Medusa attacks Principle Cleaning Services
Incident Date: April 23, 2024
Overview
Title: Medusa attacks Principle Cleaning Services
Victim: Principle Cleaning Services
Attacker: Medusa
Location:
First Reported: April 23, 2024
The Medusa Ransomware Group Strikes Principle Cleaning Services
Background
The Medusa ransomware group has reportedly compromised Principle Cleaning Services, a provider of corporate and commercial cleaning in London. Founded in 1989, Principle Cleaning Services has been an employee-owned company since 2023. The group has demanded a ransom of $1,000,000 and claims to have exfiltrated 220.58 GB of sensitive data, including invoices, personal documents, and employees’ data. A ransom deadline of 1 May has been set.
Medusa Ransomware Group
Medusa is a Ransomware-as-a-Service (RaaS) operation that emerged in the summer of 2021 and has become one of the more active RaaS platforms. The group's attack volume was inconsistent in the first half of 2023 but resurged in the second half of the year. Medusa employs several tactics to hinder detection and recovery, such as restarting infected machines in safe mode, deleting local backups, disabling startup recovery options, and deleting VSS shadow copies so that encrypted files cannot be rolled back.
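As an added illustration (not code from the RRA site or from any Medusa sample), the detection logic a defender could run over process-creation telemetry to flag the recovery-tampering behaviours listed above; the `host|user|command_line` record format, the host names and the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Command-line patterns for the recovery-tampering behaviours named in the
# write-up, as a defender would match them in process-creation telemetry
# (Sysmon Event ID 1 or Windows Security 4688). Matched case-insensitively.
RECOVERY_TAMPER_RULES = {
    "vss_shadow_deletion": r"(vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete)",
    "safe_mode_reboot": r"bcdedit\S*.*\bsafeboot\b",
    "startup_recovery_disabled": r"bcdedit\S*.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "local_backup_deletion": r"wbadmin\S*\s+delete\s+(catalog|backup|systemstatebackup)",
}
_COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in RECOVERY_TAMPER_RULES.items()}

def classify_command_line(cmd):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in _COMPILED.items() if rx.search(cmd)]

def scan_process_log(lines):
    """Parse 'host|user|command_line' records; return {host: [(rule, cmd), ...]}.

    Only hosts with at least one hit appear. Malformed records are skipped so
    one bad line cannot abort the whole scan."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        host, _user, cmd = parts
        for rule in classify_command_line(cmd):
            hits[host].append((rule, cmd.strip()))
    return dict(hits)

# Constructed sample records (not real telemetry). WS02 carries benign
# look-alikes that must NOT fire: a normal service host process and a
# read-only 'vssadmin list' query.
SAMPLE_LOG = [
    "WS01|corp\\alice|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "WS01|corp\\alice|bcdedit /set {default} recoveryenabled No",
    "WS01|corp\\alice|bcdedit /set {default} safeboot network",
    "WS02|corp\\bob|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "WS02|corp\\bob|vssadmin list shadows",
]

if __name__ == "__main__":
    for host, events in scan_process_log(SAMPLE_LOG).items():
        for rule, cmd in events:
            print(f"{host}: {rule} <- {cmd}")
```

In a real deployment the rules would be fed from the SIEM's process-creation events rather than a list, and any single hit on a host is worth an alert because these commands are rarely run interactively by staff.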
Recent Activity
In the latter part of 2022, Medusa intensified its attacks and remained active in the first quarter of 2023. However, the group's activity seems to have decreased in the second quarter. Medusa typically demands ransoms in the millions of dollars, with the amount varying based on the target organization's financial capacity.
Modus Operandi
Medusa typically infiltrates victim networks through malicious email attachments (macro-enabled documents), torrent websites, or malicious advertising libraries. Its payload can terminate over 280 Windows services and processes and does so without requiring any command-line arguments. Whether a Linux variant exists is currently unclear. Medusa targets a range of industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations. The group also runs a double extortion scheme, exfiltrating data before encrypting it. Medusa is less generous with its affiliates than some rival operations, offering them at most 60% of any ransom paid.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups, and their victims. Given threat actors' sustained and lucrative success so far, ransomware has become the most widespread cyber threat to businesses and organizations today, and among the most damaging financially and in terms of data loss.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.