Medusa Grew New Snakes

12364610092?profile=RESIZE_400xThe threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims unwilling to agree to their demands.   As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion, or downloading all the data.  These options have a price tag depending on the organization impacted by this group.

The Roman author Ovid describes the mortal Medusa as a beautiful maiden seduced by Poseidon in the temple of Athena.  Such a sacrilege attracted the goddess' wrath, and she punished Medusa by turning her hair into snakes. While these stories sound fantastical today, to the ancient Greeks, they were quasi-historical.

Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting high technology, education, manufacturing, healthcare, and retail industries.[1]


As many as 74 organizations, mostly in the US, the UK, France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.   Ransomware attacks organized by the group commence with exploiting internet-facing assets or applications with known unpatched vulnerabilities and hijacking legitimate accounts, often employing initial access brokers to obtain a foothold to target networks.

In one instance, researchers observed a Microsoft Exchange Server being exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software.  A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and sidestep detection. Also observed is using a pair of kernel drivers to terminate a hard-coded list of security products.

The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files save for those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).

For each compromised victim, Medusa's leak site displays information about the organizations, ransom demanded, the amount of time left before the stolen data is released publicly, and the number of views in a bid to exert pressure on the company.  The cyber threat actors also offer different choices to the victim, all of which involve some form of extortion to delete or download the pilfered data and seek a time extension to prevent the data from being released.

As ransomware continues to be an uncontrolled threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting more brazen with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels.  Recent ransomware has changed many facets of the threat landscape, but a key recent development is its increasing commoditization and professionalization.  The actors have become more business savvy.

Medusa has a media team to handle its branding efforts likely and leverages a public Telegram channel named "information support," where files of compromised organizations are shared and can be accessed over the clarinet. The channel was set up in July 2021.  “The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape," the researchers said. "This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques."

The development comes as Arctic Wolf Labs publicized two cases in which Akira and Royal ransomware gang victims were targeted by malicious third parties posing as security researchers for secondary extortion attempts.  Threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data, security researchers noted the threat actor sought about five (5) bitcoin in exchange for the service.

It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country towards the end of 2023 by exploiting a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please contact the office directly at 1-844-492-7225, or   




Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!