Medusa Ransomware | Intel 471

Medusa Ransomware

Mar 21, 2023

Threat Description - Medusa Ransomware

Medusa Ransomware is a variant that was believed to have emerged in June 2021 and has recently become increasingly prolific. While “Medusa” has been commonly used in the names of other ransomware, malware, and botnets, it is distinct from its similarly named competitors (such as MedusaLocker). The ransomware claims to exfiltrate data from compromised organizations to perform a "double-extortion attack": a type of attack in which the threat actor not only encrypts compromised systems, but also sells or releases the exfiltrated data publicly if the ransom demand is not met. Medusa Ransomware uses a .MEDUSA file extension for files it encrypts. Medusa Ransomware is considered to be an active threat, and thus poses a significant and present risk that should be assessed and prepared for.

Threat Synopsis

Medusa Ransomware is a human-operated ransomware that was first observed in June 2021, and has recently come into the spotlight after a series of successful and high-profile attacks on corporate victims, including the Minneapolis Public School district. The group has demanded a $1 million ransom in exchange for the decryption key. Medusa Ransomware is distinct from other actors, malware, and ransomware that go by the same name, such as MedusaLocker or Medusa Botnet.

The ransomware shuts down over 280 Windows services and processes that may prevent files from being encrypted, including those for mail servers, backup servers, database servers, and security software. Medusa then deletes Windows Shadow Volume Copies to prevent them from being used to recover files. The ransomware encrypts files with AES-256 + RSA-2048 encryption using the BCrypt library, appends the .MEDUSA extension to encrypted file names, and creates a ransom note named !!!READ_ME_MEDUSA!!!.txt in each folder, containing information about what happened to the victim's files. Medusa differs from the older MedusaLocker Ransomware in several ways, including the ransom note it leaves ("!!!READ_ME_MEDUSA!!!.txt") and the file extension it uses for encrypted files (".MEDUSA").
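The file artifacts described above can be turned into a simple hunt over file-creation telemetry. The following is an added example, not code from the article or from a Threat Hunt Package: the event schema (`host`, `pid`, `path`), the sample events and the `min_dirs` threshold are assumptions made for illustration, while the note name and extension are the ones the article gives.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "!!!read_me_medusa!!!.txt"  # ransom note name given in the article
ENC_SUFFIX = ".medusa"                  # encrypted-file extension given in the article

# Constructed file-creation events; the field names are a hypothetical schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4312, "path": r"C:\Data\report.xlsx.MEDUSA"},
    {"host": "ws01", "pid": 4312, "path": r"C:\Data\!!!READ_ME_MEDUSA!!!.txt"},
    {"host": "ws01", "pid": 4312, "path": r"C:\Data\HR\plan.docx.MEDUSA"},
    {"host": "ws01", "pid": 4312, "path": r"C:\Data\HR\!!!READ_ME_MEDUSA!!!.txt"},
    {"host": "ws02", "pid": 880, "path": r"C:\Users\amy\Pictures\medusa.png"},
    {"host": "ws02", "pid": 880, "path": r"C:\Users\amy\notes\statue.medusa"},
]

def classify(path):
    """Return 'note', 'encrypted' or None; Windows names compare case-insensitively."""
    name = PureWindowsPath(path).name.lower()
    if name == NOTE_NAME:
        return "note"
    return "encrypted" if name.endswith(ENC_SUFFIX) else None

def hunt(events, min_dirs=2):
    """Flag a process that dropped the note in >= min_dirs folders and also
    wrote .MEDUSA files; a lone matching file name is not reported."""
    stats = defaultdict(lambda: {"note_dirs": set(), "encrypted": 0})
    for ev in events:
        kind = classify(ev["path"])
        if kind == "note":
            parent = str(PureWindowsPath(ev["path"]).parent).lower()
            stats[(ev["host"], ev["pid"])]["note_dirs"].add(parent)
        elif kind == "encrypted":
            stats[(ev["host"], ev["pid"])]["encrypted"] += 1
    findings = []
    for host, pid in sorted(stats):
        s = stats[(host, pid)]
        if len(s["note_dirs"]) >= min_dirs and s["encrypted"] > 0:
            findings.append({"host": host, "pid": pid,
                             "note_dirs": sorted(s["note_dirs"]),
                             "encrypted": s["encrypted"]})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Requiring the note in several folders together with .MEDUSA writes from the same process keeps a single coincidentally named file, such as the `statue.medusa` event above, from raising a finding.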

The ransomware claims to exfiltrate data from compromised organizations to perform a "double-extortion attack": a type of attack in which the threat actor not only encrypts compromised systems, but also sells or releases the exfiltrated data publicly on its leak site, "Medusa Blog", if the ransom demand is not met. Because Medusa Ransomware is a relatively new variant, and additional information about its campaign, targets, and any additional capabilities is still being discovered, Cyborg Security will be updating the Threat Hunt Packages as more information about it is released.