A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. The Medusa operation started in June 2021 but had relatively low activity, with few victims. However, in 2023 the ransomware gang increased in activity and launched a ‘Medusa Blog’ used to leak data for victims who refused to pay a ransom. Due to the commonly used name, there has been some confusing reporting about this ransomware family, with many thinking it’s the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are entirely different. The MedusaLocker operation launched in 2019 as a Ransomware-as-a-Service, with numerous affiliates, a ransom note commonly named How_to_back_files.html, and a wide variety of file extensions for encrypted files. However, the Medusa ransomware operation launched around June 2021 and has been using a ransom note named !!!READ_ME_MEDUSA!!!.txt and a static encrypted file extension of .MEDUSA. The two groups also have different Tor websites associated with each group. Like most enterprise-targeting ransomware operations, Medusa has a data leak site named ‘Medusa Blog.’ This site is used as part of the gang’s double-extortion strategy, where they leak data for victims who refuse to pay a ransom. When a victim is added to the data leak, their data is not immediately published. Instead, the threat actors give the victims paid options to extend the countdown before data is released, to delete the data, or to download all of the data. These three options are done to apply extra pressure on the victim to scare them into paying a ransom. Unfortunately, no known weaknesses in the Medusa Ransomware encryption allow victims to recover their files for free.
Organizations should initiate proactive measures to ensure they are protected from ransomware. The US DHS website, stopransomware.gov, has links to resources that help organizations protect their systems from intrusions that lead to ransomware. To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive data
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.