Medusa Ransomware Group Gains Attention for Nationwide Attacks
The Medusa ransomware operation has been active since June 2021, but for most of that time it kept a low profile and claimed few victims. That changed recently when the group launched its own data leak site, a blog on which it publishes files stolen from victims who refuse to pay a ransom, which has put the gang in the spotlight.
Last week, the group gained media attention after claiming responsibility for the recent attack on Minneapolis’ school system and even shared a video containing stolen data.
The name "Medusa" is shared by several unrelated malware families, including a Mirai-based botnet with ransomware capabilities, an Android banking trojan, and the better-known MedusaLocker ransomware operation. Because of the similar names, researchers frequently confuse these separate campaigns with one another.
The Medusa encryptor uses several tactics to make sure encryption completes: it automatically terminates more than 280 Windows services and processes that could hold files open or otherwise interfere with encryption, and it deletes Windows Shadow Volume Copies so they cannot be used to restore files. The current version encrypts files with AES-256, protecting the per-file keys with RSA-2048, and appends the ".MEDUSA" extension to every encrypted file. In each folder containing encrypted data it drops a ransom note named "!!!READ_ME_MEDUSA!!!.txt" that explains what happened to the victim's files and how to contact the gang.
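The two on-disk artefacts described above, the ".MEDUSA" extension and the "!!!READ_ME_MEDUSA!!!.txt" note, are the quickest indicators an incident responder can sweep a file share for, and the destruction of backups before encryption is the event worth alerting on from process-creation logs. The following Python triage helper is an added example written for this article, not code from the original report or from any researcher it cites. It builds a constructed sample directory that mimics a partially encrypted share and a handful of constructed Sysmon-style process log lines; the shadow-copy deletion command patterns it matches (vssadmin, wmic, wbadmin, bcdedit) are generic ransomware tradecraft assumed for illustration, not commands the article attributes to Medusa specifically.

```python
"""Triage helpers for Medusa-style ransomware indicators (added example, not the gang's or any researcher's code)."""
import os
import re
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".medusa"                 # extension appended to encrypted files (matched case-insensitively)
NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"    # ransom note dropped in each folder with encrypted data

# ASSUMPTION: generic backup-destruction commands seen across many ransomware families.
# The article only says Medusa deletes Shadow Volume Copies; it does not name the commands used.
SHADOW_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]

# Constructed sample log lines in a Sysmon-like process-creation format (hypothetical host and user names).
SAMPLE_PROCESS_LOGS = [
    r'2023-03-10T02:14:07Z host=FS01 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2023-03-10T02:14:09Z host=FS01 user=SYSTEM image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'2023-03-10T02:15:00Z host=FS01 user=jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    # Listing shadows is benign admin activity and must NOT trigger the rule.
    r'2023-03-10T02:15:30Z host=FS01 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
]


def scan_tree(root):
    """Walk a directory tree and collect encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == NOTE_NAME:
                notes.append(path)
    return {"encrypted_files": encrypted, "ransom_notes": notes}


def flag_backup_destruction(log_lines):
    """Return only the log lines whose command line matches a backup-destruction pattern."""
    return [line for line in log_lines if any(p.search(line) for p in SHADOW_DELETION_PATTERNS)]


def triage_summary(root, log_lines):
    """Combine on-disk and log indicators into a single verdict for the responder."""
    found = scan_tree(root)
    hits = flag_backup_destruction(log_lines)
    return {
        "encrypted_count": len(found["encrypted_files"]),
        "note_count": len(found["ransom_notes"]),
        "backup_destruction_events": len(hits),
        # Extension plus note together are the strongest on-disk Medusa indicator;
        # backup destruction alone is shared with many other families.
        "likely_medusa": bool(found["encrypted_files"]) and bool(found["ransom_notes"]),
    }


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a share where two folders were encrypted."""
    root = Path(tempfile.mkdtemp(prefix="medusa_demo_"))
    for folder in ("finance", "hr", "public"):
        (root / folder).mkdir()
    (root / "finance" / "budget.xlsx.MEDUSA").write_bytes(b"\x00" * 64)
    (root / "finance" / "q1.pdf.MEDUSA").write_bytes(b"\x00" * 64)
    (root / "finance" / NOTE_NAME).write_text("your files have been encrypted\n")
    (root / "hr" / "contracts.docx.MEDUSA").write_bytes(b"\x00" * 64)
    (root / "hr" / NOTE_NAME).write_text("your files have been encrypted\n")
    (root / "public" / "readme.txt").write_text("untouched file\n")   # not encrypted, not a note
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        print(triage_summary(demo_root, SAMPLE_PROCESS_LOGS))
    finally:
        shutil.rmtree(demo_root)
```

Note that the log rule keys on the delete verb rather than on vssadmin.exe itself, so routine "vssadmin list shadows" activity is not flagged; in a real deployment the same patterns would be expressed as a Sigma or EDR rule rather than run over exported text.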
The ransom note lists the gang's contact channels: a Telegram channel, an email address, and Tor onion sites reachable only through the Tor Browser. One onion site is the data leak site and the other is used for ransom negotiations, the two halves of the group's double-extortion strategy. Unfortunately, researchers have so far found no weakness in Medusa's encryption that would let victims recover their files without paying.
Researchers nonetheless remain hopeful, since ransomware developers do make mistakes. One recent example was the Linux variant of the Clop ransomware, which contained a flaw in its encryption that allowed security researchers to quickly build a free decryptor for victims' files.