Medusa Ransomware: How to Prevent & Recover

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he has helped restore data after logical errors, physical failures, and ransomware attacks for individuals, businesses, and government agencies alike.


Medusa is a type of ransomware that encrypts data and appends the “.MEDUSA” extension to filenames. It was first observed in June 2021 and is considered an active threat. The Medusa ransomware gang has been targeting corporate victims worldwide with million-dollar ransom demands.

Medusa ransomware appears to operate as a Ransomware-as-a-Service (RaaS) model where developers work with global affiliates and share the profits.

In March 2023, Medusa attacked the Minneapolis school district. The gang demanded a $1 million ransom from the district to delete the data it had allegedly stolen. Since the district did not pay (which is the right course of action), the stolen data was published on the gang's darknet leak site.

What kind of malware is Medusa?

Medusa is ransomware, a type of malware that encrypts and locks the victim's files and then demands a ransom in exchange for the decryption key. It appears to be a Ransomware as a Service (RaaS) operation, which means that affiliates have their own ransom note and file extension. However, every Medusa attack works the same way to compromise the network and encrypt the data.

Medusa ransomware overview

Confirmed Name

  • MEDUSA virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • .MEDUSA

Ransom Demanding Message

  • !!!READ_ME_MEDUSA!!!.txt

Is There a Free Decryptor Available?

  • No, there’s no public decryption key for Medusa

Detection Names

  • Avast Win32:RansomX-gen [Ransom]
  • Emsisoft Gen:Heur.Ransom.REntS.Gen.1 (B)
  • Kaspersky Trojan.Win32.AntiAV.dadw
  • Malwarebytes Ransom.Medusa
  • Sophos Mal/Generic-S

Symptoms

  • Cannot open files stored on your computer
  • New file extensions
  • A ransom demand message on your desktop
  • Files renamed with random letters

Ransomware family, type & variant

  • Medusa is a Ransomware as a Service (RaaS) malware type.
  • There are several variants of the Medusa ransomware.

Distribution methods

  • Infected email attachments (phishing emails)
  • External Remote Services (RDP)
  • Torrent websites (infected links or files)
  • Malicious ads (malvertising)

Consequences

  • Locked files
  • Stolen passwords
  • Deleted shadow copy backup

Prevention

  • Antivirus and anti-malware
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Don’t open an email attachment from an unknown source
  • Do not download files from suspicious websites
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources

Medusa Tor negotiation site

  • medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion
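The two file-system indicators in the overview (the `.MEDUSA` extension and the `!!!READ_ME_MEDUSA!!!.txt` note) are enough to scope which directories or shares an infection touched. The following Python sweep is an added example, not code from the original article or from SalvageData: it walks a directory tree, collects both indicators, and reports the directories that held at least one. The `build_sample_tree` helper creates a constructed temporary directory (a zero-byte "encrypted" file and a placeholder note) so the script runs offline; real triage would point `sweep_for_medusa_indicators` at the affected share instead.

```python
import os
import tempfile
from pathlib import Path

# File-system indicators listed in the overview above.
MEDUSA_EXTENSION = ".MEDUSA"
MEDUSA_NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"


def sweep_for_medusa_indicators(root):
    """Walk `root` and collect paths matching the Medusa file indicators.

    Returns the encrypted files, the ransom notes, and the sorted set of
    directories that held at least one indicator, which is the first thing
    needed when scoping which shares or hosts were touched.
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            # Case-sensitive on purpose: the extension is appended in upper case.
            if name.endswith(MEDUSA_EXTENSION):
                encrypted.append(full_path)
            elif name == MEDUSA_NOTE_NAME:
                notes.append(full_path)
    touched = sorted({os.path.dirname(p) for p in encrypted + notes})
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "touched_directories": touched,
        "hit": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed demo data: a temp directory imitating a partly hit file share.

    Nothing here is a real sample; the 'encrypted' file is just zero bytes and
    the note contains placeholder text.
    """
    root = tempfile.mkdtemp(prefix="medusa_demo_")
    finance = Path(root, "finance")
    hr = Path(root, "hr")
    finance.mkdir()
    hr.mkdir()
    (finance / "q1_budget.xlsx.MEDUSA").write_bytes(b"\x00" * 16)
    (finance / MEDUSA_NOTE_NAME).write_text("placeholder ransom note text")
    (hr / "handbook.pdf").write_bytes(b"%PDF-1.4")  # untouched file, must not match
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = sweep_for_medusa_indicators(demo_root)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The sweep is read-only by design: it never opens, moves or deletes the files it finds, so it can be run before forensic imaging without altering evidence.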

How did Medusa infect your computer?

Medusa can enter and compromise computers and networks through weaknesses such as exposed or poorly secured RDP and phishing emails.

Spam email campaigns. This is a phishing email attack in which hackers use social engineering to deceive victims into clicking malicious links or opening attachments. After that, an exploit kit is downloaded onto the machine and the threat actors can trigger the ransomware at any moment. These emails can be targeted, when hackers intend to access a specific business, or non-targeted, when they send a mass malware spam campaign.

[Image: example of a phishing email]

Vulnerable remote service. Another way Medusa ransomware attacks happen is through unsecured external remote services. Attackers exploit Remote Desktop Protocol (RDP) endpoints whose credentials are known, reused, weak, or rephrased to gain access to businesses' networks and leak data.

Known software vulnerabilities. Hackers also use software with known vulnerabilities to attack businesses. That is why it is very important to keep all software updated and to protect remote administration tools like RDP.

Medusa ransom note

This is an example of the Medusa ransom note:

—————————–[ Hello, ********  !!! ]————————–

WHAT HAPPEND?

————————————————————

We have PENETRATE your network and COPIED data.

* We have penetrated entire network including backup system and researched all about your data.

* And we have extracted all of your important and valuable data and copied them to private cloud storage.

We have ENCRYPTED your files.

While you are reading this message, it means all of your files and data has been ENCRYPTED by world’s strongest ransomware.

All files have encrypted with new military-grade encryption algorithm and you can not decrypt your files.

But don’t worry, we can decrypt your files.

There is only one possible way to get back your computers and servers – CONTACT us via LIVE CHAT and pay for the special

MEDUSA DECRYPTOR and DECRYPTION KEYs.

This MEDUSA DECRYPTOR will restore your entire network, This will take less than 1 business day.

WHAT GUARANTEES?

—————————————————————

We can post your data to the public and send emails to your customers.

We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites.

You can suffer significant problems due disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, legal and regulatory issues.

After paying for the data breach and decryption, we guarantee that your data will never be leaked and this is also for our reputation.

YOU should be AWARE!

—————————————————————

We will speak only with an authorized person. It can be the CEO, top management, etc.

In case you ar not such a person – DON’T CONTACT US! Your decisions and action can result in serious harm to your company!

Inform your supervisors and stay calm!

If you do not contact us within 3 days, We will start publish your case to our official blog and everybody will start notice your incident!

——————–[ Official blog tor address ]——————–

Using TOR Browser(hxxps://www.torproject.org/download/):

CONTACT US!

———————-[ Your company live chat address ]—————————

Using TOR Browser(hxxps://www.torproject.org/download/):

Or Use Tox Chat Program(hxxps://qtox.github.io/)

Add user with our tox ID : 4AE245548F2A225882951FB14E9BF87E E01A0C10AE159B99D1EA62620D91A372205227254A9F

How does Medusa work?

Medusa ransomware compromises your business network by finding weaknesses, such as unsecured RDP. The ransomware then encrypts your data and demands a ransom in exchange for the decryptor.

1. Initial Access

Medusa ransomware's primary infection method is unsecured Remote Desktop Protocol (RDP). Phishing is the second method this group uses to gain access to organizations' networks and lock the data.

2. Execution

Medusa ransomware uses PowerShell as its command and scripting interpreter. It also deletes shadow copy backups and other system backups to make it impossible for victims to restore their files.

3. Privilege Escalation

After that, the malware uses the Windows built-in tool Microsoft Connection Manager Profile Installer to run commands with high privileges.

4. Defense Evasion

At this phase, Medusa ransomware deactivates defense software such as antivirus and antimalware. It can also boot the system in Safe Mode to limit endpoint defenses.

5. Lateral Movement

Afterward, Medusa uses remote services to compromise other computers and devices within the network and spread the ransomware payload.

6. Impact

The final phase is data encryption and inhibiting system recovery. At this point every file has a new file extension and the ransom note is on the desktop.
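The Execution and Defense Evasion phases above leave behind the most reliable early signals a defender has: shadow copy deletion and a forced Safe Mode boot both happen before encryption finishes and both run as visible process command lines. The Python detector below is an added example, not code from the article or from SalvageData. It scans process-creation log lines for those two behaviours and lists the hosts that should be isolated first. The log format (`time|host|user|parent_image|command_line`) and every line in `SAMPLE_LOG` are constructed for this demo; in practice the same `classify` function would be fed Sysmon Event ID 1 or Windows Security 4688 command lines.

```python
import re

# Command-line patterns tied to the Execution and Defense Evasion phases above:
# shadow-copy deletion (several tools reach the same result) and forcing a
# Safe Mode boot. Matching is case-insensitive and ignores quoting so that
# "C:\...\vssadmin.exe" delete shadows and vssadmin delete shadows both hit.
PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
        re.compile(r"win32_shadowcopy", re.I),  # the WMI/PowerShell route
    ],
    "safe_mode_boot": [re.compile(r"bcdedit(\.exe)?\s.*safeboot", re.I)],
}

# Constructed sample log (assumed format, not a vendor format):
# time|host|user|parent_image|command_line
SAMPLE_LOG = """\
2023-03-10T02:14:01Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2023-03-10T02:14:03Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete
2023-03-10T02:14:09Z|FS01|CORP\\svc_backup|powershell.exe|bcdedit /set {default} safeboot network
2023-03-10T02:15:00Z|WS22|CORP\\alice|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" budget.xlsx
2023-03-10T08:00:00Z|FS01|CORP\\admin|mmc.exe|vssadmin list shadows
"""


def parse_line(line):
    """Split one constructed log line into fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "parent", "cmdline"), parts))


def classify(cmdline):
    """Return the list of pattern labels the command line matches."""
    normalized = cmdline.replace('"', "")  # quoting around the image path must not hide a match
    return [label for label, regexes in PATTERNS.items()
            if any(rx.search(normalized) for rx in regexes)]


def scan(log_text):
    """Run every line through the patterns and return the alerting events."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        labels = classify(event["cmdline"])
        if labels:
            alerts.append({**event, "labels": labels})
    return alerts


def hosts_needing_isolation(alerts):
    """Hosts with at least one recovery-inhibition alert: candidates to isolate first."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['time']} {alert['host']} {alert['user']}: {alert['labels']} <- {alert['cmdline']}")
    print("isolate first:", hosts_needing_isolation(found))
```

Note that the benign `vssadmin list shadows` line from an administrator does not alert: the patterns key on the destructive verbs, not on the tool name, which keeps the rule usable on servers where backup staff legitimately run these utilities.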


Prevent the Medusa ransomware attack

We already mentioned several ways you can prevent Medusa ransomware attacks. Here is a complete list of what to do to keep your data and business safe.

1. Use strong passwords and apply multi-factor authentication

Always use strong and unique passwords for each account and only share them with necessary people.

You can use two-factor authentication or biometric unlock to ensure that only authorized people have access to folders, devices, or accounts.

2. Erase outdated and unused user accounts and audit user accounts with administrative privileges

Unused accounts are vulnerabilities that hackers can exploit. Deactivate and close unused accounts as well as those used by past employees.

Also, configure access controls according to the principle of least privilege to increase security.

3. Keep software updated

Outdated software is a weak point. Updates add protection against new types of malware, such as Medusa, and close the vulnerabilities that attackers rely on.

4. Schedule regular backups

Keep at least three copies of your data, with at least one stored offline and off-site. This ensures that, even if you are hit by a disaster, whether natural or human-made (like ransomware), your data is always safe.

Regular backups can prevent downtimes and ensure you never lose any sensitive data.

5. Use a cybersecurity solution

You can either have an IT team to guarantee your business security or hire a cybersecurity service.

Either way, you must look for vulnerabilities in the network, such as back doors, exploit kits, and outdated software.

6. Have a recovery plan in hand

Data recovery plans are documents that work as guides on what to do in case of a disaster. This can help you restore your business faster and more securely.

See how to create a data recovery plan with our in-depth guide.
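Step 2 above (remove unused accounts and audit accounts with administrative privileges) is the one most easily turned into a repeatable check, because it is the stolen or stale RDP credential that gives Medusa its initial access. The Python audit below is an added example, not the article's or SalvageData's code. It reads a constructed CSV export of user accounts (the column names and every row are invented for the demo) and flags enabled accounts with no logon in 90 days, admin accounts among them, and disabled accounts that still hold admin rights. A real run would replace `SAMPLE_EXPORT` with an export from the directory and `today` with the current date.

```python
import csv
import io
from datetime import date, timedelta

# Constructed account export. Columns are assumed for this example, not a
# directory product's native export format.
SAMPLE_EXPORT = """\
sam_account,enabled,last_logon,is_admin,notes
alice,true,2023-03-20,false,finance
bob,true,2022-11-02,true,former contractor
svc_backup,true,2023-03-21,true,backup service
carol,false,2021-06-30,true,left company
dave,true,,false,never logged on
"""

# Accounts that have not authenticated in this long are treated as unused.
STALE_AFTER = timedelta(days=90)


def parse_export(text):
    """Turn the CSV export into a list of typed account records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last_logon = row["last_logon"].strip()
        rows.append({
            "name": row["sam_account"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            # An empty last_logon means the account never authenticated.
            "last_logon": date.fromisoformat(last_logon) if last_logon else None,
            "is_admin": row["is_admin"].strip().lower() == "true",
        })
    return rows


def audit_accounts(rows, today):
    """Apply the step-2 hygiene checks and return the findings grouped by type."""
    findings = {
        "admins": [],               # everyone holding admin rights, for the periodic review
        "stale_enabled": [],        # enabled but unused: deactivate these
        "stale_admins": [],         # unused *and* privileged: the highest-risk group
        "disabled_with_admin": [],  # disabled accounts that should also lose the privilege
    }
    for r in rows:
        if r["is_admin"]:
            findings["admins"].append(r["name"])
        never_or_old = r["last_logon"] is None or today - r["last_logon"] > STALE_AFTER
        if r["enabled"] and never_or_old:
            findings["stale_enabled"].append(r["name"])
            if r["is_admin"]:
                findings["stale_admins"].append(r["name"])
        if not r["enabled"] and r["is_admin"]:
            findings["disabled_with_admin"].append(r["name"])
    return findings


if __name__ == "__main__":
    # Fixed reference date so the constructed sample gives the same result every run.
    report = audit_accounts(parse_export(SAMPLE_EXPORT), today=date(2023, 3, 22))
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The script deliberately reports rather than acts: deactivating or stripping privileges from accounts is a change that belongs in a reviewed ticket, and the `stale_admins` list is the one to work through first.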

How to handle a Medusa ransomware attack

The first step to recover from a Medusa attack is to isolate the compromised computer by disconnecting it from the internet and removing any connected devices. Then, you must contact the local authorities. For US residents and businesses, that is the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Medusa actors (if you have them)
  • Sample of an encrypted file

You must not delete the ransomware, and you must keep every piece of evidence of the attack. That is important for digital forensics, so experts can trace the attack back to the hacker group and identify them. Investigators use the data on your infected system to analyze the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware families use the file extension as their name, such as hajd ransomware) or from the ransom note. With this information, you can look for a public decryption key. However, no public decryptor exists for Medusa yet.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and guarantee Medusa ransomware does not attack your network again.

Contact our experts 24/7 for emergency recovery service or find a recovery center near you.
