An analysis conducted by Renzon Cruz, Principal DFIR Consultant at Unit 42 by Palo Alto Networks, provides valuable insights into the behavior, distribution, and impact of the Medusa ransomware.
Ransomware has emerged as a significant threat, encrypting victim’s files and demanding a ransom for their release. Medusa is a recent variant of ransomware that has caught the attention of security researchers. This article aims to present an overview of Medusa’s impact on the country’s health insurance program, shedding light on its distribution patterns, behavior, and consequences.
Cruz explains that Medusa is primarily distributed as an executable file. The ransomware employs various tactics to gain initial access. It may exploit vulnerabilities, launch well-crafted phishing attacks, or launch brute force attacks on exposed RDP servers. Once executed, Medusa encrypts files, appending the .MEDUSA extension, and deletes backups and virtual hard disks to make data recovery impossible.
The file size of Medusa is 1.5 MB, and it utilizes UPX packing to evade detection by antivirus software. Additionally, the executable file cleverly disguises itself as a Microsoft Word icon to deceive users into opening it. The ransom note, named !!!READ_ME_MEDUSA!!!.txt, instructs victims to contact the attackers through TOR chat or a TOX ID. However, at the time of writing, both methods were non-functional.
Medusa’s malicious actions encompass several steps. Firstly, it encrypts files with various extensions using an AES-256 encryption algorithm. The .MEDUSA extension is then added to the encrypted files. Secondly, a ransom note is created in every folder containing encrypted files, providing instructions for contacting the attackers. Unfortunately, current victims have no means of communication or file recovery. Thirdly, Medusa terminates 228 services on the infected computer, including prominent security software, disabling any attempts to run antivirus scans or remove the ransomware.
In addition, Medusa initiates multiple processes like powershell.exe, net.exe, vssadmin.exe, taskkill.exe, and cmd.exe. These processes are responsible for deleting backup and disk-related files associated with Windows Backup and Restore feature or virtual machines. By removing these files, Medusa wipes out any chances of data restoration from backups or snapshots. Furthermore, the ransomware eliminates the Volume Shadow Copy (VSS) on the infected computer, further hindering file recovery.
Cruz emphasizes the severity of Medusa’s threat, warning that it can cause irreversible damage to victims’ data and systems. To protect against Medusa and similar threats, users are advised to avoid opening suspicious attachments or clicking on unfamiliar links. Regularly updating security software is crucial, as is maintaining proper backup procedures and storing files in secure locations. Paying the ransom without obtaining the decryption key can lead to financial losses, while the ransomware’s access to encrypted files may expose sensitive information. Cruz also mentions that Medusa’s reach extends beyond Windows systems, highlighting a Linux server variant that typically deploys crypto-mining malware like XMRig. Work on Medusa analysis is ongoing, with Cruz promising to share further details in the future.