Medusa attacks Ted Brown Music
The Rise of Medusa Ransomware Gang
Background
The Medusa ransomware gang has recently targeted Ted Brown Music, a family-owned music store established in 1931. The attackers have exfiltrated 29.4GB of data and are demanding a ransom within seven days, threatening to publish the information if not paid.
Modus Operandi
Medusa, a Ransomware-as-a-Service (RaaS) operation, emerged in the summer of 2021 and has become increasingly active. The group employs tactics such as rebooting infected machines into safe mode, where most endpoint security software does not load, before encrypting; deleting backups; and disabling Windows recovery options so that victims cannot restore encrypted files without paying.
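The three tactics above (safe-mode boot, backup deletion, recovery disabled) all leave a footprint in process-creation telemetry, and together they are a strong pre-encryption signal. The following detection logic is an added example written for this page, not Halcyon's tooling or anything taken from the Medusa payload. The page does not state which commands Medusa runs; the patterns below are the common Windows commands that implement each tactic (an assumption). The log lines are constructed, Sysmon Event ID 1 style, reduced to a pipe-separated timestamp, host, user and command line.

```python
"""Flag hosts showing ransomware inhibit-recovery tactics in process-creation logs.

Added example for this page (not Halcyon's or Medusa's code). Command patterns are
an assumption: the usual Windows commands for each tactic, not Medusa-specific IOCs.
"""
import re
from datetime import datetime, timedelta

# tactic name -> regex over the process command line (case-insensitive)
RULES = {
    "safe_mode_boot": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
}

# Constructed sample telemetry: one workstation running the full sequence in a few
# minutes, a backup server doing a routine single shadow-copy prune, and a benign
# bcdedit query. Format: ISO timestamp | host | user | command line.
LOGS = """\
2024-03-11T02:14:03Z|WS-ACCT-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe /c bcdedit /set {default} safeboot minimal
2024-03-11T02:14:05Z|WS-ACCT-07|CORP\\jdoe|vssadmin.exe delete shadows /all /quiet
2024-03-11T02:14:06Z|WS-ACCT-07|CORP\\jdoe|wbadmin delete catalog -quiet
2024-03-11T02:14:07Z|WS-ACCT-07|CORP\\jdoe|bcdedit /set {default} recoveryenabled no
2024-03-11T09:30:12Z|SRV-BKP-01|CORP\\svc_backup|vssadmin delete shadows /for=D: /oldest
2024-03-11T09:31:00Z|WS-DEV-02|CORP\\alice|bcdedit /enum
"""


def parse(line):
    """Split one log line into a dict with a datetime timestamp."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd}


def scan(log_text):
    """Return one hit per (event, matching tactic) as dicts carrying the tactic name."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        for tactic, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append({**ev, "tactic": tactic})
    return hits


def tactics_by_host(hits):
    """Map host -> set of distinct tactics observed on it."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["tactic"])
    return out


def staging_hosts(hits, window=timedelta(minutes=15), min_tactics=2):
    """Hosts with >= min_tactics distinct tactics inside any `window`-long span.

    A lone shadow-copy deletion is often legitimate admin or backup-software
    activity; several of these tactics on one host within minutes is the
    pre-encryption pattern described above, so only that combination is flagged.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            tactics = {e["tactic"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(tactics) >= min_tactics:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = scan(LOGS)
    for h in found:
        print(f"{h['ts'].isoformat()} {h['host']} {h['tactic']}: {h['cmd']}")
    print("likely ransomware staging:", staging_hosts(found))
```

The per-host correlation is the part worth keeping: alerting on every `vssadmin delete shadows` on its own produces noise from backup jobs (the SRV-BKP-01 line above), while the workstation that chains safe-mode boot, shadow-copy deletion, catalog deletion and recovery disablement within seconds is the host to isolate before encryption starts.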
Attack Trends
While attack volumes were inconsistent in the first half of 2023, activity surged in the second half of the year. Medusa has targeted a range of industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations. The group typically demands ransoms in the millions of dollars, sized to the victim's perceived ability to pay.
Double Extortion Scheme
Medusa runs a double extortion scheme: data is exfiltrated before encryption, so a victim that restores from backups can still be pressured with the threat of publication. Its affiliate payout is comparatively low, with affiliates receiving at most 60% of any ransom paid.
Prevention Measures
To protect against Medusa and similar threats, organizations should be vigilant against malicious email attachments, pirated software from torrent sites, and malvertising delivered through ad libraries. Because the group deletes accessible backups and disables recovery options before encrypting, backups must be kept offline or immutable and restore procedures tested regularly; robust endpoint and network security controls remain essential to reducing the risk of ransomware attacks.