In a world where a new technology emerges every moment, cyber criminals are manufacturing ransomware just as quickly. Medusa ransomware is one such strain that has gained considerable notoriety.
Medusa ransomware is a relatively new ransomware family that was first observed in June 2021. In March 2023, it attacked the Minneapolis School District where the gang allegedly demanded $1 million. It also attacked Gujarat Mineral Development Corporation (GMDC) and demanded $500,000. More recently, it attacked PhilHealth.
As of now, Medusa is an active threat that targets major corporations.
What makes Medusa dangerous?
Medusa is classified as ransomware: malicious software that encrypts and locks a victim’s files and then demands a ransom payment in exchange for a decryption key. It is human-operated ransomware, meaning it is deployed and run by human attackers rather than being distributed automatically. Medusa is known for targeted attacks against high-profile organizations. It appears to operate as Ransomware as a Service (RaaS), with affiliates using their own ransom notes and file extensions. Despite these variations, all Medusa attacks share a common modus operandi for compromising networks and encrypting data.
Medusa ransomware is typically spread through phishing emails or malicious attachments. It can also spread through torrent websites that host infected files, through exposed external remote services, or through malicious advertisements.
Once it is installed on a victim’s computer, it begins to encrypt files, making them inaccessible to the user. Medusa ransomware encrypts files using a strong encryption algorithm, and the only way to decrypt them is to obtain the decryption key from the attackers. The attackers typically demand a ransom payment in exchange for the decryption key.
Medusa ransomware is a dangerous threat because it can cause significant disruption to businesses and organizations. When files are encrypted by Medusa ransomware, employees cannot access them, which can lead to lost productivity and revenue. Additionally, businesses and organizations may be forced to pay the ransom demand in order to regain access to their files.
Currently, there is no publicly available decryption key or free decryptor for Medusa.
How to recognize the Medusa Ransomware?
Files encrypted by Medusa have ‘.Medusa’ in their names, and the ransom note is dropped as a text file named ‘!!!READ_ME_MEDUSA!!!.txt’.
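A triage script for those two indicators, added here as an example and not part of the original article: it walks a directory tree, flags the ‘.Medusa’ file marker and the ‘!!!READ_ME_MEDUSA!!!.txt’ note, and reports which folders were hit. The sample tree it builds is constructed for the demonstration and contains no real malware output.

```python
import os
import tempfile
from collections import Counter

# Indicators from the write-up: encrypted files carry ".Medusa" in the name,
# and the ransom note is dropped as "!!!READ_ME_MEDUSA!!!.txt".
ENCRYPTED_MARKER = ".medusa"
RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"


def scan_for_medusa(root):
    """Walk `root` and report Medusa indicators.

    Returns the ransom-note paths, the total number of files whose name
    contains the .Medusa marker (matched case-insensitively), and a per-
    directory count so responders can see which folders or shares were hit.
    """
    notes, per_dir = [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif ENCRYPTED_MARKER in name.lower():
                per_dir[os.path.relpath(dirpath, root)] += 1
    return {
        "ransom_notes": sorted(notes),
        "encrypted_files": sum(per_dir.values()),
        "per_directory": dict(per_dir),
        "infected": bool(notes) or bool(per_dir),
    }


def build_sample_tree():
    """Create a constructed, offline sample tree (not real ransomware output)."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    layout = {
        "finance": ["q3.xlsx.Medusa", "budget.docx.Medusa", RANSOM_NOTE],
        "hr": ["handbook.pdf.MEDUSA", RANSOM_NOTE],
        "public": ["readme.txt", "logo.png"],  # untouched folder
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    print(scan_for_medusa(build_sample_tree()))
```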
How does the Medusa Ransomware work?
Medusa compromises business networks by identifying weaknesses, notably unsecured Remote Desktop Protocol (RDP), then encrypts data and demands a ransom in exchange for the decryption key. As noted earlier, phishing is also used to gain access to organizational networks. Medusa uses PowerShell to execute commands and scripts, and it erases shadow copy backups and other system backups so that victims cannot restore their files.
The malware abuses the Microsoft Connection Manager Profile Installer (CMSTP), a built-in Windows tool, to run commands with elevated privileges. During this stage Medusa disables defensive software such as antivirus and antimalware programs, and it can reboot the host into Safe Mode to hinder endpoint defenses. Medusa then uses remote services to compromise other computers and devices within the network, spreading the ransomware payload further.
The final phase involves data encryption and the obstruction of system recovery. At this point, all files receive a new file extension, and the ransom note appears on the desktop.
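The behaviours described in this section (shadow copy deletion, a Safe Mode reboot, CMSTP abuse) are what a defender should alert on before the encryption phase begins. The detection logic below is an added example, not code from the article or from any vendor; the log record format, the regex patterns and the sample telemetry are this example's own assumptions and constructed data.

```python
import re

# Behaviours the write-up attributes to Medusa, mapped to command-line
# patterns to alert on in process-creation telemetry (e.g. Sysmon Event ID 1).
# The patterns are this example's own assumptions, not Medusa's exact commands.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "safe_mode_reboot": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "cmstp_inf_execution": re.compile(r"cmstp(\.exe)?\s+.*\.inf\b", re.I),
}


def parse_line(line):
    """Parse a constructed 'timestamp|host|user|image|commandline' record."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(lines):
    """Return (alerts, per_host): alerts as (ts, host, rule) tuples, and the
    set of distinct rules that fired on each host."""
    alerts, per_host = [], {}
    for line in lines:
        rec = parse_line(line)
        for rule, pattern in RULES.items():
            if pattern.search(rec["cmdline"]):
                alerts.append((rec["ts"], rec["host"], rule))
                per_host.setdefault(rec["host"], set()).add(rule)
    return alerts, per_host


def hosts_with_chain(per_host, min_rules=2):
    """Hosts where several distinct behaviours fired. A lone vssadmin call may
    be a backup admin; recovery inhibition plus defence evasion on one host is
    the pre-encryption pattern described above and warrants immediate isolation."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    r"2023-03-10T02:11:05|FS01|CORP\svc_admin|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2023-03-10T02:11:09|FS01|CORP\svc_admin|C:\Windows\System32\wbem\wmic.exe|wmic.exe shadowcopy delete",
    r"2023-03-10T02:12:30|FS01|CORP\svc_admin|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} safeboot network",
    r"2023-03-10T02:15:44|WS07|CORP\jdoe|C:\Windows\System32\cmstp.exe|cmstp.exe C:\Users\Public\profile.inf",
    r"2023-03-10T03:00:00|BACKUP02|CORP\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    alerts, per_host = detect(SAMPLE_LOGS)
    for alert in alerts:
        print(*alert)
    print("isolate first:", hosts_with_chain(per_host))
```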
How to prevent an attack by Medusa Ransomware?
There are several strategies that can help prevent Medusa ransomware attacks:
- Use strong passwords and implement multi-factor authentication: Employ robust, unique passwords for each account, and consider multi-factor authentication for added security.
- Remove outdated and unused user accounts: Inactive accounts can be exploited by hackers. Deactivate or close unused accounts, especially those associated with former employees. Implement the principle of least privilege for access control.
- Keep software updated: Regularly update software to patch vulnerabilities and protect against new threats like Medusa.
- Schedule regular backups: Maintain multiple copies of your data, including offline and off-site backups, to safeguard against disasters and ransomware attacks.
- Employ a cybersecurity solution: Consider either an in-house IT team or a cybersecurity service to identify and address network vulnerabilities.
- Develop a recovery plan: Create a data recovery plan to guide your actions in the event of a cyber incident.
What must you do following a Medusa Ransomware attack?
If you discover an attack has taken place, follow these steps.
- Isolate the compromised computer: Disconnect the affected device from the network and detach any devices connected to it.
- Contact local authorities: Report the attack to the appropriate law enforcement agencies, such as the local FBI field office and the Internet Crime Complaint Center (IC3).
- Gather evidence: Collect information about the attack, including screenshots of the ransom note, communications with the ransomware actors, and samples of encrypted files. Do not delete any evidence.
- Identify the ransomware variant: Determine the specific ransomware variant used in the attack, as this information may help in finding a decryption key (though Medusa does not have a public decryption key).
- Remove the ransomware and vulnerabilities: Ensure the device is free from ransomware and vulnerabilities to prevent further attacks. Consider professional ransomware removal services.
- Restore data from backups: Use backups to recover data.
- Consider ransomware recovery services: If you lack backups or require assistance in removing the ransomware and vulnerabilities, consider contacting ransomware recovery services. Avoid paying the ransom, as it does not guarantee data retrieval.
Prevention is better than cure, and this applies to all kinds of ransomware. Since Medusa targets large businesses, it is essential to make sure all employees are aware of the threat and trained in proper cyber hygiene.