The Medusa ransomware gang is a ransomware-as-a-service (RaaS) operation first identified in June 2021. Since then, it has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
Medusa – not connected to MedusaLocker ransomware, which emerged in 2019 – initially began as a closed ransomware operation. While Medusa has since progressed to an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers, and the group typically buys entry into victims’ environments from initial access brokers on Dark Web forums. During attacks, Medusa actors use a wide range of legitimate software, including remote access tools, to move laterally across users, systems and networks.
To add insult to injury, Medusa operates a data-leak site where it lists victims and sets countdowns for data release. Victims can delay the countdown by paying $10,000 in cryptocurrency per day. In a notable escalation indicating triple extortion, one victim reported that after they paid the ransom, a different Medusa affiliate contacted them, claiming the initial negotiator had absconded with the payment. This affiliate then demanded an additional payment for the true decryption key.
Medusa actors typically rely on living-off-the-land (LOTL) techniques to evade detection: they abuse built-in utilities rather than deploying traditional malware, for example native tools like PowerShell (a scripting language commonly used to automate system management tasks in Windows environments).
A key component of some attacks is abusing legitimately signed but vulnerable drivers, in what is known as “bring your own vulnerable driver” (BYOVD) attacks. Windows allows these drivers to be installed because they are signed (i.e., verified), and loading one grants the attackers elevated access. Medusa threat actors use BYOVD to kill and even delete endpoint detection and response (EDR) products. Within the last few years, we have seen the BYOVD technique used more frequently, specifically in Medusa attacks. These threat actors use KillAV (malware that disables or “kills” antivirus software) together with the associated vulnerable drivers as part of the attack chain to cripple security defenses and maintain persistent access to compromised systems.
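The BYOVD pattern above (a signed driver dropped outside the normal driver directory, or one whose hash is on a vulnerable-driver list) is something a SOC can triage from driver-load telemetry. The following is an added example, not code from the original article or from any vendor: it runs a simple check over constructed Sysmon Event ID 6 (DriverLoad) records; the paths, timestamps and hashes are made up, and the one-entry blocklist is a placeholder for a real feed such as Microsoft's vulnerable driver blocklist or LOLDrivers.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 6 (DriverLoad) records, one JSON object per line.
# Field names follow Sysmon's schema; the paths, times and hashes are made up.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2024-05-01 10:02:11", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2024-05-01 10:05:40", "ImageLoaded": "C:\\Users\\Public\\Temp\\svc.sys", "Hashes": "SHA256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2024-05-01 10:06:02", "ImageLoaded": "C:\\ProgramData\\upd\\mon.sys", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222", "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"}
"""

# Placeholder entry standing in for a real vulnerable-driver blocklist
# (Microsoft's or LOLDrivers); production code would load the real feed.
KNOWN_VULNERABLE_SHA256 = {"deadbeef" * 8: "constructed placeholder driver"}

# Windows' own drivers live here; a signed .sys loaded from a user-writable directory is the BYOVD shape described above.
TRUSTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)

def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA256=..,MD5=..' field into {algorithm: lowercase hash}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {alg.strip().upper(): val.strip().lower() for alg, val in pairs}

def triage_driver_load(event: dict) -> List[str]:
    """Return the reasons one DriverLoad event deserves analyst attention."""
    reasons: List[str] = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist: " + KNOWN_VULNERABLE_SHA256[sha256])
    signed = event.get("Signed", "false").lower() == "true"
    if signed and not TRUSTED_DRIVER_DIR.match(event.get("ImageLoaded", "")):
        reasons.append("signed driver loaded from outside System32\\drivers")
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("driver unsigned or signature did not validate")
    return reasons

def scan_driver_loads(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage over JSON-lines Sysmon output; return only the flagged loads."""
    flagged = []
    for line in filter(str.strip, lines):
        event = json.loads(line)
        if event.get("EventID") == 6 and (reasons := triage_driver_load(event)):
            flagged.append((event["ImageLoaded"], reasons))
    return flagged

if __name__ == "__main__":
    for image, reasons in scan_driver_loads(SAMPLE_EVENTS.splitlines()):
        print(image, "->", "; ".join(reasons))
```

A path-based hit alone is a lead, not a verdict: legitimate installers occasionally load signed drivers from temporary directories, so the hash match and the timing relative to any EDR process termination are what raise confidence.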
In addition to patching systems promptly, implementing network segmentation, and deploying multifactor authentication (MFA), there are several recommendations to mitigate the threat of Medusa ransomware, including disabling command-line and scripting activities and permissions to limit LOTL techniques. Privilege escalation and lateral movement – gaining higher system privileges and access to additional systems within a network – often depend on software utilities run from the command line. Security and information technology (IT) teams should make that as difficult as possible for the threat actors: limiting their ability to execute commands and deploy software utilities limits their ability to gain higher access or broader control.