The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands.
"As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News.
"All of these options have a price tag depending on the organization impacted by this group."
Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It is known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail.
As many as 74 organizations, mostly in the U.S., the U.K., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.
Ransomware attacks orchestrated by the group begin with the exploitation of internet-facing assets or applications with known unpatched vulnerabilities and the hijacking of legitimate accounts, often relying on initial access brokers to obtain a foothold in target networks.
In one instance observed by the cybersecurity firm, a Microsoft Exchange Server was exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software.
A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and evade detection. Also observed is the use of a pair of kernel drivers to terminate a hard-coded list of security products.
The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files except for those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).
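The intrusion chain described above (web shell under the Exchange IIS worker, an RMM installer launched from it, and a kernel driver loaded to kill security tooling) is something a detection engineer can hunt for in endpoint telemetry. The script below is an added example written for this page, not code from Unit 42 or from the ransomware itself. It uses Sysmon-style field names (EventID 1 for process creation, EventID 6 for driver load), but the events it runs over are constructed inline, and the assumption that the ConnectWise installer or binary name contains "screenconnect" or "connectwise" is the author's, not something the report states.

```python
import ntpath

# IIS worker process that hosts Exchange web endpoints (OWA, ECP, etc.).
WEB_WORKERS = {"w3wp.exe"}
# Interpreters a web shell typically spawns to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption for this example: the RMM installer/binary name contains one of these.
RMM_MARKERS = ("screenconnect", "connectwise")
# Drivers loaded from anywhere else, or unsigned, are worth a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _ancestors(ev, by_guid):
    """Yield parent, grandparent, ... by following ParentProcessGuid links."""
    seen = set()
    cur = by_guid.get(ev.get("ParentProcessGuid"))
    while cur and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        yield cur
        cur = by_guid.get(cur.get("ParentProcessGuid"))


def hunt(events):
    """Return a list of findings (rule name plus the triggering event)."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            image = _base(e["Image"])
            parent = _base(e.get("ParentImage", ""))
            # Rule 1: IIS worker spawning a shell = web shell executing commands.
            if parent in WEB_WORKERS and image in SHELLS:
                findings.append({"rule": "webshell_shell_spawn", "event": e})
            # Rule 2: RMM tooling installed anywhere beneath the IIS worker.
            hay = (image + " " + e.get("CommandLine", "")).lower()
            if any(m in hay for m in RMM_MARKERS) and any(
                _base(a["Image"]) in WEB_WORKERS for a in _ancestors(e, by_guid)
            ):
                findings.append({"rule": "rmm_install_from_webshell", "event": e})
        elif e["EventID"] == 6:
            # Rule 3: driver loaded from a user-writable path or without a signature.
            path = e["ImageLoaded"].lower()
            if not path.startswith(DRIVER_DIR) or e.get("Signed", "true").lower() != "true":
                findings.append({"rule": "suspicious_driver_load", "event": e})
    return findings


# Constructed sample telemetry (not real logs); GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"EventID": 1, "ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ProcessGuid": "G3", "ParentProcessGuid": "G2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe -c Get-ADComputer -Filter *"},
    {"EventID": 1, "ProcessGuid": "G4", "ParentProcessGuid": "G2",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /i C:\Windows\Temp\ScreenConnect.ClientSetup.msi /qn"},  # assumed file name
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\killav.sys", "Signed": "false"},   # constructed name
    {"EventID": 1, "ProcessGuid": "G5", "ParentProcessGuid": "G9",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},           # benign: user shell
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},  # benign
]


def sample_rule_hits():
    """Rule names fired by SAMPLE_EVENTS, in event order."""
    return [f["rule"] for f in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], "->", f["event"].get("CommandLine") or f["event"].get("ImageLoaded"))
```

Rule 2 walks the full ancestry rather than checking the immediate parent, because operators routinely stage the installer one or two hops away from the web shell (here msiexec under cmd under w3wp). Rule 3 is deliberately noisy on its own; in practice it is paired with the service-creation event that registers the driver and with the list of security processes that stop shortly afterwards.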
For every compromised victim, Medusa's leak site displays information about the organization, the ransom demanded, the amount of time left before the stolen data is released publicly, and the number of views, in a bid to exert pressure on the company.
The actors also offer different choices to the victim, all of which involve some form of extortion: paying to delete or download the pilfered data, or paying for a time extension to prevent the data from being released.
As ransomware continues to be a rampant threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting more brazen with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels.
"Ransomware has changed many aspects of the threat landscape, but a key recent development is its growing commoditization and professionalization," Sophos researchers said last month, calling ransomware gangs "increasingly media-savvy."
Medusa, per Unit 42, not only has a media team to seemingly handle their branding efforts, but also leverages a public Telegram channel named "information support," where files of compromised organizations are shared and can be accessed over the clearnet. The channel was set up in July 2021.
"The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape," the researchers said. "This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques."
The development comes as Arctic Wolf Labs publicized two cases in which victims of the Akira and Royal ransomware gangs were targeted by malicious third parties posing as security researchers for secondary extortion attempts.
"Threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data," security researchers Stefan Hostetler and Steven Campbell said, noting the threat actor sought about 5 bitcoin in exchange for the service.
It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country towards the end of 2023, in which a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) was exploited to breach domestic entities.