Full Report
U.S. agencies have released a collaborative cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs), indicators of compromise... The post US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Medusa Ransomware Campaign Analysis
## Executive Summary
This report summarizes the activities of the Medusa Ransomware-as-a-Service (RaaS) operation, first detected in June 2021 and actively targeting critical infrastructure sectors through February 2025, impacting over 300 victims. Attackers utilize initial access brokers (IABs) to gain entry, often via phishing or exploiting unpatched vulnerabilities (like ScreenConnect and Fortinet EMS), and employ a double extortion model involving encryption and data exfiltration. The joint response from U.S. agencies provided comprehensive advisories outlining TTPs and mitigation strategies focusing on hardening remote access and improving recovery capabilities.
## Incident Details
- **Discovery Date:** June 2021 (First detection, ongoing monitoring since)
- **Incident Date:** 2021 to Present (Active campaigning)
- **Affected Organization:** Over 300 victims disclosed as of Feb 2025
- **Sector:** Medical, Education, Law, Insurance, Technology, Manufacturing, Critical Infrastructure
- **Geography:** Not explicitly limited, but US agencies issued the advisory.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since 2021
- **Vector:** Initial Access Brokers (IABs) contracted by developers.
- **Details:** Phishing campaigns and exploitation of unpatched software vulnerabilities (e.g., ScreenConnect, Fortinet EMS SQL Injection).
### Lateral Movement
- **Details:** Attackers use legitimate remote access tools (AnyDesk, Atera, ConnectWise, Splashtop, etc.) combined with RDP and PsExec to traverse the network. Initial enumeration uses LOTL tools like Advanced IP Scanner and SoftPerfect Network Scanner, followed by PowerShell, cmd.exe, and WMI for deeper discovery.
### Data Exfiltration/Impact
- **Details:** The group employs a double extortion model: data is encrypted, and exfiltrated data is held hostage with threats of public release. Ransom demands have exceeded $40 million cumulatively, with many individual demands surpassing $1 million in 2024.
### Detection & Response
- **Details:** Incidents were tracked and analyzed collaboratively by CISA, FBI, and MS-ISAC, culminating in a joint cybersecurity advisory detailing TTPs and IOCs. Response focuses on implementing CISA Cross-Sector Cybersecurity Performance Goals (CPGs).
## Attack Methodology
- **Initial Access:** Phishing, Exploiting CVEs (ScreenConnect, Fortinet EMS).
- **Persistence:** Use of legitimate remote access tools tailored to the victim environment to maintain a foothold.
- **Privilege Escalation:** Not explicitly detailed, but implied through standard lateral movement techniques.
- **Defense Evasion:** Use of legitimate/common remote access software (AnyDesk, Atera) and Living Off The Land (LOTL) binaries/scripts. Disabling Windows Defender and other antivirus services.
- **Credential Access:** Accomplished primarily through phishing campaigns targeting victim credentials.
- **Discovery:** Network/system enumeration using Advanced IP Scanner, SoftPerfect Network Scanner, PowerShell, cmd.exe, and WMI. Scanned/targeted ports include FTP, SSH, Telnet, HTTP, HTTPS, SQL, RDP.
- **Lateral Movement:** Use of legitimate tools such as AnyDesk, ConnectWise, RDP, and PsExec.
- **Collection:** Network and filesystem enumeration using PowerShell and cmd.exe; Ingress Tool Transfer capabilities utilized.
- **Exfiltration:** Use of Rclone to transfer exfiltrated data to Medusa C2 servers.
- **Impact:** Encryption of files across the network using the `gaze.exe` encryptor, deployed via PsExec, PDQ Deploy, or BigFix.
## Impact Assessment
- **Financial:** Ransom demands surpassing $40 million cumulatively; some demands exceeded $1 million in 2024.
- **Data Breach:** Exfiltration of sensitive data utilized in double extortion tactics.
- **Operational:** Business disruption due to widespread file encryption.
- **Reputational:** Damage associated with public disclosure of data breaches and involvement in major ransomware incidents.
## Indicators of Compromise
*(Note: Specific network IOCs such as IP addresses and URLs from the advisory are omitted here; the indicators below are behavioral.)*
- **Network indicators:** Use of legitimate remote access software communicating externally.
- **File indicators:** Encryptor file observed: `gaze.exe`.
- **Behavioral indicators:** Unauthorized use of Rclone for data staging/exfiltration; disabling of security software (Windows Defender).
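The behavioral indicators above translate into simple process-creation triage rules. The following is an added example, not code from the advisory or the agencies: it runs a few constructed Sysmon-style events through rules for `gaze.exe`, Rclone, Defender tampering, and unapproved remote access tools. The PsExec service name (`PSEXESVC.exe`) and the product-name substrings used for matching are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"host": "fs02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe",
     "cmd": r"rclone.exe copy D:\Finance remote:staging --transfers 16"},
    {"host": "dc01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv03", "parent_image": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\Temp\gaze.exe", "cmd": "gaze.exe"},
    {"host": "ws07", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe --service"},
]

# Command-line patterns that disable Windows Defender (assumed, not from the advisory).
DEFENDER_TAMPER = re.compile(
    r"disablerealtimemonitoring|(sc|net)(\.exe)?\s+stop\s+windefend|disableantispyware", re.I)
DEPLOYERS = {"psexesvc.exe", "psexec.exe"}  # PsExec service/binary names (assumption)
REMOTE_TOOLS = ("anydesk", "atera", "connectwise", "screenconnect", "splashtop")

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events, approved_remote_tools=frozenset()):
    """Return (host, rule, severity) findings for the Medusa behaviours listed above."""
    findings = []
    for ev in events:
        host, cmd = ev["host"], ev["cmd"]
        image, parent = _base(ev["image"]), _base(ev["parent_image"])
        if image == "gaze.exe":  # encryptor, typically pushed by a deployment tool
            via = "via deployment tool" if parent in DEPLOYERS else "unknown launcher"
            findings.append((host, f"gaze.exe encryptor ({via})", "critical"))
        if image == "rclone.exe" or re.search(r"\brclone\b", cmd, re.I):
            findings.append((host, "Rclone data staging/exfiltration", "high"))
        if DEFENDER_TAMPER.search(cmd):
            findings.append((host, "Windows Defender disabled", "high"))
        tool = next((t for t in REMOTE_TOOLS if t in ev["image"].lower()), None)
        if tool and tool not in approved_remote_tools:  # legitimate tool, but not on the allowlist
            findings.append((host, f"unapproved remote access tool: {tool}", "medium"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, approved_remote_tools={"splashtop"}):
        print(finding)
```

The allowlist is the important knob: remote access software is only an indicator when it is not the tool your organization actually sanctions on that host.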
## Response Actions
- **Containment:** Not explicitly detailed, but implied through security hardening advice.
- **Eradication:** Disabling malicious remote access tools and cleaning compromised systems.
- **Recovery:** Implementing a comprehensive recovery plan, maintaining offline, immutable, and encrypted backups. Enforcement of multifactor authentication (MFA).
## Lessons Learned
- The RaaS model (Medusa Developers controlling ransom negotiation) allows for widespread, consistent, and high-impact attacks across diverse sectors.
- Initial Access Brokers (IABs) remain a critical entry point for sophisticated ransomware operators.
- Reliance on common remote administration tools creates a significant blind spot exploited by threat actors for persistence and evasion.
## Recommendations
- Require passwords that meet NIST standards and enforce multifactor authentication (MFA) on all accounts.
- Require VPNs or jump hosts for all remote access.
- Filter network traffic so that unknown or untrusted sources cannot reach internal remote services.
- Audit user accounts, enforce the principle of least privilege, and review configurations for domain controllers, servers, and workstations.
- Disable unnecessary command-line/scripting permissions where possible.
- Maintain offline, immutable, and encrypted backups with regularly tested restoration procedures.
- Proactively scan for and patch known vulnerabilities exploited by threat groups (e.g., ScreenConnect, Fortinet EMS).