CGI Weekly

Technical Threat Deep Dive: Medusa Ransomware

Threat Overview

Medusa is an advanced Ransomware-as-a-Service (RaaS) operation that emerged in 2021. Its affiliates use this service to conduct double extortion attacks targeting multiple sectors globally. Medusa's architecture includes centralized negotiation portals, consistent use of living-off-the-land (LOTL) techniques, and persistent exploitation of high-profile vulnerabilities.

Initial Access Vectors

Medusa affiliates commonly leverage:

• Phishing campaigns (malicious attachments or links).
• Exploitation of public-facing applications using known vulnerabilities, particularly:
• CVE-2024-1709 (ScreenConnect Authentication Bypass)
• CVE-2023-48788 (Fortinet FortiClient EMS SQL Injection)
• Use of Initial Access Brokers (IABs):
• Access purchased from criminal forums.
• Deployment of Remote Monitoring and Management (RMM) tools post-compromise (e.g., AnyDesk, ScreenConnect).

Discovery & Reconnaissance

Tools and techniques observed:

• Advanced IP Scanner and SoftPerfect Network Scanner for mapping network architecture.
• Port Scanning targeting services on ports:
• TCP: 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 115 (SFTP), 443 (HTTPS)
• Database: 1433 (MSSQL), 3050 (InterBase), 3128 (HTTP Proxy)
• Active Directory reconnaissance via Living-off-the-Land Binaries and Scripts (LOLBAS).

Lateral Movement

• RDP abuse and credential theft to escalate privileges.
• Deployment of RMM tools for persistence and further exploitation.
• Usage of compromised privileged accounts to spread laterally.

Execution & Impact

• Encryption of data using custom payloads.
• Double extortion model:
• Data exfiltration prior to encryption.
• Threat of data leakage via “Medusa Blog” on TOR networks if ransom demands are unmet.
• Ransom demands negotiated via dedicated chat portals.

Persistence Techniques

• Creation of new privileged user accounts.
• Deployment of persistence mechanisms via:
• Scheduled tasks.
• Registry key modifications.
• RMM tools maintaining C2 access.

Data Exfiltration & Collection

• Bulk exfiltration via Rclone or MegaSync.
• Pre-encryption data theft enables double extortion.
• Use of encrypted channels to evade detection.

Indicators of Compromise (IOCs)

CISA provides detailed IOCs in STIX formats:

• STIX XML
• STIX JSON

Common artifacts include:

• Suspicious RDP logins.
• Unexpected administrative account creation.
• Exfiltration tools like Rclone in unusual directories.

Mitigations & Hardening Recommendations

Patch & Vulnerability Management

• Prioritize patches for CVE-2024-1709 and CVE-2023-48788.
• Conduct vulnerability scans regularly.

Network Defense

• Enforce strict network segmentation.
• Disable unused ports and services.
• Implement access control lists (ACLs) on edge devices.

Credential Hygiene

• Enforce Multi-Factor Authentication (MFA) on all privileged accounts.
• Monitor for suspicious authentication attempts.
• Disable legacy authentication protocols.

Data Backup & Recovery

• Maintain encrypted, offline backups.
• Regularly test restoration procedures.

Logging & Monitoring

• Enable centralized logging.
• Monitor for LOLBAS activities and suspicious RMM tool deployments.
• Use Endpoint Detection and Response (EDR) solutions with behavioral analytics.

Relevant Resources

• CISA Advisory: #StopRansomware: Medusa Ransomware
• Additional defense guidance: StopRansomware.gov