Security researchers have successfully unmasked the true location of the Medusa Locker ransomware group’s infrastructure by exploiting a high-severity vulnerability in their blog platform.
The team was able to bypass Tor anonymization protections to reveal the actual IP address of servers hosting the group’s extortion site and negotiation portal.
According to Covsec, analysis of the exposed infrastructure confirms the server is physically located in Saint Petersburg, Russia, and is hosted by Selectel, one of Russia’s largest hosting providers.
Selectel has gained notoriety in cybersecurity circles for its cryptocurrency-friendly payment options, accepting both Bitcoin and Litecoin, which makes it attractive to threat actors seeking operational anonymity.
Technical Exploitation Reveals Critical OPSEC Failure
The de-anonymization was made possible through a sophisticated exploitation of vulnerabilities in the blog platform used by the Medusa operation.
By successfully escalating privileges within the compromised system, researchers were able to extract server information that revealed the true hosting location behind the Tor hidden service.
This represents a significant operational security failure for Medusa Locker, a ransomware group that has been actively targeting organizations since 2019.
The group has conducted hundreds of documented attacks with particular focus on high-value sectors including healthcare, education, and manufacturing.

The discovery provides rare insight into the technical infrastructure supporting major ransomware operations.
Typically, such groups employ multiple layers of anonymization technology to conceal their actual hosting locations, with Tor hidden services being a primary method to mask their true network addresses.
According to the report, Medusa Locker operates using the double extortion model that has become standard among ransomware groups, maintaining a dedicated leak site on the Tor network where it publishes data exfiltrated from victims who refuse to pay ransom demands.
This tactic applies additional pressure by threatening reputational damage alongside the operational impact of encrypted systems.
The identification of Russian hosting infrastructure adds further evidence to the growing body of research suggesting many major ransomware operations have connections to Russian territory, where they often operate with relative impunity from law enforcement action.
This research demonstrates that even sophisticated threat actors can make critical mistakes in their operational security, potentially exposing themselves to identification and disruption by security researchers and law enforcement agencies.