The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands.
“As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data,” Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News.
“All of these options have a price tag depending on the organization impacted by this group.”
Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It is known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail.
As many as 74 organizations, mostly in the U.S., the U.K., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.
Ransomware attacks orchestrated by the group begin with the exploitation of internet-facing assets or applications with known unpatched vulnerabilities and the hijacking of legitimate accounts, often employing initial access brokers to obtain a foothold in target networks.
In one instance observed by the cybersecurity firm, a Microsoft Exchange Server was exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software.
A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and sidestep detection. Also observed is the use of a pair of kernel drivers to terminate a hard-coded list of security products.
The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files except those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).
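The encryption behaviour described above (every file is renamed to a `.medusa` extension, with `.dll`, `.exe`, `.lnk` and already-encrypted files skipped) is something a defender can turn into a simple host-level detection: a single process renaming many files to the encrypted extension within a short window is a strong signal. The following Python is an added example and is not code from The Hacker News, Unit 42 or the Medusa operators; the audit-line format, the host names and the process name `updsvc.exe` are constructed assumptions rather than a real EDR schema or a known indicator.

```python
"""Toy detector for a burst of renames to the ".medusa" extension.

Added example, not from the article or Unit 42. The log line format below is
a constructed assumption (not any real EDR or Sysmon schema), and the sample
events, hosts and process names are made up for the demonstration.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".medusa"
# Extensions the article says the ransomware leaves untouched.
SKIPPED_EXTS = {".dll", ".exe", ".lnk", ".medusa"}

# Constructed sample audit lines: one process renames six files to .medusa
# within a few seconds on fs01; one unrelated rename and one isolated rename
# elsewhere should not trigger an alert.
SAMPLE_LOG = [
    r"2023-12-01T10:00:00Z host=fs01 proc=updsvc.exe op=rename src=C:\share\q3.xlsx dst=C:\share\q3.xlsx.medusa",
    r"2023-12-01T10:00:01Z host=fs01 proc=updsvc.exe op=rename src=C:\share\plan.docx dst=C:\share\plan.docx.medusa",
    r"2023-12-01T10:00:02Z host=fs01 proc=explorer.exe op=rename src=C:\share\old.txt dst=C:\share\new.txt",
    r"2023-12-01T10:00:02Z host=fs01 proc=updsvc.exe op=rename src=C:\share\hr.pdf dst=C:\share\hr.pdf.medusa",
    r"2023-12-01T10:00:03Z host=fs01 proc=updsvc.exe op=rename src=C:\share\db.bak dst=C:\share\db.bak.medusa",
    r"2023-12-01T10:00:04Z host=fs01 proc=updsvc.exe op=rename src=C:\share\notes.md dst=C:\share\notes.md.medusa",
    r"2023-12-01T10:00:05Z host=fs01 proc=updsvc.exe op=rename src=C:\share\pay.csv dst=C:\share\pay.csv.medusa",
    r"2023-12-01T10:30:00Z host=ws02 proc=explorer.exe op=rename src=C:\Users\a\x.jpg dst=C:\Users\a\x.jpg.medusa",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def extension(path: str) -> str:
    """Return the lower-cased final extension of a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name)[1].lower()


def would_be_encrypted(path: str) -> bool:
    """True if the file is outside the skip list the article describes."""
    return extension(path) not in SKIPPED_EXTS


def parse_event(line: str):
    """Parse one constructed audit line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rename_bursts(lines, window_seconds: int = 60, threshold: int = 5):
    """Return {(host, proc): max renames-to-.medusa seen in any window}
    for every (host, proc) pair that reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    grouped = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "rename":
            continue
        if extension(ev["dst"]) != ENCRYPTED_EXT:
            continue
        grouped[(ev["host"], ev["proc"])].append(ev["ts"])

    alerts = {}
    for key, times in grouped.items():
        times.sort()
        best, left = 0, 0
        # Two-pointer sliding window over sorted timestamps.
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (host, proc), count in detect_rename_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {proc} renamed {count} files to {ENCRYPTED_EXT} within 60s")
```

The threshold and window are deliberately conservative; in practice a defender would tune them against the rename rate of legitimate backup and sync agents on each host class, and would pair the rename burst with the other signals the article mentions, such as unexpected RMM installs or a kernel driver load that precedes security-product termination.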
For each compromised victim, Medusa’s leak site displays information about the organization, the ransom demanded, the amount of time left before the stolen data is released publicly, and the number of views in a bid to exert pressure on the company.
The actors also offer different choices to the victim, all of which involve some form of extortion to delete or download the pilfered data and seek a time extension to prevent the data from being released.
As ransomware continues to be a rampant threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting bolder with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels.
“Ransomware has changed many aspects of the threat landscape, but a key recent development is its growing commoditization and professionalization,” Sophos researchers said last month, calling ransomware gangs “increasingly media-savvy.”
Medusa, per Unit 42, not only has a media team to likely handle their branding efforts, but also leverages a public Telegram channel named “information support,” where files of compromised organizations are shared and can be accessed over the clearnet. The channel was set up in July 2021.
“The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape,” the researchers said. “This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques.”
The development comes as Arctic Wolf Labs publicized two cases in which victims of the Akira and Royal ransomware gangs were targeted by malicious third parties posing as security researchers for secondary extortion attempts.
“Threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data,” security researchers Stefan Hostetler and Steven Campbell said, noting the threat actor sought about 5 bitcoin in exchange for the service.
It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country toward the end of 2023 that exploited a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.