Since June 2021, Medusa ransomware-as-a-service (RaaS) affiliates have hit over 300 critical infrastructure organizations, the US government warns.
Medusa was initially operated as a closed ransomware, and, although it is currently using an affiliate model, ransom negotiations are still conducted by the malware developers, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) note in a joint alert.
The group engages in double extortion, encrypting victims’ data but also stealing it and threatening to leak it unless a ransom is paid. Medusa’s operators offer payments ranging between $100 and $1 million to affiliates working exclusively for them, the three agencies say.
The group has been observed relying on phishing to steal victims’ credentials, and exploiting unpatched vulnerabilities for initial access, including CVE-2024-1709 (the ’SlashAndGrab’ ScreenConnect flaw) and CVE-2023-48788 (SQL injection bug in Fortinet EMS).
The Medusa ransomware affiliates have been using living-off-the-land (LOTL) and legitimate tools for reconnaissance, detection evasion, lateral movement in the compromised environments, and data exfiltration.
Before encrypting the victim’s data, the attackers disable security software, terminate processes related to backups, security, data sharing, and communication, and erase shadow copies to prevent file recovery.
“The actors then manually turn off and encrypt virtual machines and delete their previously installed tools,” CISA, FBI, and MS-ISAC say.
The Medusa ransomware group lists victims on its Tor-based leak site, where it posts ransom demands and advertises the sale of data. It has been observed contacting victims by phone or email, and allowing victims to extend the ransom payment deadline by paying an additional $10,000 per day.
“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme,” the US government alert reads.
CISA, FBI, and MS-ISAC published their joint advisory roughly a week after Symantec warned of an increase in Medusa attacks. Tracked as Spearwing and Storm-1175, the ransomware gang has been targeting organizations in the US, Australia, Israel, India, Portugal, the UK, UAE, and other countries.
Related: FBI: Fake Ransomware Attack Claims Sent to US Executives via Snail Mail
Related: Watch Now: Ransomware Resilience & Recovery Summit – All Sessions Available on Demand
Related: FBI Warns of HiatusRAT Attacks on Cameras, DVR Systems
Related: CISA Warns of Attacks Exploiting NextGen Healthcare Mirth Connect Flaw