is one of the few we have observed using tools such as NetScan for staging and deploying ransomware.”

He added that the group doesn’t have a code of ethics, as some groups claim to have. “Throughout 2023, we saw the group compromise multiple school districts and publish highly sensitive information about students,” Santos says.
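The NetScan remark above is the one concrete tooling detail the report gives, and it is something a defender can hunt for. The following is an added example, not code from Unit 42 or from the article: it triages constructed Sysmon-style process-creation records for launches of SoftPerfect Network Scanner and ranks them by how much the launch looks like post-compromise staging (binary run from a drop directory, an IP range on the command line, a service account at the keyboard). The image names, the suspect directories, the service-account naming convention and the sample records are all assumptions made for the illustration.

```python
"""Rank process-creation events that look like NetScan being used for
ransomware staging.  Added illustration: the records below are constructed,
not real telemetry, and the binary names / directory list are assumptions."""
import json
import re
from pathlib import PureWindowsPath

# Assumed image names for SoftPerfect Network Scanner (installed and portable).
NETSCAN_IMAGES = {"netscan.exe", "netscan_portable.exe"}

# Directories an interactive admin would not normally launch tooling from
# (assumed list; tune to the environment).
SUSPECT_DIRS = ("c:\\users\\public", "c:\\perflogs",
                "c:\\windows\\temp", "c:\\programdata")

# An IPv4 range (a.b.c.d-e.f.g.h) or CIDR (a.b.c.d/nn) on the command line
# suggests an unattended sweep rather than a one-off lookup.
RANGE_RE = re.compile(
    r"\b\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3}(?:\.\d{1,3}){3}|/\d{1,2})\b")

# Constructed Sysmon-style (Event ID 1) records, one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID":1,"Image":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE","User":"CORP\\\\jdoe","CommandLine":"WINWORD.EXE"}
{"EventID":1,"Image":"C:\\\\Users\\\\Public\\\\netscan.exe","User":"CORP\\\\svc-backup","CommandLine":"netscan.exe 10.0.0.1-10.0.255.254"}
{"EventID":1,"Image":"C:\\\\Tools\\\\netscan_portable.exe","User":"CORP\\\\admin","CommandLine":"netscan_portable.exe"}
{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\svchost.exe","User":"NT AUTHORITY\\\\SYSTEM","CommandLine":"svchost.exe -k netsvcs"}
"""


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record.

    Only NetScan launches are scored; anything else returns 0 so the caller
    can drop it.  Each additional staging indicator adds one point."""
    reasons: list[str] = []
    image = event.get("Image", "")
    path = PureWindowsPath(image)
    name = path.name.lower()
    if name not in NETSCAN_IMAGES:
        return 0, reasons
    reasons.append(f"known scanner binary {name}")

    parent_dir = str(path.parent).lower()
    if parent_dir.startswith(SUSPECT_DIRS):
        reasons.append(f"launched from {parent_dir}")

    if RANGE_RE.search(event.get("CommandLine", "")):
        reasons.append("IP range or CIDR on command line (unattended sweep)")

    user = event.get("User", "")
    # Assumed convention: service accounts are named svc-<something>.
    if user.lower().split("\\")[-1].startswith("svc-"):
        reasons.append(f"run as service account {user}")

    return len(reasons), reasons


def triage(raw_lines: str) -> list[dict]:
    """Parse newline-delimited JSON records and return the flagged ones,
    highest score first."""
    hits = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue
        score, reasons = score_event(event)
        if score:
            hits.append({"image": event["Image"], "user": event.get("User"),
                         "score": score, "reasons": reasons})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], hit["user"], "; ".join(hit["reasons"]))
```

On the constructed input the scanner launched from C:\Users\Public by a service account with a /16-sized range on the command line scores 4, while the same tool run from a tooling directory by an admin scores 1; the point is that the binary name alone is a weak signal in environments where administrators legitimately use it, and it is the combination with where, how and as whom it ran that separates staging from routine use.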

Medusa uses initial access brokers for network access

Other distinctions include Medusa having its own media and branding team, focusing on exploiting internet-facing vulnerabilities, and using initial access brokers (IABs) to gain access to systems. “Initial access brokers provide threat actors with valet access to the front door of an organization,” Galiette explains. “While there’s a cost associated with it, leveraging these groups has proven very lucrative in the past.”

“Overall,” Galiette adds, “we’re seeing the more active or advanced ransomware groups leverage initial access brokers. The smaller or emerging ransomware groups don’t necessarily have the capital to leverage IABs in the same way.”

The group also runs a double-extortion scheme with two separate demands. “The use of a double ransom is notable for Medusa, where they leverage one ransom to decrypt the encrypted parts of an environment and a separate extortion demand to prevent leaking stolen data from their victims onto the larger internet,” says Steve Stone, head of Rubrik Zero Labs, the cybersecurity research unit of Rubrik, a global data security and backup software company.

Indiscriminate targeting a universal threat posed by ransomware actors

The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape, the Unit 42 report noted. This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques.

The Medusa Blog signifies a tactical evolution toward multi-extortion, with the group employing transparent pressure tactics on victims through ransom demands publicized online, it continued. With 74 organizations across a spectrum of industries affected to date, Medusa’s indiscriminate targeting emphasizes the universal threat posed by such ransomware actors.

“As we can see from the statistics, the problem is not only getting worse, it is accelerating at a pace organizations cannot keep up with,” adds Williams. “We also need to recognize that the AI revolution is playing a part in this trend, as we are now seeing threat actors train their systems on vulnerabilities, products, and people. While cybersecurity companies are also using AI for prevention, it is a game of cat and mouse right now and organizations are not adopting these new technologies fast enough, or at all, to provide adequate protection.”
