Medusa ransomware has evolved to exploit known vulnerabilities, increasing risks of network compromise and data breaches, especially in sectors like finance and healthcare. Immediate actions include patch management, network segmentation, enhanced monitoring, and continuous employee education. Advanced capabilities, such as file encryption and data exfiltration, necessitate a multi-layered security approach to effectively prevent, detect, and respond to these threats.

Key Insights:

1. Evolving Tactics and Increased Risk:
   • Medusa ransomware now exploits known vulnerabilities like the critical SQL injection flaw in Fortinet’s FortiClient EMS (CVE-2023-48788). This shift increases the risk of rapid network compromise, data theft, and operational disruption, especially in critical sectors like finance, healthcare, government, and infrastructure.
2. Advanced Capabilities and High-Profile Attacks:
   • Medusa’s advanced capabilities include sophisticated file encryption, data exfiltration, and disabling security mechanisms using techniques like the “Gaze” binary. These capabilities have led to several high-profile attacks, resulting in significant data leaks and disruptions across various sectors.
3. Persistent Access and Lateral Movement:
   • Attackers use tools like Atera for remote management to maintain persistent access and move laterally within networks by dumping credentials from the LSASS process.
4. Strategic Recommendations and Mitigation Strategies:
   • Immediate actions include applying patches promptly, restricting network access, monitoring logs for unusual activities, and continuously training employees on phishing and security threats. Organizations should also implement advanced email filtering, regularly update software, deploy EDR and network monitoring tools, isolate infected systems promptly, and ensure secure, reliable backups.
5. Proactive Measures:
   • Adopting a multi-layered security approach is crucial. This includes prevention, detection, and swift response actions to defend against Medusa and other evolving ransomware threats.

Detailed Analysis

Medusa is a sophisticated ransomware-as-a-service (RaaS) platform known for its advanced capabilities, including encrypting files, exfiltrating data, and disabling security mechanisms. This report provides a comprehensive analysis of Medusa, detailing its indicators of compromise (IOCs), behavioral patterns, and recommended mitigation strategies.

Medusa ransomware first appeared towards the end of 2022 and gained prominence by early 2023, primarily targeting Windows operating systems. It is distinct from MedusaLocker, another RaaS that has been active since 2019. This analysis focuses exclusively on the Medusa ransomware, which has been affecting Windows-based organizations since its public emergence in 2023.

The ransomware is particularly dangerous due to its ability to propagate across networks, targeting various sectors such as finance, healthcare, government, and critical infrastructure. Medusa employs multiple infection vectors, including phishing emails, malicious attachments, and exploit kits. Once executed, it quickly encrypts files and presents a ransom note, demanding payment in cryptocurrency.

In addition to its encryption capabilities, Medusa is designed to exfiltrate sensitive data, adding pressure on victims to pay the ransom by threatening to leak the stolen information. The malware also disables security tools and modifies registry keys to maintain persistence and evade detection. Notably, Medusa uses a unique “Gaze” binary and sophisticated string encryption techniques, enhancing its stealth and efficacy​.

In recent months, Medusa ransomware has significantly ramped up its attacks, targeting a wide range of organizations globally. The surge in Medusa attacks has been marked by high-profile data breaches, leading to substantial data leaks and operational disruptions across various sectors.

Recent research highlights Medusa Ransomware Group’s OPSEC failures, which allowed infiltration into their cloud storage, as detailed in Dark Atlas Squad’s blog post. This infiltration provided insights into their operations, exfiltration methods using Rclone, and the use of put.io for storing stolen data.

Total Attacks over time:

Recent Victims and Data Breaches

Notable Recent Attacks:

• Gentlemen Group GmbH (27/07/2024)
  • Description: Provides services management, enterprise services (ESM), and management of identification and access (IAM). Located in Falkensee, Germany.
  • Data Leaked: 218.4 GB
• Vivara (24/07/2024)
  • Description: Largest retailer of jewelry in Brazil with over 200 stores.
  • Data Leaked: 1.18 TB, including confidential data of CEO, top management, employees, and customers, as well as evidence of illegal activities.
• Coffrage LD (23/07/2024)
  • Description: Specializes in formwork and concrete placement. Located in Quebec, Canada.
  • Data Leaked: 453.4 GB
• Owens Valley Career Development Center (23/07/2024)
  • Description: Provides social, educational, and economic development services to Native American communities. Located in California, USA.
  • Data Leaked: 300.2 GB
• AA Munro Insurance (22/07/2024)
  • Description: Offers personal and commercial insurance solutions. Located in Nova Scotia, Canada.
  • Data Leaked: Volume not specified

Recent Exploitation of Fortinet EMS Vulnerability

One of the latest and most significant developments in the modus operandi of Medusa ransomware is its exploitation of a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS). This vulnerability, tracked as CVE-2023-48788, is a SQL injection flaw that allows unauthenticated attackers to execute arbitrary commands, leading to remote code execution (RCE).

