You hear about this Medusa ransomware? Ay, Dios mío, this one is giving headaches everywhere. I read this big report, very technical, from the smart people, and I want explain it for you, simple but serious.
Medusa Ransomware: Not the Old One, This One is Different!
First thing, okay? This Medusa ransomware, we start seeing it around June 2021. Is not the same as MedusaLocker from 2019, or some phone virus. No, no. FBI, CISA, the big agencies, they say this Medusa is new, different TTPs – you know, Tactics, Techniques, and Procedures.
This Medusa is growing fast, like mala hierba (bad weed). Why? Because it uses a Ransomware-as-a-Service (RaaS) model. Think like this: some smart bad guys make the ransomware weapon (the encryptor, the website for payment). Then, they rent this weapon to other bad guys, the “affiliates”. These affiliates do the dirty work – break into your network, deploy the ransomware. The creators, they handle the money talk, the negotiation. Is like a franchise, but for crime!
This model makes it easy for more criminales to do ransomware attacks, even if they not super technical. Medusa pays affiliates good money, sometimes up to $1 million, so many want to join. They even look for Initial Access Brokers (IABs) – people who just break in and sell the access. Easy job for the affiliate, just deploy the poison.
And Medusa is getting busy! Especially now, maybe because police took down other big groups like LockBit. Medusa is like, “Okay, is our turn now!” CISA says attacks maybe doubled early this year (2025). They are hitting many places, over 300, maybe 400 organizations! Is serious problem.
Who Does Medusa Like to Attack? (Victimology)
Medusa is not random. They like specific targets, places where it hurts more.
- Industries: They go after Critical Infrastructure. Think hospitals (healthcare), schools (education), factories (manufacturing), technology companies, even lawyers and insurance. Why? Because these places cannot stop working. Imagine hospital systems down? Or school data stolen? These places feel big pressure to pay ransom fast to get back online and protect información sensible like PII or PHI.
- Location: Medusa attacks are global, many countries. But they really like the United States – maybe half of the victims are there! Also UK, Canada, Germany, Australia. They even advertise looking for access in these specific countries. But, funny thing, they seem to avoid Russia and CIS countries. Hmm, maybe tells you something where the jefes (bosses) might be living, eh?
- Size: Big companies, small companies, government – Medusa doesn’t care too much about size. Big targets like Toyota Financial Services, Minneapolis Public Schools, PhilHealth in Philippines. But also smaller ones. If you are in the right industry and location, and they can get in, ¡cuidado! (be careful!). Is opportunistic.
How Medusa Gets In and Does Its Damage (The Attack Lifecycle)
Okay, now the technical part. How they do it? They follow steps, like a recipe for disaster. Is aligned with MITRE ATT&CK framework, if you know that.
- Initial Access (Getting a Foot In):
- Exploiting Vulnerabilities: This is big one. They find weaknesses in software facing the internet, things not patched. Like CVE-2024-1709 (ScreenConnect), CVE-2023-48788 (Fortinet), maybe old Exchange problems (ProxyShell). Patch your systems, people!
- Phishing: Sending tricky emails to steal passwords or make you run malware. Classic, but still works.
- RDP: Using stolen Remote Desktop passwords, maybe bought from IABs.
- Execution (Running the Bad Code):
- Living off the Land (LotL): This is muy importante. Medusa loves using tools already on your Windows computer! PowerShell, WMI, cmd.exe, PsExec, Certutil, Task Scheduler. They use these normal tools to do bad things: look around, move files, run the ransomware (gaze.exe). Why? Because it looks like normal activity! Harder to detect.
- Hijacking IT Tools: Sometimes they use legitimate tools like PDQ Deploy or RMM software (ConnectWise, AnyDesk) to spread the ransomware. Sneaky!
- Persistence (Staying Inside):
- They create new accounts, maybe admin accounts.
- They put things in Registry Run keys or make Scheduled Tasks so the malware runs again even if you reboot.
- Privilege Escalation (Getting More Power):
- They try to bypass UAC (User Account Control).
- They use stolen passwords (maybe dumped from LSASS using Mimikatz) to become Administrator.
- Defense Evasion (Hiding from Security):
- LotL: Like I said, using normal tools is great for hiding.
- Obfuscation: They hide their PowerShell scripts using Base64 encoding, compression, maybe packers. Make it hard to read.
- Disabling Security: They try to turn off your antivirus (EDR, Microsoft Defender, Sophos mentioned). How? Sometimes with batch scripts, sometimes with…
- Bring Your Own Vulnerable Driver (BYOVD): This is clever but malo. They install an old, signed driver that has a known vulnerability. Because it’s signed, Windows trusts it. Then they exploit the vulnerability in this driver to get kernel power and kill security software! Drivers like KillAV, POORTRY, smuol.sys, zrapb.sys seen.
- Cleaning Up: They delete logs, clear PowerShell history, maybe self-delete the ransomware file (gaze.exe) after running.
- Safe Mode: Sometimes they reboot computer into Safe Mode to run the encryption, because many security tools don’t work well there.
- Credential Access (Stealing Passwords):
- Mimikatz: Very common tool to dump passwords from memory (LSASS).
- Brute Force: Trying many passwords on RDP, etc.
- Discovery (Looking Around):
- They use tools like ipconfig, netstat, net share, systeminfo, and network scanners (Advanced IP Scanner, SoftPerfect) to map your network, find computers, and find shared folders with important data.
- Lateral Movement (Spreading):
- Using stolen credentials with RDP or PsExec to jump from one computer to another.
- Using RMM tools (AnyDesk, ConnectWise, etc.) already on the network.
- Collection & Exfiltration (Stealing Data):
- Before encrypting, they steal your important files. Why? For double extortion.
- Command and Control (Talking to Bosses):
- They use standard web traffic (HTTPS, port 443) to communicate back to their servers, hiding in normal network noise.
- They download more tools using PowerShell, Certutil, BITSAdmin.
Double (Maybe Triple?) Extortion: Paying is Not Simple
Medusa doesn’t just encrypt your files (using strong encryption like AES-256). No, that’s old style. They do double extortion:
- Encrypt your files and demand ransom to get the key.
- Threaten to publish the data they stole on their leak site (the “Medusa Blog”) if you don’t pay.
Some reports even say maybe they try triple extortion – maybe adding DDoS attacks or contacting your customers/partners directly. ¡Qué descaro! (What nerve!)
How to Protect? (Mitigation)
Okay, is scary, I know. But you can fight back. No magic solution, need many layers, like cebolla (onion).
- Patching: Keep systems updated! Especially internet-facing ones (VPNs, RDP, Exchange). Fix those CVEs they exploit.
- Access Control: Use strong, unique passwords. Use Multi-Factor Authentication (MFA) everywhere possible! Limit admin privileges.
- Network Segmentation: Don’t let attackers move easily. Separate critical systems.
- Endpoint Security: Good Antivirus/EDR that can detect suspicious behavior (like LotL abuse).
- Backups: Have offline, immutable backups. Test restoring them! Is your lifeline if you get hit.
- User Training: Teach users about phishing emails. Don’t click strange links or attachments!
- Disable Unused Tools: If you don’t need PowerShell on some machines, restrict it. Limit RDP access.
Conclusion: Stay Vigilant, Amigos!
Medusa ransomware is a big threat, de verdad. They are organized, use smart techniques like LotL and BYOVD, and target critical places to make maximum pressure. They are growing because the RaaS model works and maybe because other groups are gone.
You need a strong defense. Patching, MFA, backups, EDR, training – do the basics right. Understand their tactics. Don’t make it easy for them. Stay safe out there, mi gente!
CISA Cybersecurity Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a