From data leakage to multiple blackmails

Threat actors related to this Medusa ransomware Since dedicated data exfiltration sites first appeared on the dark web in February 2023, these groups have stepped up their activities to publish sensitive data of victims unwilling to agree to their demands.

Palo Alto Networks Unit 42 researcher Anthony said: “As part of a multi-ransomware strategy, when a victim’s data is posted on a leak site, the group will provide the victim with multiple options, such as extending the time, deleting the data, or downloading all Data,” Galliette and Doel Santos said in a report shared with The Hacker News.

“All of these options have a price tag that depends on the organization that is affected by that group.”

Medusa (not to be confused with Medusa Locker) refers to a family of ransomware that emerged in late 2022 and became prevalent in 2023. It is known for opportunistic attacks on a wide range of industries, including high-tech, education, manufacturing, healthcare, and retail. .

It is estimated that as many as 74 organizations will be affected by ransomware in 2023, with the majority located in the United States, United Kingdom, France, Italy, Spain and India.

Ransomware attacks orchestrated by the group first exploit internet-facing assets or applications with known unpatched vulnerabilities and hijack legitimate accounts, often using an initial access proxy to gain a foothold in the target network.

In one instance observed by the cybersecurity firm, Microsoft Exchange Server was exploited to upload a web shell, which was then used as a conduit to install and execute ConnectWise remote monitoring and management (RMM) software.

A noteworthy aspect of the infection is the reliance on living off the land (LotL) techniques to blend in with legitimate activities and avoid detection. The use of a pair of core drivers to terminate a hard-coded security product manifest was also observed.

The initial access phase is followed by discovery and reconnaissance of the infected network, and the attackers eventually launch the ransomware to enumerate and encrypt all files with the extensions .dll, .exe, .lnk, and .medusa (the extension given). to encrypted files).

For each infected victim, Medusa’s leak website displays information about the organization, the ransom demanded, the time remaining before the stolen material is publicly released, and the number of views to put pressure on the company.

Attackers also offer victims different options, all of which involve some form of ransom, to delete or download stolen data and seek an extension of time to prevent the data from being released.

As ransomware continues to become a rampant threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it have become more brazen in their tactics, not just by resorting to threats of physical violence. Publicly naming and shaming organizations and even dedicated public relations channels.

“Ransomware has changed many aspects of the threat landscape, but a key recent development has been its increasing commoditization and professionalization,” Sophos researchers said last month, adding that ransomware groups are “increasingly media savvy.”

According to Unit 42, Medusa not only has a media team to handle their branding efforts, but also utilizes a public Telegram channel called “Information Support” where the compromised organization’s files are shared and made available via clear Network access. This channel was established in July 2021.

“The Medusa ransomware emerged in late 2022 and gained notoriety in 2023, marking a significant development in the ransomware field,” researchers said. “This operation demonstrated a sophisticated propagation method, exploiting system vulnerabilities and initial access proxies, while Cleverly avoiding detection through off-the-ground living techniques.”

This development comes as Arctic Wolf Labs disclosed two cases in which victims of the Akira and Royal ransomware gangs were targeted for secondary ransomware by malicious third parties posing as security researchers.

Security researchers Stefan Hostetler and Steven Campbell said: “Threat actors made up the narrative that they were trying to help the victim organization, offering to compromise the servers of the original ransomware organization. infrastructure to remove leaked data.” They noted that threat actors sought approximately 5 Bitcoin in 2019. in exchange for services.

Previously, the National Cyber ​​Security Center of Finland (NCSC-FI) released a new report stating that the Akira ransomware incident in the country that exploited security flaws (CVE-2023-20269, CVSS) in Cisco VPN equipment will occur before the end of 2023. surge. Score: 5.0) Violation of domestic entities.