Unit 42 Threat Intelligence analysts have noticed an increase in Medusa ransomware activity and a shift toward multi-extortion tactics, marked by the creation of the group's Medusa Blog in 2023. The blog is used to reveal sensitive data from victims who refuse to meet ransom demands. The threat actors offer victims various options such as time extensions, data deletion, and data downloads, each with a corresponding price tag. Additionally, Medusa threat actors use a public Telegram channel to share data from compromised organizations.
The Unit 42 Incident Response team has responded to a Medusa ransomware incident and has discovered tactics, tools, and procedures used by the group. Palo Alto Networks customers are protected against Medusa ransomware through Cortex XDR and WildFire Cloud-Delivered Security Services. The Cortex XDR agent provides out-of-the-box protections that prevent adverse behavior from Medusa ransomware samples. Prisma Cloud Defender Agents can monitor Windows virtual machines for known Medusa malware, and Cortex Xpanse can detect vulnerable services exposed to the internet that may be infected with Medusa ransomware.
The article provides an overview of Medusa Ransomware as a Service and its impact on Windows environments. The ransomware group mainly targets businesses and implements living-off-the-land techniques by using legitimate software for malicious purposes. The group’s multi-extortion strategy includes their dedicated leak site Medusa Blog and a public Telegram channel for data sharing and negotiation with victims. The article concludes with an analysis of the sectors most affected by Medusa ransomware and an exploration of the tools and techniques used by the group.