ZDNETFederal authorities are warning individuals and organizations to watch out for a dangerous ransomware campaign that has recently added hundreds of victims to its count. Identifying the ransomware as Medusa, the FBI, CISA, and MS-the ISAC (Multi-State Information Sharing and Analysis Center) have issued a joint advisory with details on how these attacks have played out and how people can defend themselves against them.What is Medusa?First spotted in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that targets critical infrastructure organizations, such as those in the medical, education, legal, insurance, technology, and manufacturing sectors. Using RaaS, the developers farm out work to affiliates who carry out the actual attacks. Since just last month, developers and affiliates have hit more than 300 victims. Medusa started as a closed ransomware variant, meaning that the same cybercriminals who develop the malware also carry out the attacks. But over time, it has transitioned to an affiliate model, where hired guns launch the attacks while the developers focus on ransom negotiations and other actions. Developers typically recruit affiliates on dark web forums and marketplaces, offering them anywhere from $100 to $1 million for exclusive work. Also: That weird CAPTCHA could be a malware trap – here’s how to protect yourselfThe affiliates compromise a targeted organization using one of two methods. Phishing campaigns are the primary approach, but the attackers also exploit unpatched software vulnerabilities to gain access to a company’s resources. Once that initial access is gained, the criminals use a variety of tools to advance further. Legitimate utilities such as Advanced IP Scanner and SoftPerfect Network Scanner are used to scan for vulnerable users, systems, and open ports to exploit. Tools like PowerShell and the Windows command prompt are used to compile a list of network and file resources. The next goal is to move laterally through the network to find files that can be stolen and encrypted. For that, the attackers use remote access software such as AnyDesk, Atera, and Splashtop in combination with Remote Desktop Protocol and PsExec. When they find a valid username and password, they’ll use PsExec to run certain files and processes with system-level privileges. Also: Why rebooting your phone daily is your best defense against zero-click attacksThroughout the entire attack, the criminals also need to cover their tracks and evade detection. For that, they may exploit vulnerable or signed drivers to kill endpoint detection and response tools. A utility known as Certutil is often used to skirt detection when accessing files for encryption. Additionally, the attackers may delete the PowerShell history to wipe their command lines. Double-extortion modelLike many other strains of ransomware, Medusa employs a double-extortion model. The stolen data is not only encrypted to prevent the victim from accessing it, but the criminals also threaten to release the data publicly unless the ransom is paid. Victims are told to respond to the ransom note within 48 hours, or else the attackers will contact them by phone or email. Also: Got a suspicious E-ZPass text? It’s a trap – how to spot the scamA Medusa data leak site lists the ransom demands with a countdown until the information is released publicly. But even before the countdown ends, Medusa will promote the sale of the stolen data to interested buyers. Victims can pay $10,000 in cryptocurrency to add another day to the timer. The reported culprit behind Medusa is a group called Spearwing, according to a report published by Symantec earlier this month. Since early 2023, the group has listed almost 400 victims on its data leak site, with the actual number likely much higher. Attackers using Medusa have demanded ransoms ranging from as low as $100,000 to as high as $15 million. More
