By Caique Barqueta: Considered one of the most active ransomware groups of 2023, Medusa is a constantly evolving operation, including in the way it publishes victims' stolen data, which ends up on its data leak site on the Tor (onion) network.
It is easy to confuse ransomware operations here, because at least two distinct groups call themselves Medusa. To tell them apart, we need to describe how each one identifies itself and how it operates.
MedusaLocker began operating in mid-September 2019. There is no record of how the ransomware was being distributed at the time; what was verified is the large number of variants uploaded to the ID Ransomware website. This variant used a ransom note named "How_to_back_files.html".
Medusa has been identified as starting its campaign in mid-June 2021. Its ransom note is named "!!!READ_ME_MEDUSA!!!.txt" and it appends the ".MEDUSA" extension to encrypted files.
Besides these two ransomware families, other malware also uses the Medusa name, such as an Android malware and a Mirai-based DDoS botnet.
MedusaLocker
As mentioned, the MedusaLocker ransomware operation began in 2019. Once launched, the payload runs a series of preparatory routines so that the target computer or host is ready for encryption.
First, the ransomware sets the EnableLinkedConnections value under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 1. This makes drives mapped under the user's standard token visible to the elevated (UAC) token as well, so that the encryption process can reach mapped network drives.
Next, it restarts the LanmanWorkstation service so that the Windows network client is running and the mapped network drives are accessible.
The ransomware also searches for and terminates the following processes and services, so that the files they hold open are closed and available for encryption:
Wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlServr, Sqlagent, Sqladhlp, Culserver, RTVscan, Sqlbrowser, SQLADHLP, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, Sqlwriter, Msmdsrv, Tomcat6, Zhudongfangyu, Vmware-usbarbitator64, Vmware-converter, Dbsrv12, Dbeng8, wxServer.exe, wxServerView, Sqlservr.exe, Sqlmangr.exe, RAgui.exe, Supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, Sqlbrowser.exe, Winword.exe, QBW32.exe, Qbupdate.exe, QBCFMonitorService.exe, Axlbridge.exe, QBIDPService.exe, Httpd.exe, Fdlauncher.exe, MsDtSrvr.exe, Tomcat6.exe, Java.exe, 360se.exe, 360doctor.exe, Wdswfsafe.exe, Fdhost.exe, GDscan.exe, ZhuDongFangyu.exe
The ransomware also wipes Volume Shadow Copies so that files cannot be restored, deletes backups made with the Windows Backup service, and disables automatic Windows startup repair, using the following commands:
vssadmin.exe Delete Shadows /All /Quiet
wmic.exe SHADOWCOPY /nointeractive
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
MedusaLocker then scans all drives on the device for files to encrypt. It skips files with the extensions .exe, .dll, .sys, .ini, .lnk, .rdp and .encrypted (or whichever extension the variant uses for encrypted files), as well as files stored in the following folders:
USERPROFILE, PROGRAMFILES(x86), ProgramData, \AppData, WINDIR, \Application Data, \Program Files, \Users\All Users, \Windows, \intel, \nvidia
The ransomware uses AES to encrypt the files; the AES key is then encrypted with an RSA-2048 public key embedded in the ransomware payload.
Each encrypted file receives one of the extensions below; the extension varies by variant and version:
.encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, .skynet
Figure 1 - Files encrypted by MedusaLocker.
After encryption the ransomware sleeps for approximately 60 seconds and then scans the drives again for new files to encrypt.
When executed, the ransomware copies itself to %UserProfile%\AppData\Roaming\svchostt.exe and creates a scheduled task that launches that copy every 30 minutes in order to remain persistent.
In each folder where files are encrypted, MedusaLocker creates a ransom note named "HOW_TO_RECOVER_DATA.html" or "Readme.html", which contains the contact e-mail addresses and payment instructions.
Figure 2 - MedusaLocker ransom note.
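The persistence described above (a copy under %UserProfile%\AppData\Roaming with an svchost.exe look-alike name, launched by a scheduled task every 30 minutes) is easy to hunt for because Windows stores one XML document per task under C:\Windows\System32\Tasks. The following script is an added example, not code from the original report or from the malware: it parses Task Scheduler XML and flags actions that run from a user-writable profile path, binaries whose name is within two edits of svchost.exe (svchostt.exe, svhost.exe), short repetition intervals, and PowerShell launched with -executionpolicy bypass (the launch method quoted for the Medusa -w option further down). The two task documents below are constructed for the demo; the path thresholds and the one-hour interval cutoff are assumptions to tune for your environment.

```python
r"""Hunt for MedusaLocker-style scheduled-task persistence in Task Scheduler XML.

Added example (not from the original report). Parses the XML files Windows keeps
under C:\Windows\System32\Tasks; run scan_task_dir() on a host, or feed
analyze_task_xml() an exported task. Sample tasks below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a service-like binary should never be launched from (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public|Downloads)\\", re.I)
# Task Scheduler repetition intervals are ISO 8601 durations, e.g. PT30M, P1DT2H.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", re.I)


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration to seconds (None if unparsable)."""
    m = DURATION.match(value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(command):
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_svchost_lookalike(command):
    """True for names within edit distance 2 of svchost.exe that are not svchost.exe."""
    name = basename(command)
    return name != "svchost.exe" and levenshtein(name, "svchost.exe") <= 2


def analyze_task_xml(xml_data, max_interval_s=3600):
    """Return a list of finding strings for one Task Scheduler XML document.
    Pass bytes for real task files so ElementTree honours their UTF-16 declaration."""
    root = ET.fromstring(xml_data)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from user-writable path: {cmd}")
        if is_svchost_lookalike(cmd):
            findings.append(f"svchost.exe look-alike name: {basename(cmd)}")
        if re.search(r"-executionpolicy\s+bypass", args, re.I):
            findings.append(f"PowerShell execution policy bypass: {args}")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(iv.text or "")
        if secs is not None and secs <= max_interval_s:
            findings.append(f"short repetition interval: {iv.text} ({secs}s)")
    return findings


def scan_task_dir(task_dir=r"C:\Windows\System32\Tasks"):
    """Yield (path, findings) for every task file that produces at least one finding."""
    for p in Path(task_dir).rglob("*"):
        if p.is_file():
            try:
                hits = analyze_task_xml(p.read_bytes())
            except ET.ParseError:
                continue
            if hits:
                yield str(p), hits


# Constructed sample: what a MedusaLocker-style task would look like.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2023-05-10T02:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\svchostt.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: system binary, daily schedule, no findings expected.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2023-01-01T03:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in analyze_task_xml(SUSPICIOUS_TASK):
        print("suspicious:", finding)
    print("benign findings:", analyze_task_xml(BENIGN_TASK))
```

The look-alike check is deliberately broader than the two names seen in this report (svchostt.exe, svhost.exe): any name one or two edits away from svchost.exe outside the real path is worth a second look. Run the directory scan with administrative rights, since task files are not readable by standard users.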
At the time it was identified, MedusaLocker was therefore highly destructive ransomware, and it claimed several victims during its operation.
Medusa Ransomware
Regarding the Medusa Ransomware sample obtained, whose operation began in 2021, so far only samples for the Windows operating system have been observed.
The ransomware payload is configurable: it accepts command line arguments with which the threat actor controls how and which files are encrypted on the device, as shown below:
Argument | Description
-V | Get version
-d | Do not delete self
-f | Exclude system folder
-i | In path
-k | Key file path
-n | Use network
-p | Do not preprocess (preprocess = kill services and delete shadow copies)
-s | Exclude system drive
-t | Note file path
-v | Show console window
-w | Initial run PowerShell path (powershell -executionpolicy bypass -File %s)
One example is that if the command line argument "-v" is used it will cause the ransomware to display a console showing status messages while encrypting a device.
Figure 3 - Console displayed by the Medusa Ransomware.
If run without any command line arguments, Medusa terminates more than 280 Windows services and processes which, if left running, would interfere with its execution and with encryption (for example by keeping files open).
The ransomware also deletes Windows shadow volume copies to prevent restoration, using the following commands:
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded
The encryption was identified as AES-256 combined with RSA-2048, implemented through the Windows BCrypt (CNG) library. According to the researchers, this implementation differs from MedusaLocker's.
After encrypting the files, the Ransomware will add the extension ".MEDUSA" to the names of the encrypted files.
Figure 4 - Files encrypted by Medusa.
In each folder it encrypts, the ransomware creates a ransom note named "!!!READ_ME_MEDUSA!!!.txt" describing what happened to the victim's files.
The ransom note also lists the contact channels for the extortion: a Tor data leak site, a Telegram channel, a Tox ID and the e-mail address "key.medusa.serviceteam@protonmail.com".
Figure 5 - Medusa Ransomware Ransom Note.
Next, to prevent restoration from backups, Medusa runs the command below to delete locally stored files associated with backup programs such as Windows Backup, as well as virtual hard disks (VHD) used by virtual machines (%s is a format placeholder that the sample fills in with each drive path):
del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBackup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
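Both families inhibit recovery with the same small set of built-in tools: MedusaLocker's vssadmin, wmic, bcdedit and wbadmin commands listed earlier, and Medusa's vssadmin resize shadowstorage and the del sweep of *.VHD/*.bak files just shown. A single such command is routine administrator noise, but several distinct ones on one host within minutes is a high-fidelity ransomware precursor. The detector below is an added example, not code from the original report: it classifies process-creation command lines against rules built from exactly the commands quoted on this page and alerts when a host shows two or more distinct techniques inside a ten-minute window. The event records are constructed Sysmon-style dictionaries; the field names, window and threshold are assumptions.

```python
"""Detect backup/recovery-inhibition command lines (MITRE ATT&CK T1490).

Added example, not from the original report. Rule patterns are derived from
the MedusaLocker and Medusa commands quoted above; input events are constructed
process-creation records with assumed field names (ts, host, cmdline).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_unbounded",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*maxsize=unbounded", re.I)),
    # skip read-only "wmic shadowcopy list/get" queries
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b(?!\s+(?:list|get)\b)", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("system_state_backup_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b", re.I)),
    ("backup_file_wipe",
     re.compile(r"\bdel\s+(?:/[sfq]\s+)+.*\*\.(?:vhd|bac|bak|wbcat|bkf|set|win|dsk)\b", re.I)),
]


def classify(cmdline):
    """Return the names of all rules that match one command line (RULES order)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def hunt(events, min_techniques=2, window=timedelta(minutes=10)):
    """Group rule hits per host; alert when >= min_techniques distinct techniques
    occur within `window` of each other. One hit alone is left as a weak signal."""
    per_host = defaultdict(list)
    for ev in events:
        techs = classify(ev["cmdline"])
        if techs:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), techs, ev["cmdline"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            techs = sorted({t for _, ts, _ in in_window for t in ts})
            if len(techs) >= min_techniques:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "techniques": techs, "commands": [h[2] for h in in_window]})
                break
    return alerts


# Constructed events: WS01 runs the MedusaLocker sequence; FS02 has a routine
# shadow-storage resize one morning and the Medusa pair the next night.
SAMPLE_EVENTS = [
    {"ts": "2023-05-10T02:14:03", "host": "WS01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2023-05-10T02:14:04", "host": "WS01", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"ts": "2023-05-10T02:14:05", "host": "WS01", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2023-05-10T02:14:06", "host": "WS01", "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"ts": "2023-05-10T09:30:00", "host": "FS02", "cmdline": "vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20GB"},
    {"ts": "2023-05-11T23:58:40", "host": "FS02", "cmdline": "cmd.exe /c del /s /f /q D:\\*.VHD D:\\*.bac D:\\*.bak D:\\*.wbcat"},
    {"ts": "2023-05-11T23:58:41", "host": "FS02", "cmdline": "vssadmin resize shadowstorage /for=D: /on=D: /maxsize=unbounded"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], alert["techniques"])
```

The resize rule only fires on maxsize=unbounded (the value Medusa uses to lift the storage cap before deleting), so the ordinary 20GB resize on FS02 is ignored, while the later del sweep plus unbounded resize pair is enough to alert. Feed it Sysmon Event ID 1 or Windows 4688 command lines and raise min_techniques if your backup tooling legitimately runs these commands together.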
The Medusa ransomware also has a data leak site on which it advertises the companies that have fallen victim, threatening to publish the files exfiltrated from the victims' environments.
Figure 6 - Screenshot of Medusa's data leak site.
In addition to publishing the files, the Medusa Ransomware threat actors have started producing videos on the Vimeo platform to showcase the files taken from the victim, complete with an intro sequence (vignette), which shows that beyond developing the ransomware they also take a certain care over the presentation of their leak announcements.
Figure 7 - Introduction to the Medusa data leak video.
Medusa botnet
Recently, a new version of the Medusa DDoS (distributed denial of service) botnet has resurfaced. It is built on the leaked Mirai botnet source code and adds a ransomware module and a Telnet brute-forcer.
The Medusa malware is a variant of an older strain that has been advertised on darknet markets since 2015 and gained HTTP-based DDoS capabilities in 2017.
The new variant continues that old strain; its latest version, found in 2023, is based on the leaked Mirai source code and inherits Mirai's Linux targeting and its extensive set of DDoS attack options.
In addition, the malware is promoted as MaaS (malware as a service) for DDoS or mining through a dedicated portal, promising service stability, customer anonymity, support, an easy-to-use API and pricing adjusted to the customer's needs.
Figure 8 - Medusa's MaaS website and advertisement.
Another notable addition is a ransomware function that walks every directory looking for file types eligible for encryption. The analysis was published by Cyble, which listed the targeted file types, mainly documents and vector drawing files.
Figure 9 - Types of files targeted by Medusa.
Valid files are encrypted using AES-256 encryption and the extension ".medusastealer" is appended to the name of the encrypted files.
Figure 10 - Function of the Medusa ransomware malware.
However, the encryption routine appears to be broken, which effectively turns the ransomware into a data wiper: after encrypting the files, the malware sleeps for 86,400 seconds (24 hours) and then deletes all files from the system drives.
Only after deleting the files does it display a ransom note demanding 0.5 BTC, which defeats the purpose of the extortion attempt.
Figure 11 - Medusa's ransom note.
The researchers believe this is a bug in the code, since wiping the system drives leaves victims unable to use their systems or read the ransom note. The bug also suggests that this new Medusa variant, or at least this feature, is still under development.
Moreover, this variant does not steal the user's files before encryption; instead it collects basic system information that helps identify victims and estimate the resources that can be used for mining and DDoS attacks.
Figure 12 - Data exfiltration from the breached system.
The malware also includes a brute-force routine that tries usernames and passwords commonly used on Internet-connected devices; on success it attempts to download an additional payload, which the researchers were unable to retrieve and analyze.
Next, the malware runs the "zmap" command to find other devices with a Telnet service listening on port 23, then tries to log in to the discovered IP addresses with combinations of usernames and passwords.
Finally, once a Telnet session is established, the malware infects the system with Medusa's primary payload ("infection_medusa_stealer").
Figure 13 - Telnet attack function.
Medusa's final payload also has incomplete support for the "FivemBackdoor" and "sshlogin" commands, another sign that the code is still under active development.
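The propagation loop described above (zmap sweeps for TCP/23, then credential guessing against every responder) leaves two distinct shapes in network telemetry: one source touching many hosts on port 23 within seconds, and one source opening many short Telnet sessions to a single host. The detector below is an added example, not code from the original report or from Cyble: it reads Zeek conn.log-style tab-separated records and reports both patterns. The records are constructed (RFC 5737 documentation addresses), and the column layout, window sizes and thresholds are assumptions to tune for your network.

```python
"""Spot Mirai/Medusa-style Telnet scanning and brute forcing in connection logs.

Added example, not from the original report. Input is a Zeek conn.log-like TSV
with the assumed CONN_FIELDS layout; sample records are constructed.
"""
from collections import defaultdict

CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "duration", "conn_state")


def parse_conn(lines):
    """Yield one dict per non-comment TSV line, with numeric fields converted."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        yield rec


def detect_telnet_activity(records, scan_threshold=20, window=60.0,
                           bf_threshold=5, bf_window=300.0):
    """Return findings as tuples:
    ("telnet_scan", src, n_hosts)          -> >= scan_threshold distinct hosts on
                                               TCP/23 from one source within `window` s
    ("telnet_bruteforce", src, dst, n)     -> >= bf_threshold sessions from one
                                               source to one host:23 within `bf_window` s
    """
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == 23:
            by_src[r["orig_h"]].append(r)
    findings = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        # horizontal scan: peak number of distinct destinations in a sliding window
        peak, j = 0, 0
        for i, r in enumerate(rs):
            while r["ts"] - rs[j]["ts"] > window:
                j += 1
            peak = max(peak, len({x["resp_h"] for x in rs[j:i + 1]}))
        if peak >= scan_threshold:
            findings.append(("telnet_scan", src, peak))
        # brute force: repeated sessions to the same destination
        per_dst = defaultdict(list)
        for r in rs:
            per_dst[r["resp_h"]].append(r["ts"])
        for dst, times in per_dst.items():
            j = 0
            for i, t in enumerate(times):
                while t - times[j] > bf_window:
                    j += 1
                if i - j + 1 >= bf_threshold:
                    findings.append(("telnet_bruteforce", src, dst, i - j + 1))
                    break
    return findings


def _constructed_log():
    """Build a small constructed log: one zmap-like scanner, one brute forcer, benign traffic."""
    base = 1683683000.0
    lines = ["#fields\t" + "\t".join(CONN_FIELDS)]
    for i in range(25):  # scanner: 25 hosts on port 23 in 25 seconds, SYN only (S0)
        lines.append(f"{base + i}\tC{i}\t198.51.100.7\t{40000 + i}\t203.0.113.{i + 1}\t23\ttcp\t-\tS0")
    for i in range(6):   # brute forcer: 6 short full sessions to one device in 30 seconds
        lines.append(f"{base + 100 + 5 * i}\tB{i}\t198.51.100.9\t{50000 + i}\t203.0.113.50\t23\ttcp\t1.2\tSF")
    lines.append(f"{base + 200}\tN1\t198.51.100.20\t51000\t203.0.113.60\t22\ttcp\t300.0\tSF")  # ssh
    lines.append(f"{base + 210}\tN2\t198.51.100.21\t51001\t203.0.113.61\t23\ttcp\t45.0\tSF")   # one admin login
    return lines


SAMPLE_LOG = _constructed_log()


def run_demo():
    return detect_telnet_activity(parse_conn(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Zeek's real conn.log has more columns than this layout; map the fields by name from its #fields header rather than by position before pointing the function at production data. Because the scanner shows S0 (no reply) on most probes, counting distinct destinations rather than completed sessions is what makes the sweep visible.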
Conclusion
As you can see, the name "Medusa" is being used by various malware and ransomware groups, which present themselves as MedusaLocker, Medusa Ransomware or MaaS Medusa.
With its high destructive power, Medusa Ransomware in particular has been observed in attacks on organizations worldwide, including in Latin America, with ransom demands running into the millions.
Recommendations
In addition to the indicators of compromise listed below by ISH, the following measures can help mitigate infection by this malware:
- Regular backups: store backup copies of all important data in a secure, offline (disconnected) location.
- Software updates: keep all software on your assets up to date, including operating systems and applications.
- Network protection: use firewalls, antivirus and other security controls to protect your network.
- Employee awareness: teach staff to recognize and avoid threats such as phishing and malicious links.
- Regular monitoring of your network and systems, to identify and respond quickly to any suspicious activity.
- Creation and application of an incident response plan which, in the case of a ransomware attack, covers matters such as backups and system recovery.
Indicators of Compromise
ISH Tecnologia maintains a number of Indicators of Compromise collected from open and closed sources, as well as from analyses carried out by the Heimdall security team. Below we list all the Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report.
Malicious/analyzed artifact compromise indicators | |
md5: | 19ddac9782acd73f66c5fe040e86ddee |
sha1: | 24ceba1e2951cde8e41939da21c6ba3030fc531d |
sha256: | dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95 |
File name: | svchostt.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | 06ff220aea6c9e27fd1765f25b9e27fb |
sha1: | fdf63523e9d0c27025d2df05de841e1079c974d4 |
sha256: | 02d420c8ec7f6f944d053373e788f734b0a9a7b6c6d3bb07ade5a9728ed038af |
File name: | svhost.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | aa3684dd93b13628b626723bfe313dbc |
sha1: | d2a08733f52ba0187dd43a45b7ea6953f69522bd |
sha256: | 02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92 |
File name: | svchostt.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | a80b79de02d6881d5e54afcefa38298a |
sha1: | e0d3e2612a757ff5be818b114028a0e4bb562bc5 |
sha256: | 033b4950a8f249b20eb86ec6f8f2ea0a1567bb164289d1aa7fb0ba51f9bbe46c |
File name: | 64CO.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | 87c5c72a57a08ca2f3bfac5485eb0fe6 |
sha1: | 4d38a9aaa50bc35439054610bb45eb2298458404 |
sha256: | 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c |
File name: | Sh_1.8.2_2.exe |
Malicious/analyzed artifact compromise indicators | ||
md5: | c963b021bb8c55cacd4b830c67186232 | |
sha1: | 58b69e090c23bbb16b656ee750f4e5a9aff246b2 | |
sha256: | 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2 | |
File name: | svhost.exe | |
Malicious/analyzed artifact compromise indicators | ||
md5: | da9d1a7d9a121cd33c22e22bc064ed80 | |
sha1: | e612d668e95007c8991773e3a778411636dbd11c | |
sha256: | 0432b4ad0f978dd765ac366f768108b78624dab8704e119181a746115c2bef75 | |
Malicious/analyzed artifact compromise indicators | |
md5: | 47d3b5d4e9a2ffb63b78c8a6a5dc5939 |
sha1: | 5605157eae0ba33b13fe54745a68a9ceaa1e7216 |
sha256: | 047afef95d0db82439c20da0bcd544af6d4b670f1417d7a4d51c940588d5e74c |
Malicious/analyzed artifact compromise indicators | |
md5: | 4660887b36d65e42b7d71d5e18187dfe |
sha1: | 49ad1eecb9bbb8d736833006685b8c2c1300115b |
sha256: | 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873 |
File name: | 64_MEcip3.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | 776c3265856d049f8eba7b6e539328f7 |
sha1: | ac4cb42d50b07a2ace5937d94e4f581ab6bbbf46 |
sha256: | 0899dc78882197aa1fed57e1c76fc8bfac94475d58ea23722388de813ab6f65d |
Malicious/analyzed artifact compromise indicators | |
md5: | 7bd13614cc9bec4e996e315eefae7150 |
sha1: | 00b0352233f29a8a9942a84c8dd9bf8cd44f72d4 |
sha256: | 08bdbb7d507b7d9173b78ec8430882dac14a3c653cc41feb21bc2364f0e0b32f |
Malicious/analyzed artifact compromise indicators | |
md5: | a410f9ba08fd91c86da28a564852aa50 |
sha1: | 55850587b950c6b9a07bf6f9a5e8b0dbadcb45be |
sha256: | 08ce4d126715ecb4001d02e9eb1e10fb24c20b3a0c7ecc3a4170073caa93a44e |
Malicious/analyzed artifact compromise indicators | |
md5: | 0d2a9990e815349c4e6fa8573ccf5bda |
sha1: | 52326d4bff0d80a045006f1a44de0e3a8f942557 |
sha256: | 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26 |
Malicious/analyzed artifact compromise indicators | |
md5: | 50cb8959fad4a94b2c6927325e46306d |
sha1: | 1db0f2a6e3415f49681ee56bba524e3ad4a3810e |
sha256: | 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610 |
File name: | svhost.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | cc3652c078fa2bdfbbfae33335c30bda |
sha1: | b3d3ad0c2c9d526717f55c431d51c2f1e957325b |
sha256: | 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad |
Malicious/analyzed artifact compromise indicators | |
md5: | f8efb1d4be09451e1e5fdbdcc6c4e51e |
sha1: | a74dd8e31ee3229fe076168f3bd0da941fd2b345 |
sha256: | 0bad6382f3e3c8bf90f4a141b344154f8f70e31a98f354b8ac813b9fcdaf48f7 |
Malicious/analyzed artifact compromise indicators | |
md5: | 6fa0eba23d16066944fa81e1bd50ae2a |
sha1: | c764db086d8f21e64aedb469f69f202af1b2c5a0 |
sha256: | 0c840606112df18bfa06d58195a0ed43715c56899445d55f55bc3789fde14ed9 |
Malicious/analyzed artifact compromise indicators | |
md5: | e63e41e15e86489a98dbeb2e6cb44e8a |
sha1: | 5815d349a375f5cdf090ababcff86b3946ed6c07 |
sha256: | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da |
File name: | 2.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | 1a2f56aa0186b98dc77f5f493cd592b4 |
sha1: | fbf4c6cc257bd31c9c1628e805ce85b14284713a |
sha256: | 0f3bc144689b4ba5a96b87f8ada895b0c7a283e72aa9c533d63d6959138ca531 |
Malicious/analyzed artifact compromise indicators | |
md5: | ec931ad8f9d14cb56ba08f53ecd06899 |
sha1: | 1e0fefc24d52ea727a0cca157d71389744cad726 |
sha256: | 0f58037bc1571e77b4d542ea7dbd91ffd1ea4c0d09898f78d679b1ed08fb51d7 |
Malicious/analyzed artifact compromise indicators | |
md5: | 6701070c21d3c6487c3e6291f2f0f1c9 |
sha1: | 7219f91bd5fb94128159d18956e1bd9132bf10e0 |
sha256: | 104ffe0cc10413b8c3dd04fdc921f07c3cc55efba9a63ccdccf45e4012151c5f |
File name: | svchostt.exe |
Malicious/analyzed artifact compromise indicators | |
md5: | ed64d941fd8603196c0e31ae58c1992d |
sha1: | 54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b |
sha256: | 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c |
File name: | medusa_stealer.x86 |
Malicious/analyzed artifact compromise indicators | |
md5: | e3a08ffb7106ece9612d3aa8078a8287 |
sha1: | c059eec897c48b81cfc6a6765e176cc88231c31e |
sha256: | 87b5ba7da8aa64721baca0421a01e01bb1f1ca8a2f73daa3ca2f5857e353c182 |
File name: | medusa_stealer.sh |
Malicious/analyzed artifact compromise indicators | |
md5: | 336674857b5ede1e09daeff1a14adedc |
sha1: | 088332f4ff6b6a12f094a429d6f60ec500d3d85b |
sha256: | 2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33 |
File name: | clientv2.py |
Malicious/analyzed artifact compromise indicators | |
md5: | ed24c7c0b73887e35f1c12ab0dda98fe |
sha1: | dc6ea04feb31eb9539f577d7965d0fb925dd7e52 |
sha256: | bce94b214a6bae00b03ada34c66210d9143895d6c0be9e21c10e9951cc469fbf |
File name: | clientv2.py |
Malicious/analyzed artifact compromise indicators | |
md5: | 14655930fab2319ff9cd5187a0caa242 |
sha1: | 3bcbc498de18d91a1d05e428fa94e4145959fbd2 |
sha256: | 48f5f09ddd7089a9397d26e219eb1a1a937c3238f7ecdc7cdfc5383141d77ad9 |
File name: | clientv2.py |
Malicious/analyzed artifact compromise indicators | |
md5: | 1eee2293e51b01300c75b649715e472d |
sha1: | b2134b18e827402378da09a8dcd9da92509e8131 |
sha256: | 5799ee35a334f839bb666a0136ca2615390d0b7fb6a14875bafbfab3414045e9 |
File name: | clientv2.py |
Distribution URLs, C2 IP addresses and contact e-mail addresses:
sambolero@tutanoa.com
rightcheck@cock.li
hxxp://45.145.167[.]117/medusa_stealer.sh
jellyfish-stealer[.]cc
Note: the links and IP addresses listed above may still be active; handle these IoCs with care and do not open them directly, to avoid becoming a victim of the malicious content they host.
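To put the indicators above to use without touching the live infrastructure, a responder needs two small things: a safe way to turn the defanged values (hxxp, [.]) back into exact strings for a blocklist or SIEM, and a sweep that hashes files on a suspect host and compares them against the report's SHA-256 values and file names. The script below is an added example, not code from ISH or the original report; the hash dictionary is a subset copied from the IoC table above, the demo directory is constructed in a temporary folder, and the "simulated hash hit" entry is added at runtime only so the demo can show a true-positive offline.

```python
"""Refang defanged IoCs and sweep a directory tree for the report's file hashes/names.

Added example, not from the original report. Hashes are copied from the IoC
table above (subset); demo files are constructed in a temporary directory.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 -> file name, copied from the IoC table above (subset).
REPORT_HASHES = {
    "dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95": "svchostt.exe",
    "02d420c8ec7f6f944d053373e788f734b0a9a7b6c6d3bb07ade5a9728ed038af": "svhost.exe",
    "2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c": "medusa_stealer.x86",
    "87b5ba7da8aa64721baca0421a01e01bb1f1ca8a2f73daa3ca2f5857e353c182": "medusa_stealer.sh",
}
# File names from the table; a name match alone is low confidence.
REPORT_FILENAMES = {"svchostt.exe", "svhost.exe", "medusa_stealer.sh", "medusa_stealer.x86", "clientv2.py"}
REPORT_NETWORK = ["hxxp://45.145.167[.]117/medusa_stealer.sh", "jellyfish-stealer[.]cc"]


def refang(ioc):
    """Undo common defanging (hxxp, [.], (.), [:], ' dot ') so the value can be
    loaded into a blocklist or SIEM. Never pass the result to a browser or fetcher."""
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), ioc, flags=re.I)
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", ".", s)
    return s.replace("[:]", ":").replace("[@]", "@")


def defang(ioc):
    """Defang the scheme and host part only, for safe inclusion in reports."""
    scheme, host, rest = re.match(r"^(https?://)?([^/]+)(.*)$", ioc, flags=re.I).groups()
    scheme = (scheme or "").lower().replace("tt", "xx")
    return scheme + host.replace(".", "[.]") + rest


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=REPORT_HASHES, names=REPORT_FILENAMES):
    """Walk `root`; return one dict per file matching a known hash (high confidence)
    or a known file name (low confidence, the name is trivially changed)."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        hash_hit = digest in hashes
        name_hit = p.name.lower() in names
        if hash_hit or name_hit:
            hits.append({"path": str(p), "sha256": digest,
                         "confidence": "high" if hash_hit else "low",
                         "matched": hashes.get(digest) or p.name})
    return hits


def run_demo():
    """Constructed tree: one look-alike file name, one file whose hash is added to the
    IoC set to simulate a true hash hit, and one benign file."""
    root = Path(tempfile.mkdtemp(prefix="medusa_ioc_demo_"))
    (root / "AppData" / "Roaming").mkdir(parents=True)
    (root / "AppData" / "Roaming" / "svchostt.exe").write_bytes(b"constructed, not the real sample")
    (root / "tmp").mkdir()
    (root / "tmp" / "payload.bin").write_bytes(b"constructed payload bytes")
    (root / "notes.txt").write_bytes(b"benign")
    iocs = dict(REPORT_HASHES)
    iocs[hashlib.sha256(b"constructed payload bytes").hexdigest()] = "simulated hash hit"
    return sweep(root, iocs)


if __name__ == "__main__":
    print([refang(x) for x in REPORT_NETWORK])
    for hit in run_demo():
        print(hit["confidence"], hit["matched"], hit["path"])
```

Hash matches are exact and therefore miss recompiled or repacked builds, which is why the sweep also reports the file names even though they are weak evidence on their own; treat a low-confidence hit under a user profile path as a prompt to pull the file for analysis, not as a verdict.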
References
- Heimdall by ISH Tecnologia
- Information about MedusaLocker, Bleeping Computer
- Information about the Medusa Ransomware, Bleeping Computer
- Medusa Botnet based on Mirai, Cyble