In 2023, a ransomware operation by the name of Medusa began to gain momentum. It targets corporate targets globally and demands a million-dollar ransom.
Starting in June 2021, the Medusa operation saw just a small number of victims and a low level of activity. However, the ransomware gang ramped up its operations in 2023 and established a "Medusa Blog" that allowed victims who declined to pay a ransom to have their data released.
Last week, Medusa came under public scrutiny after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the data that was taken.
Will the genuine Medusa rise up?
Medusa is the name of several malware families, including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities.
Owing to the family's popularly used name, there has been some ambiguous information about it, leading many people to believe it is the same as MedusaLocker.
Yet, there are significant operational differences between the Medusa and MedusaLocker malware.
The MedusaLocker operation debuted in 2019 as a Ransomware-as-a-Service, with a large number of affiliates, a ransom note typically called How_to_back_files.html, and a wide range of file extensions for encrypted files.
For negotiation, the MedusaLocker operation uses a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion.
However, the.MEDUSA static encrypted file extension and the !!!READ_ME_MEDUSA!!!.txt ransom notes have been used by the Medusa ransomware operation since its launch in June 2021.
Using Windows devices to encrypt data
Currently, it is unknown if BleepingComputer has a Medusa encryption programme for Linux; they have only been able to analyse the Windows version.
The Windows encryptor will accept command-line arguments that let a threat actor control the encryption settings for files on the system.
For instance, the ransomware will display a console and display status messages as it encrypts a device if the -v command line argument is used.
The Medusa ransomware terminates over 280 Windows services and processes for programmes that might stop files from being encrypted on a regular basis, without command line parameters. Windows services for database servers, backup servers, and security applications are among them.
Then, in order to impede file recovery, the ransomware will erase Windows Shadow Volume Copies.
Michael Gillespie, a ransomware expert, examined the encryptor as well and revealed to BleepingComputer that it encrypts files using AES-256 + RSA-2048 encryption with the BCrypt library.
Like the majority of ransomware operations that target businesses, Medusa features a website called "Medusa Blog" that leaks data. The usage of this website is a part of the gang's double-extortion scheme, in which victims who decline to pay a ransom are given access to their data.
A victim's data is not instantly made public when they are joined to the data leak. As an alternative, the threat actors offer the victims payment choices to delay the release of data, erase the data, or download the entire set of data. The cost of each of these choices varies.
The ransom is demanded to increase the victim's stress and frighten them into paying a ransom. Regrettably, there are no documented flaws in the Medusa Ransomware encryption that allow victims to recover their files without paying.