Key Details of the Exploit:

1. Vulnerability and Exploitation Method:
   • SQL Injection: The vulnerability arises due to improper validation of incoming data in the FortiClient EMS, which allows attackers to inject malicious SQL commands through port 8013. This can lead to remote code execution (RCE).
   • Command Execution: Attackers can exploit this flaw to enable ‘xp_cmdshell’, a feature in Microsoft SQL Server that allows execution of shell commands, providing a way to gain full control over the server.
2. Persistent Access and Lateral Movement:
   • Remote Management Tools: Once they gain access, attackers use remote management tools to establish persistent access. For instance, they have been observed installing tools like Atera to maintain a foothold in compromised systems.
   • Credential Dumping: Attackers create local admin accounts and dump credentials from the LSASS process, enabling them to move laterally within the network and escalate privileges.
3. Observed Incidents:
   • Fortinet Vulnerability: Multiple incidents have been reported where the Medusa ransomware group exploited this vulnerability. The attackers targeted internet-exposed FortiClient EMS instances with the default port configuration, leveraging the SQL injection to execute malicious commands​.

Mitigation Strategies:

• Patch Management: Organizations using Fortinet FortiClient EMS should immediately apply patches provided by Fortinet to address CVE-2023-48788. This includes updating to FortiClient EMS versions 7.0.11, 7.2.3, or later.
• Network Segmentation: Restrict network access to management interfaces like the FortiClient EMS port 8013 to trusted hosts only.
• Monitoring and Logging: Regularly monitor and analyze logs for signs of SQL injection attempts and unusual command executions. This can help in early detection of exploitation attempts.

Indicators of Compromise (IOCs)

File-Based IOCs:

File Name	MD5	SHA1	SHA256
525589___3cc62427-6847-44ba-bee2-7fbffc020834.exe	a57f84e3848ab36fd59c94d32284a41e	—–	—–
gaze.exe, 657c0cce.exe	8cd11f34d817a99e4972641caf07951e	—–	—–
irt_medusa_16925292660.zip	2c1ea382dd3815054fddae2268329690	—–	—–
update.exe, 7d68da8a.exe	e4b7fdabef67a0550877e6439beb093d	—–	—–
gaze.exe, gaze.bin, MEDUSA	47386ee20a6a94830ee4fa38b419a6f7	—–	—–
$RQ4IKQ4.exe, gaze.exe	49b53d3c715ec879efeb51d386b9d923	—–	—–
525589___3cc62427-6847-44ba-bee2-7fbffc020834.exe	a57f84e3848ab36fd59c94d32284a41e	—–	—–
gaze.exe, unknown, Medusa.bin	84b88ac81e4872ff3bf15c72f431d101	—–	—–

Network-Based IOCs:

IP Address	Notes	URL	Geolocation
91.92.246.110	Known indicators for Medusa attacks	91.92.246.110/welcome	Netherlands
2.20.40.170	Known indicators for Medusa attacks	—–	France
185.5.160.185	Known indicators for Medusa attacks	—–	Russia
185.5.160.200	Known indicators for Medusa attacks	—–	Russia
23.32.46.17	Known indicators for Medusa attacks	—–	United States
95.101.20.75	Known indicators for Medusa attacks	—–	Italy
20.190.177.82	Known indicators for Medusa attacks	—–	France

Behavioral Patterns

• Infection Vectors: Medusa is typically delivered through phishing emails, malicious attachments, and exploit kits.
• Execution: Upon execution, Medusa encrypts files and presents a ransom note demanding payment in cryptocurrency.
• Persistence: The malware modifies registry keys and creates scheduled tasks to maintain persistence.
• Data Exfiltration: Medusa collects and exfiltrates sensitive information before encrypting the files.
• Lateral Movement: Exploits network vulnerabilities to spread across the network.

Ransom Note Analysis

The following image shows a typical ransom note displayed by Medusa ransomware upon infection:

In the ransom note, Medusa claims to have penetrated the victim’s network and copied data, emphasizing the sensitive nature of the stolen information. It then explains that files have been encrypted and demands contact via live chat for decryption services, highlighting the urgency and severity of the attack.

Victim Gallery Analysis

The image below shows a screenshot from the Medusa ransomware group’s victim gallery on the darknet. 

The gallery displays multiple panels for different victims, each showing the ransom amount, the status of the ransom (pending or published), and the time remaining until the ransom demand expires. Panels marked with red indicate pending ransom demands, while those marked with green indicate that the data has already been published or dumped due to non-payment.

• Red Panels (Pending):
  • These panels indicate victims who have not yet paid the ransom. The ransom amount, countdown timer, and date of publication are visible. The example shows a ransom demand of $500,000 with a countdown to the deadline.
• Green Panels (Published):
  • These panels show victims whose data has been dumped because they did not pay the ransom. The date when the data was published is displayed. This serves as a warning to other potential victims about the consequences of non-payment.

Mitigation Strategies

Prevention:

• Email Filtering: Implement advanced email filtering solutions to block phishing emails and malicious attachments.
• Patch Management: Regularly update and patch software to fix vulnerabilities that Medusa exploits.
• User Education: Conduct regular training sessions to educate employees on recognizing phishing attacks and practicing safe browsing.

