The Medusa ransomware gang has infected over 300 organizations in critical infrastructure sectors such as healthcare, manufacturing, and technology. A joint cybersecurity advisory published by CISA, the FBI, and MS-ISAC noted that Medusa has been active since 2021 and uses a double extortion model, where it encrypts victim data and threatens to publicly release exfiltrated data if a ransom is not paid.
The gang typically employs initial access brokers on cybercriminal forums to gain entry into victims’ environments. They use legitimate software, including remote access tools like AnyDesk, to move laterally within the network. Medusa actors also use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems, and networks.
To evade detection, the threat actors employ living-off-the-land (LotL) techniques and increasingly complex PowerShell techniques. A key component of some attacks is the "bring your own vulnerable driver" (BYOVD) technique, which loads vulnerable or otherwise abusable signed drivers to terminate and delete endpoint detection and response (EDR) products.
Symantec’s Threat Hunter team recently investigated an attack against a healthcare entity and found that Medusa actors used custom-developed malicious tools like AVKill and POORTRY to bypass security software. The attackers also used RClone for data exfiltration and PsExec to issue commands remotely.
To mitigate the threat of Medusa ransomware, CISA, the FBI, and MS-ISAC recommend disabling command-line and scripting activities and permissions to limit LotL techniques. They note that privilege escalation and lateral movement often depend on software utilities running from the command line.
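The tradecraft summarized above (remote-access and scanning tools, RClone and PsExec, PowerShell abuse, and BYOVD driver loads) maps directly onto a small set of host-telemetry checks. The following Python script is an added example written for this page; it is not code from the advisory, CISA, or Symantec. It runs a few defender-side heuristics over constructed Sysmon-style events (Event ID 1 process creation, Event ID 6 driver load). The executable names, the trusted-signer baseline, and the PowerShell switch heuristics are assumptions chosen for illustration, not an authoritative detection rule set.

```python
"""Triage constructed Sysmon-like events for the Medusa-style tradecraft
described in the advisory: tool use, scripting abuse, and suspect driver loads.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    event_index: int
    tactic: str
    detail: str


# Tools named in the advisory coverage (PsExec, RClone, AnyDesk, Advanced IP
# Scanner, SoftPerfect Network Scanner). The executable name patterns are
# assumptions for this example.
TOOL_PATTERNS = {
    "lateral_movement": re.compile(r"psexec|anydesk", re.I),
    "exfiltration": re.compile(r"\brclone", re.I),
    "discovery": re.compile(r"advanced_ip_scanner|netscan", re.I),
}

# Script hosts the advisory recommends restricting, plus powershell.exe switches
# commonly seen in LotL abuse (encoded command, hidden window, no profile,
# execution-policy bypass). Treating them as suspicious is a heuristic.
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript)\.exe$", re.I)
SUSPICIOUS_PS = re.compile(
    r"-(enc(odedcommand)?|nop|noprofile|w(indowstyle)?\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.I,
)

# Constructed baseline: drivers are expected to be Microsoft-signed and to live
# in the system drivers directory. A real deployment would also compare driver
# hashes against a maintained vulnerable-driver blocklist.
TRUSTED_SIGNERS = {"Microsoft Windows"}
DRIVER_DIR = re.compile(r"^[A-Z]:\\Windows\\System32\\drivers\\", re.I)

# Constructed sample events (field names mirror Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\SRV01 -s cmd.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares\HR backup:share", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA...", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --service", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "CommandLine": "netscan.exe /range:10.0.0.0/24", "User": r"CORP\jdoe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\abcd.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor Ltd"},
]


def basename(path: str) -> str:
    """Return the last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triage(events) -> list:
    """Return one Finding per event that matches a heuristic, in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            # Known tool launched: attribute it to the tactic it supports.
            for tactic, pat in TOOL_PATTERNS.items():
                if pat.search(image):
                    findings.append(Finding(i, tactic, f"{image} launched by {ev['User']}"))
            # Script host with switches typical of LotL abuse.
            if SCRIPT_HOSTS.search(image):
                hits = [m.group(0) for m in SUSPICIOUS_PS.finditer(ev["CommandLine"])]
                if hits:
                    findings.append(Finding(i, "scripting_abuse", f"{image}: {', '.join(hits)}"))
        elif ev["EventID"] == 6:
            path, signer = ev["ImageLoaded"], ev.get("Signature", "")
            reasons = []
            # A valid signature alone proves nothing for BYOVD: check signer and path.
            if signer not in TRUSTED_SIGNERS:
                reasons.append(f"signer '{signer}' not in baseline")
            if not DRIVER_DIR.match(path):
                reasons.append("loaded from outside the drivers directory")
            if reasons:
                findings.append(Finding(i, "defense_evasion_byovd",
                                        f"{basename(path)}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.tactic:<22} {f.detail}")
```

Note the design choice on driver loads: the sample driver in `C:\Windows\Temp` is flagged even though it is validly signed, because BYOVD relies on exactly that property. Signature validity should therefore never be the sole acceptance criterion; signer allow-listing, load path, and a vulnerable-driver hash blocklist are the checks that matter.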
Source: https://www.cybersecuritydive.com/news/medusa-ransomware-slams-critical-infrastructure-organizations/742428