How Medusa Ransomware works

B2B Cyber Security ShortNews

Research team Unit 42 has released a new research report on the Medusa ransomware gang, revealing the threat actors' tactics, tools and procedures.

Unit 42 noted an escalation in Medusa ransomware operations and a shift in tactics toward extortion, marked by the launch of a dedicated leak site (DLS) called Medusa Blog in early 2023. Medusa threat actors use this website to publish sensitive data of victims who are unwilling to meet their ransom demands. As part of their multi-extortion strategy, the group offers victims several options once their data is listed on the leak site, such as a time extension, data deletion or a download of all the data. All of these options come at a price, which varies depending on the affected organization.

In addition to using an onion site for extortion, Medusa threat actors also operate a public Telegram channel called “Information Support,” where files from compromised organizations are shared publicly and are more easily accessible than on traditional onion sites.

Insights into Medusa ransomware

  • The new Medusa Blog, accessible via Tor and launched in early 2023, exposes sensitive data of victims who are unwilling to respond to ransom demands.
  • The operators offer victims multiple paid options once their data is published on the DLS. For example, the standard fee for a time extension that delays publication on the blog is $10,000.
  • Medusa is opportunistic and targets a wide range of industries, including technology, education, manufacturing and healthcare. In 2023, 74 organizations worldwide were affected.
  • The group gains initial access primarily by exploiting vulnerable services or publicly accessible assets and applications with known, unpatched vulnerabilities, and by hijacking legitimate accounts, often relying on initial access brokers for the intrusion.
  • The group uses a public Telegram channel called “Information Support,” which shares files from compromised organizations and is more accessible than traditional onion sites.
More at PaloAltoNetworks.com

About Palo Alto Networks

Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.
