Palo Alto’s Unit 42 finds escalation in Medusa ransomware and shift towards extortion

Medusa-Ransomware
9 months ago

Palo Alto Networks’ Unit 42 published new research on Medusa ransomware activity. Unit 42 found an escalation in Medusa ransomware operations and a shift in tactics towards extortion, characterized by the introduction of their dedicated leak site (DLS) called the Medusa Blog in early 2023.

This multi-extortion operation backs the recent Unit 42 finding that there has been a 37% increase in ransomware attacks involving multi-extortion from 2022-2023 (Palo Alto Networks earnings Q1’24). Additional recent findings by Unit 42 on Medusa ransomware include:

  • The introduction of the new Medusa Blog, accessible through TOR, released in early 2023 to disclose sensitive data of victims unwilling to accede to their ransom demands.
  • The operators provide victims with multiple ransom payment options when their data is posted on their DLS. For example, a standard fee for a time extension to prevent data from being published on their blog is $10,000.
  • Medusa is opportunistic targeting a wide range of industries including, high technology, education, manufacturing and healthcare – mostly in the US – and impacting possibly 74 organizations worldwide in 2023.
  • The group predominantly propagates its ransomware through the exploitation of vulnerable services or public-facing assets or applications with known unpatched vulnerabilities and hijacking of legitimate accounts, often utilizing initial access brokers for infiltration.
  • The group leverages a public Telegram channel named “information support,” where files of compromised organizations are shared and are more accessible than traditional onion sites.

The research also outlines how the Unit 42 Incident Response team responded to a Medusa ransomware incident, which allowed the analysts to uncover unique tactics, tools and procedures used by Medusa threat actors.

Don't Miss

GBM to Implement Palo Alto Networks’ Next-Generation Firewall at GEMS Education to Protect Schools from Rising Cyberthreats

Gulf Business Machines (GBM) will deploy a next-generation firewall by Palo Alto
Orange-Business-First-to-Deliver-Prisma-SASE-with-SP-Interconnect

Orange Business to provide Palo Alto’s Prisma SASE with Service Provider Interconnect

Orange Business, Orange Cyberdefense and Palo Alto Networks have further strengthened their