Thursday, March 30, 2023

Medusa ransomware gang gains momentum and attacks companies around the world

Researchers have not lost hope and are actively looking for weaknesses in the malware.

The Medusa extortion campaign began in June 2021. At that time its activity was relatively low and there were few victims. This year the situation has changed: the gang has stepped up its operations and launched its own blog, which it uses to publish data leaked from victims who refused to pay the ransom.

The Medusa group received media attention last week after it claimed responsibility for attacking the school system in the city of Minneapolis and even shared a video of the stolen data.

Many malware families are named “Medusa”. These include a Mirai-based botnet with ransomware capabilities, Android malware, and the notorious MedusaLocker ransomware operation. They are all completely different malicious campaigns. Because of the similar names, even researchers sometimes confuse them in their reports.

The Medusa ransomware supports many launch arguments that change how it works. During a normal run, the program automatically terminates more than 280 Windows services and processes so that nothing interferes with file encryption. The malware then searches for and deletes Windows backups to prevent them from being used to restore files.

The current version of Medusa encrypts files with AES-256 and RSA-2048 using the Windows BCrypt library. Encrypted files receive the extension “.MEDUSA”, and in every folder that contained any data the file “!!!READ_ME_MEDUSA!!!.txt” appears, explaining what happened to the victim’s files and how they can supposedly be recovered.
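A defender-side triage script for the artefacts just described, added here as an example and not part of the original article: it walks a directory tree looking for the “.MEDUSA” extension and the ransom note file, and applies a byte-entropy check (the 7.0 bits-per-byte threshold and the sample tree are assumptions) so that a file that merely carries the extension is not mistaken for AES ciphertext.

```python
"""Triage a directory tree for the Medusa artefacts named above: files renamed
with ".MEDUSA" and the "!!!READ_ME_MEDUSA!!!.txt" note dropped into hit folders."""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"  # note filename from the article
ENCRYPTED_EXT = ".MEDUSA"                 # extension from the article
HIGH_ENTROPY = 7.0                        # assumed threshold, bits per byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for AES ciphertext, far lower for ordinary text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str) -> dict:
    """Walk `root`; return ransom notes, likely-encrypted files, and files that
    carry the extension but are not ciphertext (a false-positive guard)."""
    found = {"notes": [], "encrypted": [], "low_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["notes"].append(path)
            elif name.upper().endswith(ENCRYPTED_EXT):
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the first 4 KiB is enough to judge
                key = "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "low_entropy"
                found[key].append(path)
    return found

def build_sample_tree() -> str:
    """Constructed sample: one folder hit by the ransomware, one left clean."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    hit, clean = os.path.join(root, "finance"), os.path.join(root, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, RANSOM_NOTE), "w") as fh:
        fh.write("constructed stand-in for the ransom note\n")
    with open(os.path.join(hit, "ledger.xlsx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes stand in for AES output
    with open(os.path.join(hit, "memo.txt" + ENCRYPTED_EXT), "w") as fh:
        fh.write("hello " * 700)  # carries the extension but is plaintext
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root
```

Run `triage(build_sample_tree())` to see the three buckets; on a real host, point `triage` at the suspected share or volume instead.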

The ransom note includes the attackers’ contact information, their Telegram channel, email, and onion sites accessible only through the Tor Browser:

  • a data leak site used by the gang as part of a double extortion strategy, in which the attackers leak the data of victims who refuse to pay the ransom;
  • a negotiation site where, in a fully encrypted chat, the attackers issue ultimatums to their victims or provide instructions for decrypting data once the ransom has been paid.

Unfortunately, no known weakness in Medusa’s encryption has yet allowed victims to restore their files for free. Researchers will continue to analyze the ransomware for flaws that would let victims avoid paying the attackers.

The optimism of researchers is not without reason. After all, hackers are people too, and they make mistakes. For example, in early February we wrote about the Linux version of Clop ransomware, a flaw in which allowed security researchers to quickly produce a script for decrypting victims’ data for free.
