A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.

The Medusa operation started in June 2021 but had relatively low activity, with few victims. However, in 2023 the ransomware gang increased its activity and launched a ‘Medusa Blog’ used to leak data from victims who refused to pay a ransom.

Because the name is so commonly used, there has been some confused reporting about this ransomware family, with many assuming it is the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are entirely different.

The MedusaLocker operation launched in 2019 as a Ransomware-as-a-Service with numerous affiliates, a ransom note commonly named How_to_back_files.html, and a wide variety of file extensions for encrypted files. The Medusa ransomware operation, by contrast, launched around June 2021 and has been using a ransom note named !!!READ_ME_MEDUSA!!!.txt and a static encrypted-file extension of .MEDUSA. The two groups also operate different Tor websites.

Like most enterprise-targeting ransomware operations, Medusa has a data leak site named ‘Medusa Blog.’ This site is used as part of the gang’s double-extortion strategy, where they leak data from victims who refuse to pay a ransom.

When a victim is added to the data leak site, their data is not immediately published. Instead, the threat actors give the victims paid options to extend the countdown before data is released, to delete the data, or to download all of the data. These three options are offered to apply extra pressure on the victim and scare them into paying a ransom.

Unfortunately, no known weaknesses in the Medusa ransomware encryption allow victims to recover their files for free.
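Since the two families are easily confused, an incident responder's first triage step is often to check which ransom note and file extension were actually dropped. The following is an added example (not code from the article or from any vendor) that attributes filesystem artifacts using only the indicators named above: Medusa's !!!READ_ME_MEDUSA!!!.txt note and static .MEDUSA extension versus MedusaLocker's How_to_back_files.html note. Because MedusaLocker uses many different extensions, only its note is treated as a reliable marker; the function and verdict names are this example's own assumptions.

```python
"""Triage helper: attribute ransomware artifacts to Medusa vs MedusaLocker.

Indicators are those described in the article. Function names and the
verdict strings are assumptions made for this example, not a vendor API.
"""
import re
from pathlib import Path

MEDUSA_NOTE = "!!!READ_ME_MEDUSA!!!.txt"   # Medusa ransom note
MEDUSA_EXT = ".medusa"                     # Medusa static extension
MEDUSALOCKER_NOTE = "How_to_back_files.html"  # MedusaLocker ransom note


def _basename(path):
    # Split on both separators so Windows-style paths work on any host.
    return re.split(r"[\\/]", str(path))[-1]


def triage_paths(paths):
    """Summarise ransomware artifacts in an iterable of file paths.

    Returns counts per indicator plus a 'family' verdict: 'Medusa',
    'MedusaLocker', 'ambiguous' (both families' notes seen) or 'none'.
    Matching is case-insensitive to cope with case-insensitive volumes.
    """
    hits = {"medusa_notes": 0, "medusa_encrypted": 0, "medusalocker_notes": 0}
    for p in paths:
        name = _basename(p).lower()
        if name == MEDUSA_NOTE.lower():
            hits["medusa_notes"] += 1
        elif name == MEDUSALOCKER_NOTE.lower():
            hits["medusalocker_notes"] += 1
        elif name.endswith(MEDUSA_EXT):
            hits["medusa_encrypted"] += 1
    medusa = hits["medusa_notes"] or hits["medusa_encrypted"]
    locker = hits["medusalocker_notes"]
    if medusa and locker:
        hits["family"] = "ambiguous"
    elif medusa:
        hits["family"] = "Medusa"
    elif locker:
        hits["family"] = "MedusaLocker"
    else:
        hits["family"] = "none"
    return hits


def triage_tree(root):
    """Walk a directory on disk and triage every regular file under it."""
    return triage_paths(p for p in Path(root).rglob("*") if p.is_file())


if __name__ == "__main__":
    # Constructed sample paths standing in for a scanned file share.
    sample = [r"C:\Share\Finance\Q1.xlsx.MEDUSA",
              r"C:\Share\Finance\!!!READ_ME_MEDUSA!!!.txt",
              r"C:\Share\HR\payroll.docx.MEDUSA", r"C:\Share\HR\notes.txt"]
    print(triage_paths(sample))
```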