A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
The Medusa operation started in June 2021 but had relatively low activity, with few victims. In 2023, however, the ransomware gang increased its activity and launched a 'Medusa Blog' used to leak data stolen from victims who refuse to pay a ransom.
Medusa gained media attention this week after they claimed responsibility for an attack on the Minneapolis Public Schools (MPS) district and shared a video of the stolen data.
BleepingComputer has only been able to analyze the Medusa encryptor for Windows, and it is not known whether a Linux version exists at this time. Ransomware expert Michael Gillespie also analyzed the encryptor and told BleepingComputer that it encrypts files with AES-256 and RSA-2048, implemented through the BCrypt library.
Gillespie further confirmed that the encryption method used in Medusa is different from the one used in MedusaLocker.
When encrypting files, the ransomware will append the .MEDUSA extension to encrypted file names, as shown below. For example, 1.doc would be encrypted and renamed to 1.doc.MEDUSA.
Like most enterprise-targeting ransomware operations, Medusa has a data leak site named 'Medusa Blog.' This site is used as part of the gang's double-extortion strategy, where they leak data stolen from victims who refuse to pay a ransom.
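As an added incident-scoping example (not from the article or the researchers it cites), the following Python triage helper uses only the file-renaming behaviour described above: it identifies files carrying the .MEDUSA suffix in a file listing or directory tree, recovers their pre-encryption names, and summarizes the impact by directory and original extension. The sample listing is constructed for illustration.

```python
import os
from collections import Counter
from typing import Iterable, List, Optional

# Suffix the Medusa encryptor appends to encrypted files: 1.doc -> 1.doc.MEDUSA
MEDUSA_SUFFIX = ".MEDUSA"


def original_name(path: str) -> Optional[str]:
    """Return the pre-encryption path if `path` is a renamed file, else None.

    The suffix match is case-sensitive, as reported for this family, and a
    basename that is nothing but the suffix is not treated as a renamed file.
    """
    base = os.path.basename(path)
    if base.endswith(MEDUSA_SUFFIX) and len(base) > len(MEDUSA_SUFFIX):
        return path[: -len(MEDUSA_SUFFIX)]
    return None


def triage_paths(paths: Iterable[str]) -> dict:
    """Scope an incident from a list of paths: count hits, affected directories, original extensions."""
    originals: List[str] = []
    by_dir: Counter = Counter()
    by_ext: Counter = Counter()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        originals.append(orig)
        by_dir[os.path.dirname(orig) or "."] += 1
        ext = os.path.splitext(orig)[1].lower() or "(none)"
        by_ext[ext] += 1
    return {
        "encrypted_count": len(originals),
        "by_directory": dict(by_dir),
        "by_extension": dict(by_ext),
        "originals": originals,
    }


def triage_tree(root: str) -> dict:
    """Walk a directory tree (e.g. a mounted affected share) and triage every file in it."""
    return triage_paths(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing (hypothetical paths, not from the article).
SAMPLE_LISTING = [
    "/srv/share/finance/1.doc.MEDUSA",
    "/srv/share/finance/budget.xlsx.MEDUSA",
    "/srv/share/hr/notes.txt",
    "/srv/share/hr/photo.JPG.MEDUSA",
    "/srv/share/.MEDUSA",
]
```

Run `triage_tree("/path/to/share")` during response to get a quick count of encrypted files and the directories hit before restoring from backup.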
Full article here https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/
#medusa #ransomware #companies #Minneapolis #schools #yokdata #blog