Medusa is a type of ransomware that encrypts data and appends the “.MEDUSA” extension to filenames. It was first observed in June 2021 and is considered an active threat. The Medusa ransomware gang has been targeting corporate victims worldwide with million-dollar ransom demands.
Medusa ransomware appears to operate as a Ransomware-as-a-Service (RaaS) model where developers work with global affiliates and share the profits.
In March 2023 Medusa attacked the Minneapolis school district. The gang demanded a $1 million ransom from the district to delete the data allegedly stolen. Since the district did not pay (which is the right course of action), the stolen data was made available on the gang’s darknet website.
Medusa is ransomware, a type of malware that encrypts and locks the victims’ files and then requests a ransom in exchange for the decryption key. It appears to be a Ransomware-as-a-Service (RaaS) type of malware, which means that affiliates can have their own ransom note and file extension. However, every Medusa attack works the same way to compromise the network and encrypt the data.
Confirmed Name: Medusa
Threat Type: Ransomware (operated as RaaS)
Encrypted Files Extension: .MEDUSA (affiliates may use their own extension)
Ransom Demanding Message: a ransom note dropped on the desktop (example below)
Is There a Free Decryptor Available? No
Detection Names:
Symptoms: files cannot be opened and carry the .MEDUSA extension; a ransom note appears on the desktop
Ransomware family, type & variant: Medusa, Ransomware-as-a-Service
Distribution methods: phishing emails, unsecured RDP, known software vulnerabilities
Consequences: files encrypted, data stolen and published on the gang’s leak site if the ransom is not paid
Prevention: strong unique passwords, two-factor authentication, removal of unused accounts, least privilege, software updates, offline and off-site backups
Medusa Tor negotiation site: the Tor live-chat address given in the ransom note (redacted below)
Medusa can enter and compromise computers and networks through weaknesses such as exposed or vulnerable RDP and phishing emails.
Spam email campaigns. This is a phishing email attack where hackers use social engineering to deceive victims into clicking malicious links or attachments. After that, the exploit kit is downloaded onto the machine and the threat actors can trigger the ransomware at any moment. These emails can be targeted when hackers intend to access a specific business, or non-targeted when they send a mass malware spam campaign.
Vulnerable remote service. Another way Medusa ransomware attacks happen is through unsecured external remote services. Attackers will exploit Remote Desktop Protocol (RDP) tools whose credentials are known, reused, weak, or phished to gain access to businesses’ networks and leak data.
Known software vulnerabilities. Hackers also use software with known vulnerabilities to attack businesses. That’s why it’s very important to keep all software updated and to protect remote administration tools like RDP.
This is an example of the Medusa ransom note:
—————————–[ Hello, ******** !!! ]————————–
WHAT HAPPEND?
————————————————————
We have PENETRATE your network and COPIED data.
* We have penetrated entire network including backup system and researched all about your data.
* And we have extracted all of your important and valuable data and copied them to private cloud storage.
We have ENCRYPTED your files.
While you are reading this message, it means all of your files and data has been ENCRYPTED by world’s strongest ransomware.
All files have encrypted with new military-grade encryption algorithm and you can not decrypt your files.
But don’t worry, we can decrypt your files.
There is only one possible way to get back your computers and servers – CONTACT us via LIVE CHAT and pay for the special
MEDUSA DECRYPTOR and DECRYPTION KEYs.
This MEDUSA DECRYPTOR will restore your entire network, This will take less than 1 business day.
WHAT GUARANTEES?
—————————————————————
We can post your data to the public and send emails to your customers.
We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites.
You can suffer significant problems due disastrous consequences, leading to loss of valuable intellectual property and other sensitive information,
costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, legal and regulatory issues.
After paying for the data breach and decryption, we guarantee that your data will never be leaked and this is also for our reputation.
YOU should be AWARE!
—————————————————————
We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you ar not such a person – DON’T CONTACT US! Your decisions and action can result in serious harm to your company!
Inform your supervisors and stay calm!
If you do not contact us within 3 days, We will start publish your case to our official blog and everybody will start notice your incident!
——————–[ Official blog tor address ]——————–
Using TOR Browser(hxxps://www.torproject.org/download/):
–
CONTACT US!
———————-[ Your company live chat address ]—————————
Using TOR Browser(hxxps://www.torproject.org/download/):
–
Or Use Tox Chat Program(hxxps://qtox.github.io/)
Add user with our tox ID : 4AE245548F2A225882951FB14E9BF87E E01A0C10AE159B99D1EA62620D91A372205227254A9F
Medusa ransomware compromises your business network by finding vulnerabilities, such as unsecured RDP. After that, the ransomware encrypts your data and demands a ransom in exchange for the decryptor.
Medusa ransomware’s primary infection method is through unsecured Remote Desktop Protocol (RDP). Phishing is the second method this group uses to get access to organizations’ networks and lock the data.
Medusa ransomware uses PowerShell as its command and scripting interpreter. It also deletes shadow copy backups and other system backups to make it impossible for victims to restore their files.
After that, the malware uses the Windows built-in tool called Microsoft Connection Manager Profile Installer (cmstp.exe) to run commands with high privileges.
At this phase, Medusa ransomware will deactivate defense software such as antivirus and antimalware. It can also reboot the system into Safe Mode to limit endpoint defenses.
Afterward, Medusa will use remote services to compromise other computers and devices within the network and spread the ransomware payload.
The final phase is data encryption and inhibiting system recovery. At this point every file will have a new file extension and the ransom note will be on the desktop.
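The attack phases above (PowerShell spawning backup deletion, a Safe Mode boot change, and cmstp.exe execution) are exactly what process-creation telemetry lets a defender catch before encryption starts. The following is an added detection example written for this page, not code from SalvageData or from the Medusa samples; the log lines, field layout and rule names are constructed for the demo, and the ATT&CK technique IDs are the standard ones for each behaviour.

```python
# Constructed process-creation events in a simplified "parent|image|command line"
# layout (think Sysmon Event ID 1). These lines are made up for the demo and are
# not telemetry from a real Medusa incident.
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "powershell.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "powershell.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "powershell.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot network",
    "cmd.exe|C:\\Windows\\System32\\cmstp.exe|cmstp.exe /s C:\\Users\\Public\\profile.inf",
    "services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# Each rule: a constructed rule name, the MITRE ATT&CK technique it maps to, and
# the tokens that must all appear in the lower-cased command line.
RULES = [
    ("shadow_copy_deletion_vssadmin", "T1490", ("vssadmin", "delete", "shadows")),
    ("shadow_copy_deletion_wmic", "T1490", ("wmic", "shadowcopy", "delete")),
    ("safe_mode_boot_configured", "T1562.009", ("bcdedit", "safeboot")),
    ("cmstp_inf_execution", "T1218.003", ("cmstp", ".inf")),
]


def parse_event(line):
    """Split one constructed log line into its three lower-cased fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline.lower()}


def match_rules(event):
    """Return the (rule name, technique) pairs whose tokens all occur in the command line."""
    return [(name, tech) for name, tech, tokens in RULES
            if all(tok in event["cmdline"] for tok in tokens)]


def triage(lines):
    """Flag every event that matches a rule; keep the parent so an analyst can see
    the PowerShell-driven chain the page describes."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, tech in match_rules(ev):
            findings.append((name, tech, ev["parent"], ev["cmdline"]))
    return findings


def recovery_inhibited(findings):
    """True once any backup-destruction (T1490) finding is present: at that point
    restoring from offline backups, not shadow copies, is the recovery path."""
    return any(tech == "T1490" for _, tech, _, _ in findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```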
We already mentioned several ways you can prevent Medusa ransomware attacks. Here is a complete list of what to do to keep your data and business safe.
Always use strong and unique passwords for each account and only share them with necessary people.
You can use two-factor authentication or biometric unlock to ensure that only authorized people have access to folders, devices, or accounts.
Unused accounts are vulnerabilities that hackers can exploit. Deactivate and close unused accounts as well as those used by past employees.
Also, configure access controls according to the principle of least privilege to increase security.
Outdated software is a weak point, since updates fix the vulnerabilities that new malware, such as Medusa, can exploit.
Keep at least three copies of your data, with at least one stored offline and off-site. This ensures that, even if you’re hit by a disaster, whether natural or human-made (like ransomware), your data is always safe.
Regular backups can prevent downtimes and ensure you never lose any sensitive data.
You can either have an IT team to guarantee your business security or hire a cybersecurity service.
Either way, you must look for vulnerabilities in the network, such as back doors, exploit kits, and unwanted software.
Data recovery plans are documents that work as guides on what to do in case of a disaster. This can help you restore your business faster and more securely.
See how to create a data recovery plan with our in-depth guide.
The first step to recover from a Medusa attack is to isolate the compromised computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. For US residents and businesses, that is the local FBI field office and the Internet Crime Complaint Center (IC3).
To report a ransomware attack you must gather all the information you can about it, including:
You must not delete the ransomware, and you must keep all evidence of the attack. That’s important for digital forensics, so experts can trace the attack back to the hacker group and identify them. Authorities use the data on your infected system to investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.
After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
You can check which ransomware infected your machine by the file extension (some ransomware uses the file extension as its name, such as hajd ransomware), or it will be stated in the ransom note. With this information, you can look for a public decryption key. However, no public decryptor exists for Medusa yet.
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and guarantee Medusa ransomware does not attack your network again.
Contact our experts 24/7 for emergency recovery service or find a recovery center near you.