Detection:

• Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor and respond to suspicious activities.
• Network Monitoring: Use network monitoring tools to detect unusual traffic patterns indicative of data exfiltration.
• File Integrity Monitoring: Implement file integrity monitoring to detect unauthorized changes to critical files.

Response

• Isolate Infected Systems: Immediately isolate infected systems to prevent further spread.
• Incident Response Plan: Activate your incident response plan to handle the infection efficiently.
• Backup and Recovery: Ensure regular, secure backups are available and test their integrity to recover encrypted data.

Remediation

• System Cleanup: Remove the malware from infected systems and restore from clean backups.
• Security Assessment: Conduct a thorough security assessment to identify and rectify security gaps.
• Post-Incident Review: Perform a post-incident review to improve defenses and response strategies for future threats.

Historical Context

Previous Campaigns:

Date	Description	Impact
February 2023	Medusa ransomware attack on the Minneapolis Public School (MPS) District, exfiltrating around 100 GB of data.	Operational disruption, exposure of sensitive student and faculty data, and ransom demand of $1 million.
March 2023	Attack on a financial institution, exfiltrating and encrypting sensitive financial data.	Financial data compromised, leading to substantial financial losses and regulatory scrutiny.
April 2023	Medusa ransomware attack on a large healthcare provider, encrypting patient records and disrupting services.	Major operational disruption, financial losses, and reputational damage.
May 2023	Targeted attack on a government agency, leading to widespread encryption of critical infrastructure.	Major service outages, national security concerns, and extensive recovery efforts.
September 2023	Medusa ransomware attack on the Philippine Health Insurance Corporation (PhilHealth), stealing almost 750 GB of data.	Exposure of sensitive data from millions of members and ransom demand of $300,000.
November 2023	Breach of Toyota Financial Services (TFS) systems, exfiltrating data and demanding an $8 million ransom.	Significant operational impact, exposure of financial documents, and heightened security concerns.

Evolution:

Medusa ransomware emerged as a significant threat in late 2022. Initially observed as a basic ransomware, it evolved to include advanced encryption techniques, anti-detection mechanisms, and capabilities for data exfiltration and lateral movement by 2023. The ransomware has become known for its advanced encryption methods, double extortion tactics, and its ability to disable security tools and propagate across networks.

Recommendations

• Integrate IOCs: Regularly update threat detection systems with the latest IOCs to enhance detection capabilities.
• Conduct Simulations: Perform regular cybersecurity simulations and drills to ensure preparedness for potential Medusa attacks.
• Collaborate: Share threat intelligence with industry peers and collaborate on threat mitigation strategies.
• Continuous Monitoring: Implement continuous monitoring of network traffic and endpoints for signs of compromise.
• Backups: Ensure valid, recoverable backups of all critical information that you cannot afford to lose.

Actionable Recommendations for Decision-Makers:

Adopt a Proactive Security Posture:

• Regularly update all software and systems to address known vulnerabilities.
• Implement advanced email filtering and endpoint detection solutions.
• Educate employees on recognizing phishing attempts and safe browsing practices.

Enhance Monitoring and Incident Response:

• Deploy Endpoint Detection and Response (EDR) tools to monitor for suspicious activity.
• Regularly review and analyze logs for signs of compromise.
• Ensure a robust incident response plan is in place and tested.

Collaborate and Share Intelligence:

• Participate in threat intelligence sharing initiatives to stay informed about evolving threats.
• Collaborate with industry peers to develop and implement best practices for threat mitigation.

Invest in Continuous Improvement:

• Conduct regular security audits and penetration testing to identify and address vulnerabilities.
• Stay updated on the latest threat intelligence reports and adjust defenses accordingly.

Conclusion

Medusa ransomware represents a significant and evolving threat to various sectors, including finance, healthcare, government, and critical infrastructure. Its advanced capabilities, such as file encryption, data exfiltration, and disabling security mechanisms, make it a formidable adversary. The ransomware’s ability to propagate across networks and its utilization of multiple infection vectors, including phishing emails, malicious attachments, and exploit kits, further heighten its danger.

Organizations must adopt a multi-layered security approach to defend against Medusa and similar ransomware threats. This includes implementing preventive measures like advanced email filtering, regular patch management, and user education. Detection strategies should involve endpoint detection and response (EDR), network monitoring, and file integrity monitoring. In the event of an infection, swift response actions, including system isolation, incident response plan activation, and reliable backup and recovery processes, are crucial. Additionally, thorough remediation steps, such as malware removal, security assessments, and post-incident reviews, are essential to strengthen defenses and improve response strategies.

By understanding the comprehensive threat posed by Medusa ransomware, organizations can better prepare and protect themselves against this and other ransomware attacks.

Need Assistance?

If you have fallen victim to Medusa ransomware or need assistance in improving your cybersecurity defenses, contact us immediately for expert support and guidance.

Contact Information:

• Website: OP Innovate 

Stay Secure. Stay Informed.

OP Innovate Research Team.