date 2024-01-12

A fast-rising ransomware outfit is escalating its activities and has launched a new blog offering victims a variety of payoff options, according to a report released Thursday by Palo Alto Networks' Unit 42. The new Medusa Blog is used by the group to post stolen data with the threat of exposing the data if a victim doesn't comply with the group's ransom demands.

At the onion site, which can be accessed via the Tor network, a victim can see a "countdown" to the time their data is made public and available to download, a price tag for deleting the data, and the price of a time extension—US$10,000—for delaying exposure of the data to the public.

In addition to the Medusa Blog, the group has established a public Telegram channel named "information support," which is more accessible than traditional Dark Web onion sites, for exposing files pilfered from compromised organizations.

"In the last year we’ve seen a significant number of high severity, internet accessible vulnerabilities that provided a notable opportunity for ransomware groups to exploit," says Anthony Galiette, Sr., a reverse engineer with Unit 42. "We believe these critical vulnerabilities have contributed to Medusa’s increase in activity in recent months."

Medusa group has no code of ethics

There may be another reason for Medusa’s increased activity. “Medusa has been very successful lately and notably they are a group that tends to focus specifically on the healthcare sector,” notes Darren Williams, CEO and founder of BlackFog, an endpoint security company. “This could be a contributing factor to their success as the healthcare sector is both rich with data but poor in terms of cybersecurity practices and investments with older legacy hardware and software.”

Doel Santos, a principal threat researcher at Unit 42, points out some distinctive aspects about the Medusa gang. “While technical capabilities vary between ransomware groups, Medusa is one of the few we have observed using tools such as NetScan for staging and deploying ransomware.”

He added that the group doesn’t have a code of ethics, as some groups claim to have. “Throughout 2023, we saw the group compromise multiple school districts and publish highly sensitive information about students,” Santos says.

Medusa uses initial access brokers for network access

Other distinctions include Medusa having its own media and branding team, focusing on exploiting internet-facing vulnerabilities, and using initial access brokers (IABs) to gain access to systems. “Initial access brokers provide threat actors with valet access to the front door of an organization,” Galiette explains. “While there’s a cost associated with it, leveraging these groups has proven very lucrative in the past.”

“Overall,” Galiette adds, “we’re seeing the more active or advanced ransomware groups leverage initial access brokers. The smaller or emerging ransomware groups don’t necessarily have the capital to leverage IABs in the same way.”

The group is also into double ransoms. “The use of a double ransom is notable for Medusa, where they leverage one ransom to decrypt the encrypted parts of an environment and a separate extortion demand to prevent leaking stolen data from their victims onto the larger internet,” says Steve Stone, head of Rubrik Zero Labs, the cybersecurity research unit of Rubrik, a global data security and backup software company.

Indiscriminate targeting a universal threat posed by ransomware actors

The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape, the Unit 42 report noted. This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques.

The Medusa Blog signifies a tactical evolution toward multi-extortion, with the group employing transparent pressure tactics on victims through ransom demands publicized online, it continued. With 74 organizations across a spectrum of industries affected to date, Medusa's indiscriminate targeting emphasizes the universal threat posed by such ransomware actors.

“As we can see from the statistics, the problem is not only getting worse, it is accelerating at a pace organizations cannot keep up with,” adds Williams. “We also need to recognize that the AI revolution is playing a part in this trend, as we are now seeing threat actors train their systems on vulnerabilities, products, and people. While cybersecurity companies are also using AI for prevention, it is a game of cat and mouse right now and organizations are not adopting these new technologies fast enough, or at all, to provide adequate protection.”