A fast-rising ransomware outfit is escalating its activities and has launched a new blog offering victims a variety of payoff options, according to a report released Thursday by Palo Alto Networks’ Unit 42. The group uses the new Medusa Blog to post stolen data, threatening to expose it if a victim doesn’t comply with the group’s ransom demands.

At the onion site, which can be accessed via the Tor network, a victim can see a “countdown” to the time their data is made public and available to download, a price tag for deleting the data, and the price of a time extension—US$10,000—for delaying exposure of the data to the public.

In addition to the Medusa Blog, the group has established a public Telegram channel named “information support,” which is more accessible than traditional Dark Web onion sites, for exposing files pilfered from compromised organizations.

“In the last year we’ve seen a significant number of high severity, internet accessible vulnerabilities that provided a notable opportunity for ransomware groups to exploit,” says Anthony Galiette, Sr., a reverse engineer with Unit 42. “We believe these critical vulnerabilities have contributed to Medusa’s increase in activity in recent months.”

Medusa group has no code of ethics.

There may be another reason for Medusa’s increased activity. “Medusa has been very successful lately and notably they are a group that tends to focus specifically on the healthcare sector,” notes Darren Williams, CEO and founder of BlackFog, an endpoint security company. “This could be a contributing factor to their success as the healthcare sector is both rich with data but poor in terms of cybersecurity practices and investments with older legacy hardware and software.”

Doel Santos, a principal threat researcher at Unit 42, points out some distinctive aspects about the Medusa gang. “While technical capabilities vary between ransomware groups, Medusa is one of the few we have observed using tools such as NetScan for staging and deploying ransomware.”