Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Medusa Ransomware. Show all posts
Ransomwares
CISA & FBI CISA advisory Cyber Attacks Malwares Medusa Attacks Medusa Ransomware RaaS ransomware attacks ransomware-as-a-service (RaaS) Ransomwares

Medusa Ransomware Attacks: CISA, FBI, and MS-ISAC Issue #StopRansomware Advisory

 

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware. 

Medusa, a ransomware-as-a-service (RaaS) variant, was first detected in 2021 and has since targeted over 300 victims across multiple critical infrastructure sectors. Industries such as healthcare, law, education, insurance, technology, and manufacturing have been particularly affected, highlighting the wide reach and severity of the ransomware’s impact. Medusa initially operated as a closed ransomware variant, meaning its developers had full control over its deployment and operations. 

Over time, it transitioned to an affiliate-based model, allowing external cybercriminals to use the ransomware while keeping certain aspects, such as ransom negotiations, under the control of the original developers. This shift has allowed Medusa to expand its reach, increasing its effectiveness as a cyber threat. Medusa demands ransoms ranging from $100,000 to as much as $15 million. 

Like many modern ransomware variants, it employs double extortion tactics—stealing sensitive data before encrypting victim networks. This strategy puts additional pressure on victims, as attackers can threaten to leak or sell stolen data if the ransom is not paid. Cybersecurity researchers from Symantec’s Threat Hunter team recently reported a rise in Medusa-related attacks over the past year. 

Medusa’s developers use initial access brokers (IABs) to gain entry into victim networks. These brokers operate within cybercriminal forums and marketplaces, selling access to compromised systems for amounts ranging from $100 to $1 million. Medusa affiliates rely on phishing campaigns and vulnerability exploitation to gain initial access, making it crucial for organizations to bolster their email security and patch known vulnerabilities. Once inside a system, Medusa operators use “living-off-the-land” (LotL) techniques, leveraging legitimate system tools to evade detection while conducting reconnaissance, data theft, and lateral movement.

Given Medusa’s evolving tactics, cybersecurity experts stress the importance of proactive defense measures. Organizations should deploy security patches, implement network segmentation, and restrict access to critical services from untrusted sources. Dan Lattimer, area vice president for Semperis in the UK and Ireland, emphasized the need for an “assumed breach” mindset, urging companies to shift from a prevention-focused approach to rapid detection, response, and recovery. 

As ransomware attacks grow more sophisticated, organizations must remain vigilant, continuously updating their cybersecurity strategies to mitigate risks and strengthen their defenses against threats like Medusa.
Read more »
Ransomware
CSA cyber attack Cyber Attacks Dark Web Medusa Ransomware Ransomware

Medusa Ransomware Group Takes Ownership for Cyber-attack on Canadian Psychological Association

Medusa ransomware

The Canadian Psychological Association (CPA), the main official body for psychologists in Canada, is said to have been the target of a cyberattack by the infamous Medusa ransomware group. 

The recent incident points out the rising risk posed by threat actors demanding confidential data from enterprises. The CPA, founded in 1939 and registered under the Canada Corporations Act in May 1950, is currently dealing with the fallout from this breach.

The cyberattack on the Canadian Psychological Association

Medusa, an infamous cyber threat actor, took involvement in the CPA attack. On its dark web channel, "MEDUSA BLOG," the gang released details of the Canadian Psychological Association data breach, adding a countdown timer to put heat to the situation at hand. 

They have issued deadlines, seeking $10,000 to postpone the release of hacked info for another day, and a whopping $200,000 to completely delete the data, which may then be retrieved again.

The CPA has yet to publish an official comment or statement in response to the Canadian Psychological Association data leak.

Victims of Medusa Ransomware group

This cyberattack on the CPA is not a single incident. The Minneapolis Public School (MPS) District suffered a massive ransomware attack. In this instance, highly sensitive data regarding children and teachers was revealed on the internet, including complaints of abuse and psychological reports.

MPS initially declined to pay a $1 million ransom, and their encrypted systems were successfully restored using backups. The Medusa hacker gang, on the other hand, had not only encrypted the data but also exfiltrated their own copy, which they then published on the web and promoted via links on a Telegram channel.

Let’s try to understand MedusaLocker ransomware

MedusaLocker Ransomware was discovered in September 2019 and mostly attacks Windows devices via SPAM. This malware has unusual characteristics, such as booting into safe mode before action and file encryption. Depending on the version, it uses BAT files or PowerShell. Due to changes made by the current edition, the infected machine may suffer issues at boot-up.

After initial access, MedusaLocker grows over a network by launching a PowerShell script via a batch file. It deactivates security and forensic applications, restarts the machine in safe mode to avoid getting caught, and then locks files with AES-256 encryption. In addition, it disables start-up recovery, disables local backups, and leaves a ransom notice in every folder holding compromised data.

Read more »
Medusa Ransomware
AT Auckland Transport Auckland Transport attack Cyber Attacks DDOS Attack Medusa Attacks Medusa Ransomware

Auckland Transport Suffers Another Ransomware Attack, Mobile App and Website Affected


Official website of Auckland Transport has suffered another cyberattack where their mobile app and live departure displays have been compromised. 

The spokesperson for Auckland Transport (AT) said they believed this attack was is in fact linked to the most recent one, in which a ransomware gang known as Medusa demanded a US $1 million ransom and threatened to post AT's data online if it was not paid.

