This post may contain affiliate links, please read our affiliate disclosure to learn more.
Medusa ransomware

Medusa’s Strategic Evolution: Blending Extortion and Stealth in Ransomware Operations

 By Nataly Vovk | Threat Intelligence Analyst
 Published on January 12th, 2024
This post was updated on February 20th, 2024

The Medusa ransomware group, active since late 2022, has intensified its activities in 2023, particularly after launching a data leak site on the dark web in February 2023. The ransomware has affected a broad spectrum of industries in multiple countries, primarily targeting internet-facing assets and applications with known vulnerabilities.

Kay Takeaway

  • Medusa ransomware’s activities surged after the launch of their dark web data leak site in February 2023
  • Options include time extension and data deletion, each with a specific cost.
  • Industries such as technology, education, and healthcare across several countries, including the U.S., U.K., and India, are affected
  • It involves exploiting internet-facing vulnerabilities and hijacking accounts, often using initial access brokers. Utilizes living-off-the-land methods and kernel drivers to terminate security products
  • The leak site displays victims’ information, ransom demands, and countdowns to release stolen data.

In February 2023, the threat actors behind Medusa ransomware, distinct from Medusa Locker, launched a dedicated data leak site on the dark web. This site publishes sensitive data from victims refusing to meet extortion demands. According to Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos, the group employs a multi-extortion strategy, offering victims various options on their leak site, such as time extensions, data deletion, or downloading the data for a price.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

This ransomware family, which emerged in late 2022, has been known for targeting a diverse range of industries, including high technology, education, manufacturing, healthcare, and retail. In 2023, it has impacted around 74 organizations across the U.S., the U.K., France, Italy, Spain, and India.

The Medusa group initiates ransomware attacks by exploiting internet-facing assets or applications with known vulnerabilities and hijacking legitimate accounts. They often use initial access brokers to penetrate targeted networks. For example, the cybersecurity professionals observed an incident where a Microsoft Exchange Server was exploited to install and run the ConnectWise remote monitoring and management software.

Medusa’s operations are characterized by using living-off-the-land techniques to blend with legitimate activity and evade detection, along with kernel drivers to turn off security products. Once they gain access, they perform network reconnaissance and launch the ransomware to encrypt files, avoiding specific extensions like .dll and .exe.

Medusa’s ransomware strategy includes a leak site that lists information about compromised organizations, the ransom demanded, and a countdown timer to the public release of stolen data, exerting pressure on victims. They offer various extortion options, such as data deletion or download and a time extension.

The ransomware landscape has evolved, with gangs becoming more media-savvy and professionalized. This development in Medusa’s operations underscores the increasing sophistication of ransomware attacks, with complex propagation methods and advanced evasion techniques.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top