
Medusa Ransomware Group Takes Ownership for Cyber-attack on Canadian Psychological Association


The Canadian Psychological Association (CPA), the main professional body for psychologists in Canada, is reported to have been the target of a cyberattack by the infamous Medusa ransomware group.

The incident highlights the growing risk posed by threat actors who extort organizations with stolen confidential data. The CPA, founded in 1939 and registered under the Canada Corporations Act in May 1950, is currently dealing with the fallout from this breach.

The cyberattack on the Canadian Psychological Association

Medusa, an infamous cyber threat actor, claimed responsibility for the CPA attack. On its dark web leak site, "MEDUSA BLOG," the gang published details of the Canadian Psychological Association data breach alongside a countdown timer intended to increase the pressure on the victim.

The gang has issued deadlines, demanding $10,000 to postpone the release of the stolen data by one day and a much larger $200,000 to delete the data completely, which may then be retrieved again.

The CPA has yet to publish an official comment or statement in response to the Canadian Psychological Association data leak.

Victims of Medusa Ransomware group

This cyberattack on the CPA is not an isolated incident. The Minneapolis Public School (MPS) District suffered a massive ransomware attack in which highly sensitive data about children and teachers, including abuse complaints and psychological reports, was published on the internet.

MPS declined to pay the $1 million ransom and successfully restored its encrypted systems from backups. The Medusa gang, however, had not only encrypted the data but also exfiltrated its own copy, which it then published on the web and promoted via links on a Telegram channel.

Let’s try to understand MedusaLocker ransomware

MedusaLocker ransomware was discovered in September 2019 and mostly attacks Windows devices via spam email. The malware has unusual characteristics, such as rebooting into safe mode before acting and encrypting files. Depending on the version, it uses BAT files or PowerShell. Because of changes made in the current edition, the infected machine may experience problems at boot-up.

After initial access, MedusaLocker spreads across a network by launching a PowerShell script via a batch file. It disables security and forensic applications, restarts the machine in safe mode to evade detection, and then encrypts files with AES-256. In addition, it disables start-up recovery, deletes local backups, and drops a ransom note in every folder containing encrypted data.
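As an added example that is not part of the original post, the behaviour chain described above can be turned into a simple detection run over process-creation telemetry. The log format, hostnames and command lines below are constructed for illustration, and the `cmd.exe` to `powershell.exe` parent-child check and the `bcdedit`, `vssadmin` and `wbadmin` patterns are assumptions about how each stage typically shows up in logs, not details taken from the post.

```python
import re
from collections import defaultdict

# One regex per stage of the described chain. These command-line patterns are
# assumptions about how each stage typically appears in process telemetry.
STAGE_RULES = {
    "safe_mode_reboot": re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I),
    "startup_recovery_off": re.compile(
        r"\bbcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "local_backups_removed": re.compile(
        r"\bvssadmin\b.*delete\s+shadows|\bwbadmin\b.*delete\s+catalog", re.I),
    "service_stopped": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I),
}

def parse_line(line):
    """Constructed log format: host|parent_image|image|command_line."""
    host, parent, image, cmd = line.split("|", 3)
    return host, parent.lower(), image.lower(), cmd

def stages_for(parent, image, cmd):
    """Return the set of chain stages a single process event matches."""
    hits = set()
    # Stage 1 of the chain: a batch file (cmd.exe) hands off to PowerShell.
    if parent.endswith("cmd.exe") and image.endswith("powershell.exe"):
        hits.add("powershell_from_batch")
    for name, rx in STAGE_RULES.items():
        if rx.search(cmd):
            hits.add(name)
    return hits

def analyze(log_text):
    """Return {host: sorted list of distinct stages seen on that host}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            host, parent, image, cmd = parse_line(line)
            seen[host] |= stages_for(parent, image, cmd)
    return {h: sorted(s) for h, s in seen.items()}

def flagged_hosts(log_text, min_stages=3):
    """Hosts showing several distinct stages; one stage alone (for example an
    admin listing shadow copies) is deliberately not enough to alert."""
    return sorted(h for h, s in analyze(log_text).items() if len(s) >= min_stages)

# Constructed sample telemetry: WS01 shows the chain, WS02 shows benign admin use.
SAMPLE_LOG = r"""
WS01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\run.bat
WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -f C:\Users\Public\run.ps1
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} safeboot network
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
WS02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
WS02|C:\Windows\System32\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_LOG))  # ['WS01']
```

Requiring several stages per host keeps routine administration, such as listing shadow copies, from raising an alert on its own.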

Auckland Transport Suffers Another Ransomware Attack, Mobile App and Website Affected


The official website of Auckland Transport has suffered another cyberattack, with its mobile app and live departure displays also affected.

A spokesperson for Auckland Transport (AT) said they believed this attack was in fact linked to the most recent one, in which a ransomware gang known as Medusa demanded a US $1 million ransom and threatened to post AT's data online if it was not paid.

“The current issue is a malicious attempt to disrupt the traffic to our website, by overwhelming it with a flood of internet traffic - a distributed denial-of-service attack,” the spokesperson stated. “Customers are experiencing intermittent issues accessing our website, AT Mobile App, AT Park, Journey Planner and public information displays […] We are working to maintain security and access to our website but anticipate these issues unfortunately may be ongoing for some time.”

AT further confirmed that it is “confident” that no customer data or financial details have been stolen.

Medusa's Attack on AT

AT was attacked by the Medusa ransomware gang on September 14. Dean Klimpton, the CEO of AT, responded to a Herald report on Medusa's attack in which the attackers had threatened to post AT data on the dark web if a US$1 million ($1.7 million) ransom was not paid.

“AT is aware that Medusa has publicly announced a ransom for data,” Klimpton said. “We have no interest in engaging with this illegal and malicious activity,” he added.

Klimpton further noted that there is a sign indicating that personal or financial data was compromised in the September attack.

DDoS Attack

A distributed denial of service (DDoS) attack involves an army of bots that try to access a website simultaneously, overwhelming it and rendering it inaccessible to regular users. Cybersecurity professionals have compared it to sheep blocking a country road: users are blocked, but no data is at risk.

The DDoS attack this afternoon is Medusa's retaliation for AT's refusal to pay the ransom; it poses no threat to any data.

AT’s app also suffered an outage earlier this morning, but AT says this was an ordinary glitch unrelated to the cyberattack. According to Brett Callow, a threat analyst with the New Zealand-based security company Emsisoft, Medusa launched a DDoS attack on August 14 against Levare International, a company that produces prosthetic limbs in Dubai.

Though Medusa originally appeared in 2021, it was not until this year that the ransomware group made headlines.

According to Callow, the group has taken credit for attacks on the Minneapolis Public School System, Tonga Communications, and the Crown Princess Mary Cancer Centre in Australia; the Minneapolis attack resulted in the release of private student and teacher records.

Ransomware gangs are often based in Eastern Europe or Russia, where technical skills are combined with authorities that are frequently unwilling to cooperate with Western agencies. The location of this gang's base of operations is currently unknown.

Critical Financial Institutions Under Siege: Argentina's Securities Commission Hit by Medusa Ransomware

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to healthcare providers in a new analyst note on MedusaLocker ransomware, the latest variant being used to encrypt healthcare systems.

Interestingly, although the Medusa operation launched in June 2021, it showed a relatively low level of activity with few victims. The gang stepped up its activity in 2023 and launched a leak site called the Medusa Blog, used to publish the data of victims who refuse to pay the ransom.

MedusaLocker ranks below some of the more widely known ransomware variants, such as Royal and Clop, which have recently been used against healthcare systems. Nonetheless, it is capable of causing significant damage if left unattended for a long period.

The MedusaLocker ransomware program was first detected in September 2019, and since then healthcare has become one of its primary targets. In particular, the group was able to infiltrate systems by taking advantage of the confusion surrounding the COVID-19 pandemic. The group operates on a ransomware-as-a-service (RaaS) model, providing the ransomware to its affiliates.

A major ransomware attack hit the National Securities Commission (CNV) last Wednesday, resulting in a $100,000 loss. In this case, Medusa gained access to computers on the agency's network, which hosted thousands of documents and databases, and the group obtained them. In a statement released Sunday afternoon, authorities said the breach had been contained.

The hackers stated that if they did not receive a payment of US$500,000 within a week, they would release 1.5 terabytes of confidential financial information to the public. According to a press release issued by the CNV, the ransomware attack was effectively "isolated and contained," and the agency said it had prevented the malware from reaching any other computers within the organization.

Medusa has compromised several government computers, according to the CNV press release, and various government websites have been taken down. The release stated that "the acting protocol helped isolate the computers from anyone outside of the organization."

After claiming responsibility for an attack on Minneapolis Public Schools (MPS) this week, Medusa drew media attention by sharing a video showing data stolen from the district.

The press release states that the CNV intends to press charges so that the justice system can investigate what caused the attack and who was responsible.

A ransomware attack occurs when a program designed to encrypt files is run on the victim's machine. Once the files are encrypted, the attacker demands a ransom from the victim in exchange for the key to unlock them.

First surfacing in June 2021, Medusa ransomware has quickly expanded to target corporations, often demanding ransoms ranging from $10,000 to $1,000,000. The hackers have created a blog where they publish the data of victims who refuse to pay the ransom, making it available to the wider hacker community.

The group threatened to release the stolen CNV information on that platform unless it received US$500,000 from the agency within a week of the theft.

Despite the devastating damage caused by the ransomware attack on Argentina's Securities Commission on Tuesday, authorities have managed to contain the breach and prevent any further spread of the malware. The hackers behind Medusa have demanded a ransom of $500,000, threatening that if they do not receive it, 1.5 terabytes of financial information will be released publicly.

The commission has taken immediate steps to isolate and protect its systems, and it is also laying the groundwork for legal action to identify the perpetrators and bring them to justice. Critical financial institutions need to strengthen their cybersecurity measures to counter the growing threat of ransomware attacks and to prevent data breaches in the near future.