MEDUSA RANSOMWARE: SETTING STRONG FOOTHOLD

Rakesh Krishnan
Coinmonks
8 min read · Jul 8, 2024


NOTE: Not to be confused with MedusaLocker Ransomware or Medusa Stealer, which are different from this ransomware variant. Many reports have lumped all of these together, which is a wrong attribution.

If you want to read a dedicated article on MedusaLocker, you may find it here.

Medusa on Throne (Greek Mythology) | Credit: Self-Generated Image

Here is a short glimpse of the topics covered in this Article:-

1. INTRODUCTION
2. VICTIMOLOGY
3. INFECTION CYCLE
4. RANSOMWARE INTERNALS
5. DARKWEB DATA LEAK SITE ANALYSIS
6. MEDUSA PARTNERING WITH OSINTCORP
7. INFRASTRUCTURE HUNTING
8. IOC

INTRODUCTION

Medusa Ransomware came into the limelight in June 2023, when a spike in its activity was detected, though the group was formed in 2021.

Medusa Data Leak Site Homepage

The ransom note is named !!!READ_ME_MEDUSA!!!.txt. Encrypted files get the extension .MEDUSA appended to their filenames. The contact emails found in the ransom note are:-

medusa.serviceteam@protonmail.com
medusa.support@onionmail.org

VICTIMOLOGY

At the time of writing (ATTOW), Medusa had listed about 255 victims on its data leak site on the Dark Web.

Out of these 138 are from the US, 22 from Canada, and 21 from the UK.

The list of other countries hit by Medusa is:-

Argentina
Colombia
Germany
Spain
Brazil
Chile
Egypt
Indonesia
Mexico
Morocco
Portugal
South Africa
Switzerland
United Arab Emirates
Belgium
Bolivia
Cyprus
Czechia
Dominican Republic
Estonia
Iran
Kenya
Peru
Netherlands
New Zealand
Pakistan
Philippines
Serbia
Singapore
Slovakia
Sweden
Thailand
Tonga
Venezuela

NOTE: The earliest victim-list toppers were the US, UK, France, Italy, Spain, and India, dating back to late 2023. Now the list is dominated by English-speaking nations such as Canada and Australia.

When it comes to industry, the breakdown is as follows:-

From this, it is evident that the group is more focused on targeting Manufacturing, Services, Education, Finance, and Healthcare Sectors.

The least targeted industries (which are not included in the graph) are:

RETAIL
LUXURY GOODS
ELECTRONICS
CHEMICAL
ARCHITECTURE

NOTE: This doesn’t mean the group won’t focus on the above-mentioned sectors, as a weakness in any sector is an open door for the Medusa Group.

From the victim list, it is notable that the group does NOT infect CIS Countries which comprise:

Belarus🇧🇾
Kazakhstan🇰🇿
Kyrgyzstan🇰🇬
Russia🇷🇺
Tajikistan🇹🇯

This can further be confirmed as I had a direct line of contact with Medusa Group:-

Chat Transcript with Medusa Group

From the above transcript, it can be seen that the group runs a RaaS (Ransomware-as-a-Service) business model and invites others to participate in its program, on the condition that CIS countries are not infected or targeted.

INFECTION CYCLE

Medusa Ransomware is delivered via common techniques such as phishing. Analyzing the attack matrix, it is found that this group specializes in exploiting well-known, widely publicized vulnerabilities and goes after easy targets.

Some of the vulnerabilities exploited are:-

📌CVE-2023-48788: SQL Injection Vulnerability in FortiClient Enterprise Management Server
📌CVE-2023-4966: CitrixBleed (August to October 2023)
📌WEBSHELL TO MICROSOFT EXCHANGE SERVER

As the group became prominent in 2023, it is worth noting which CVEs were available in late 2023 and 2024.

NOTE: The above-mentioned CVEs are confirmed to be exploited by Medusa Group from various security incident reports. The CVEs which date back to 2022 are used by MedusaLocker, which is different from Medusa Ransomware Group.

RANSOMWARE INTERNALS

This is not a detailed dig into the Medusa Ransomware codebase, but a highlight of the internals to give the gist:-

INTERNALS
=========
1. Coded in Visual C++, targeting the Windows platform
2. Some of the Medusa samples date back to 2021 (but again, NOT to be confused with MedusaLocker)
3. Executes PowerShell commands
4. Created/modified processes: net.exe, net1.exe, taskkill.exe, vssadmin.exe, vssvc.exe
5. One of the samples is taken directly from Ryuk Ransomware
6. Upon infection, the following processes are terminated:-

➵SQLsafe Backup Service
➵SQLsafe Filter Service
➵Symantec System Recovery
➵Sophos Web Control Service
➵Sophos System Protection Service
➵Sophos Safestore Service
➵Sophos Message Router
➵Sophos MCS Client
➵Sophos MCS Agent
➵Sophos Health Service
➵Sophos File Scanner Service
➵Sophos Device Control Service
➵Sophos Clean Service
➵Sophos AutoUpdate Service
➵Sophos Agent
➵Acronis VSS Provider
➵Veeam Backup Catalog Data Service
➵Acronis Scheduler (AcrSch2Svc)
➵BackupExecAgentAccelerator
➵ARSM

7. Using PowerShell to execute BitsAdminServer
8. Tools used after infiltration are:

➵ConnectWise: RMM
➵Safengine Shielden: Code Obfuscation
➵ASMGuard: Compressing Code
➵NetScan: Network Scanning

9. Using Cyrillic Script for Remote Scripts

https://analyze.intezer.com/analyses/7b3f14d5-3999-4ee1-92ec-653cd20cf8e9/sub/ebd5531f-a559-4842-ad0e-e3058dbd6cca/string-reuse

Upon analyzing the executed/created process list, it is found that the group makes use of the following processes, which are commonly used by other threat actors during a ransomware attack cycle.

1. net.exe and net1.exe are heavily abused by the following ransomware groups:-

BlackCat
Royal
LostTrust
Ryuk

net1.exe allows users to perform tasks such as adding or removing network users, changing user passwords, and mapping network drives.

2. taskkill.exe: Ransomware groups such as Mallox, Royal, WannaCry, Luna, DoNex, BlackByte, Kuiper, HelloKitty, Cl0p, Rorschach, Maze use it to forcefully terminate a process.

3. Processes like vssadmin.exe or vssvc.exe are used by ransomware groups across the board to delete any backups (shadow copies) of the files so that the user can’t restore them.

NOTE: From the above process list, it is evident that Medusa Group primarily focused on disabling the SOPHOS tool; as it’s one of the most widely implemented security tools across the globe.
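As an added example (not from the article), the following Python detector scores constructed Sysmon-style process-creation events against the behaviours described above: shadow copy deletion via vssadmin, net/sc stop of the backup and Sophos services listed, forced taskkill, and local account creation via net user. Host names, weights, the threshold and the sample command lines are assumptions.

```python
import re
from collections import defaultdict

# Keywords drawn from the service names the article lists as terminated on infection.
TARGETED_SERVICES = ("sophos", "sqlsafe", "symantec", "acronis", "acrsch2svc",
                     "veeam", "backupexec", "arsm")
SERVICE_RE = "|".join(TARGETED_SERVICES)

# (rule name, regex applied to the lower-cased command line, weight)
RULES = [
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows", 5),
    ("backup_or_av_service_stop",
     r'(net1?|sc)(\.exe)?\s+stop\s+"?[^"]*(' + SERVICE_RE + r")", 3),
    ("forced_process_kill", r"taskkill(\.exe)?\s+.*(/f\b|/im\b)", 2),
    ("local_account_creation", r"net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", 2),
]

# Constructed Sysmon-style process-creation events (host names and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "WS-17", "cmdline": r'C:\Windows\System32\net.exe stop "Sophos Agent" /y'},
    {"host": "WS-17", "cmdline": r"taskkill.exe /F /IM BackupAgent.exe"},
    {"host": "WS-17", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-17", "cmdline": r"net1.exe user svc_backup Pa55word /add"},
    {"host": "FS-02", "cmdline": r"net.exe use Z: \\fileserver\share"},
    {"host": "FS-02", "cmdline": r"taskkill.exe /PID 4412"},
]

def evaluate(events):
    """Score each host by the weighted rules its command lines trigger.

    Returns {host: {"score": int, "hits": [(rule, cmdline), ...]}} for hosts with at least one hit."""
    findings = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern, weight in RULES:
            if re.search(pattern, cmd):
                findings[ev["host"]]["score"] += weight
                findings[ev["host"]]["hits"].append((name, ev["cmdline"]))
    return dict(findings)

def flagged_hosts(events, threshold=5):
    """Hosts whose score reaches the threshold; a lone 'net stop' or taskkill stays below it."""
    return sorted(h for h, f in evaluate(events).items() if f["score"] >= threshold)

if __name__ == "__main__":
    for host, f in evaluate(SAMPLE_EVENTS).items():
        print(host, f["score"], [rule for rule, _ in f["hits"]])
```

Shadow copy deletion alone reaches the threshold, since it is the most reliable single signal in the list; the other rules only flag a host in combination.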

DARKWEB DATA LEAK SITE ANALYSIS

Medusa maintains 2 TOR websites (Dark Web), one for negotiation and the other as the DLS. They are:-

medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion
medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion

But the data leak sites are not online all the time. Due to this instability, Medusa Group introduced another 4 TOR domains for the Data Leak Site (DLS) on March 21, 2024:-

s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion
cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion
hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion
kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion

One of the oldest Data Leak Sites of Medusa can be traced to this TOR domain which has been active since February 2023:-

xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion

Here, it is also important to note that this domain is still accessible, while the rest no longer exist.

Observing further, the other DLS mirrors were running nginx/1.18.0 (Ubuntu), whereas the currently working DLS runs Apache/2.4.52 (Ubuntu). From this, it can be assumed that the group shifted its infrastructure from Nginx to Apache servers.

On checking the Data Leak Site, a few pointers are noted:-

1. Bootstrap is used for the web application
2. Chameleon Admin: a modern Bootstrap 4 web app and admin dashboard HTML template with a large number of components, elegant design, and clean, organized code
3. fancyBox v3.5.7 is used to improve the UI
4. TweenMax: built for convenience, providing a single JavaScript file that contains everything commonly needed for animating DOM elements
5. Moment.js
6. Swiper 8.4.7

Medusa Group revamped their DLS last on February 28, 2024 (ATTOW).

Coming to the Victim List, there are about 100+ Victims present on their Data Leak Site.

While publishing the leak (after the timeout), the group publishes screenshots of important documents along with a file tree like this:-

Victim Leak Page: Post Timeout

MEDUSA PARTNERING WITH OSINTCORP

As TOR domains are not stable, Medusa Group releases its compromised victims’ data to a Telegram channel called “Information Support”.

Medusa Group partnered with this Telegram channel, also known as OSINT_without_borders, in November 2022. The channel itself was created on July 30, 2021.

Medusa’s first announcement in the Channel

From this, it is evident that Medusa is NOT directly associated with this group or osintcorp.net; however, they partnered with this channel to release their victim leaks like this:-

Leak Publish

Telegram would help to gain more traction for the leaks, as more visibility is attained for the group.

As time progressed, this channel mainly focused on Medusa Leaks. This is evident when they revamped their Telegram logo:-

Left to Right: Old to New 2022–Present

Earlier, the group had a shallow presence of Medusa’s figure on the globe, but the new logo features the engulfment of the Globe under Medusa, which can indirectly mean the group heavily relies on Medusa Ransomware Group.

NOTE: We are not diving deep into Robert Vroofdown/Robert Enaber who maintains OSINT CORP, as it will be an out-of-scope subject.

INFRASTRUCTURE HUNTING

While fingerprinting the logo of Medusa Ransomware, I found the underpinning architecture that powers their DLS (Data Leak Site):-

IP of Medusa Ransomware Blog
IP: 45.9.148.39
Country: Netherlands
ASN: AS49447
Registrar: Nice IT Services Group
Server: nginx/1.18.0 (Ubuntu)
Running: Bootstrap, JQuery

This IP address has been seen since 2019 in various phishing campaigns targeting different entities such as:-

➡AN POST of Ireland
➡UAC-0102 Campaign against Ukraine (UKR.NET)
➡ANZ of Australia

Here, the string “Human Verify” is recorded in the header of the website. We also know that Medusa has implemented a captcha challenge that must be passed before proceeding to the site, to thwart crawlers.

“Human Verify” is present in Medusa’s TOR Data Leak Site

When the request gets loaded, the following page is loaded with Captcha Challenge:-

Captcha Verification by Medusa
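As an added example (not from the article), the following Python code reduces a leak-site mirror's HTTP response to the features used above to tell the mirrors apart: the Server banner (nginx vs. Apache), the “Human Verify” gate, and the front-end libraries and versions noted in the DLS analysis. The two responses are constructed to mirror the banners the article reports, not captured traffic.

```python
import re

# Framework markers the article associates with the Medusa leak-site stack.
FRAMEWORK_MARKERS = {
    "bootstrap": r"bootstrap(\.min)?\.(css|js)", "chameleon_admin": r"chameleon",
    "fancybox": r"fancybox", "tweenmax": r"tweenmax",
    "momentjs": r"moment(\.min)?\.js", "swiper": r"swiper",
}
# Library name followed within 40 non-digit characters by a semantic version (e.g. "Swiper 8.4.7").
VERSION_RE = re.compile(r"(swiper|fancybox|tweenmax|moment)[^\d\n]{0,40}?v?(\d+\.\d+\.\d+)", re.I)

# Constructed responses modelled on the banners the article reports; not captured traffic.
OLD_MIRROR = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"
              "<html><head><title>Blog</title>"
              '<link rel="stylesheet" href="/css/bootstrap.min.css">'
              '<script src="/js/swiper-bundle.min.js"></script><!-- Swiper 8.4.7 -->'
              '<script src="/js/jquery.fancybox.min.js"></script><!-- fancyBox v3.5.7 -->'
              "</head><body>Leaks</body></html>")
NEW_MIRROR = OLD_MIRROR.replace("nginx/1.18.0", "Apache/2.4.52").replace("<title>Blog", "<title>Human Verify")

def parse_response(raw):
    """Split a raw HTTP response (CRLF line endings) into status line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def fingerprint(raw):
    """Reduce one mirror's response to the features worth comparing across mirrors."""
    _, headers, body = parse_response(raw)
    low = body.lower()
    server = headers.get("server", "")
    return {
        "server_family": server.split("/")[0].lower(),  # "nginx" or "apache"
        "server_banner": server,
        "human_verify": "human verify" in low,         # the captcha gate the article describes
        "frameworks": frozenset(n for n, p in FRAMEWORK_MARKERS.items() if re.search(p, low)),
        "versions": {m.group(1).lower(): m.group(2) for m in VERSION_RE.finditer(body)},
    }

def diff_mirrors(old, new):
    """Fingerprint fields that differ between two mirrors (e.g. an nginx to Apache move)."""
    return sorted(k for k in old if old[k] != new[k])
```

An unchanged framework set and library versions across mirrors with a changed server banner is what the article's nginx-to-Apache observation looks like in this form.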

Upon digging further, we also exposed the IP address of Jellyfish, the blog name of MEDUSA that is being circulated among Telegram channels.

Domain: jelly.fra1.digitaloceanspaces.com
IP: 5.101.109.44
Country: Germany
ASN: 14061
Hosting: Digital Ocean
Running: AWS Instance

The IP address seems to be shared infrastructure that was earlier used to host phishing campaigns.

This ASN was previously part of a TOR relay and was also used in delivering Formbook malware.

IOC

MD5 with FileNames
==================

IP Addresses
============

PS: Only picked high-confidence IPs in the IOC list.

Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.