“The current issue is a malicious attempt to disrupt the traffic to our website, by overwhelming it with a flood of internet traffic - a distributed denial-of-service attack,” the spokesperson stated. “Customers are experiencing intermittent issues accessing our website, AT Mobile App, AT Park, Journey Planner and public information displays[…]We are working to maintain security and access to our website but anticipate these issues unfortunately may be ongoing for some time.”

AT further confirmed that it is “confident” that no customer data or financial details have been stolen.

Medusa's Attack on AT

AT was attacked by the Medusa ransomware gang on September 14. Dean Klimpton, the CEO of AT, responded to a Herald report on Medusa's attack where the attackers had threatened to post AT data on the dark web if a US$1 million ($1.7 million) ransom was not paid. 

“AT is aware that Medusa has publicly announced a ransom for data,” Klimpton said. “We have no interest in engaging with this illegal and malicious activity,” he added.

Klimpton further notes that there is a sign indicating that personal or financial data has been compromised in the September attack.

DDoS Attack

A distributed denial of service (DDoS) attack involves an army of bots that gain access to a website simultaneously, preventing ordinary users from accessing it. 

A distributed denial of service (DDoS) attack involves an army of bots that try to access a website simultaneously, overwhelming it and rendering it inaccessible to regular users. Cybersecurity professionals compared it to sheep blocking a country road. Users are blocked, but no data is at risk.

The DDoS attack this afternoon is Medusa's vengeful response to AT's unwillingness to pay the cyber ransom; it poses no harm to any data.

Also, AT’s app suffered an outage earlier this morning, however AT claims that it was just a regular glitch that was not related to the cyberattack.  According to Brett Callow, a threat analyst with the New Zealand-based security company Emsisoft, on August 14 Medusa launched a DDoS attack against Levare International. This company produces prosthetic limbs in Dubai.

Though Medusa originally appeared in 2021, it was not until this year that the ransomware group made headlines.

According to Callow, the organization has taken credit for assaults against the Minneapolis Public School System, Tonga Communications, and the Crown Princess Mary Cancer Centre in Australia, which resulted in the release of private student and teacher records.

Ransomware gangs are often situated in Eastern Europe or Russia due to a combination of computer skills and authorities that are frequently unwilling to cooperate with Western agencies. The location of the gang's base of operations is currently unknown.  

Read more »
Medusa Ransomware
CNV Cyber Security Cyberattacks CyberCrime Financial Institutions Medusa Ransomware

Critical Financial Institutions Under Siege: Argentina's Securities Commission Hit by Medusa Ransomware

 


 
The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to healthcare providers in its new analyst note regarding the MedusaLocker ransomware, the latest variant used to encrypt healthcare systems. 

Interestingly, while the Medusa operation was launched in June 2021, a relatively low level of activity was observed, with not many victims. However, the ransomware gang increased its activity in 2023 and launched a blog called the Medusa Blog. This blog was designed to help victims who refused to pay the ransom.

MedusaLocker must rank under some of the more widely known ransomware variants, such as Royal and Clop. These variants have recently been used against healthcare systems. The system, as it stands, is capable of causing significant damage if left unattended for a long period. 

The MedusaLocker ransomware program was first detected in September 2019 and since then it has become one of the primary targets of healthcare. In particular, the group was able to infiltrate systems by taking advantage of confusion over the COVID-19 pandemic. As a managed service provider, the company provides ransomware as a service (RaaS) to its customers. 

There was a huge ransomware attack on the National Securities Commission last Wednesday, resulting in a $100,000 loss. In this case, Medusa gained access to computers on the agency's network. The agency's systems hosted thousands of documents and databases and the hacking group obtained them. In a statement released Sunday afternoon, authorities said the breach was contained. 

The hackers stated that if they did not receive a payment of US$500,000 within a week, they would release 1.5 terabytes of confidential financial information to the public. According to a press release issued by the CNV, the ransomware attack was effectively "isolated and contained" as the public health agency stated that it had prevented the virus from harming any other computers within the organization. 

Medusa has captured several government computers, according to a press release sent out by CNV. In addition, various government websites have been taken down. A report in the publication stated that "the acting protocol helped isolate the computers from anyone outside of the organization." 

After claiming responsibility for an attack on Minneapolis Public Schools (MPS) this week, Medusa was reported to have garnered media attention after sharing a video showing stolen data that had been stolen from the district. 

Even though the CNV intends to press charges for the justice system to investigate what caused the attack and who was responsible, the press release states that they intend to press charges. 

A ransomware attack occurs when a computer runs programs designed to encrypt files on the victim's machine. As a result of the attack, the files are encrypted, and the attacker asks the victim to pay a ransom in exchange for the key to unlock them.  

First surfacing in June 2021, Medusa ransomware has quickly expanded to target corporations, often demanding ransoms ranging from $10,000 to $1,000,000, and started targeting many companies. Hackers have created a blog where they publish the data of victims who refuse to pay the ransom so that the hacker community can learn about it.

Upon receiving US$500,000 from the agency within a week of the theft, the group threatened to release the stolen CNV information on the platform. 

Despite the devastating damage caused by a ransomware attack on Argentina's Securities Commission on Tuesday, authorities have managed to contain the breach, prevent further proliferation of the malware, and contain any further spread of the infection. A ransom demand of $500,000 has been put forth by the hackers behind Medusa, threatening that if they do not receive their demand, 1.5 terabytes of financial information will be released publicly. 

There have been immediate steps taken by the commission to isolate and protect the system, but they are also laying the groundwork for legal action to identify the perpetrators and bring them to justice. A critical financial institution's cyber security measures need to be heightened to combat the increasing threat of ransomware attacks and to prevent data breaches shortly.
Read more »
Subscribe to: Posts (Atom)