Kaspersky’s commentary on Medusa Ransomware

By Vladimir Kuskov

Medusa ransomware is malicious software that encrypts victims’ data and demands a ransom for its release. The threat actors behind this strain typically attack their victims via unsecured Remote Desktop Protocol (RDP) access and phishing campaigns.

The attackers typically manually infiltrate the victim’s network, carry out reconnaissance, move laterally, steal the victim’s sensitive data, and finally launch the ransomware trojan that encrypts files with the .MEDUSA extension and leaves a ransom note.

The Medusa threat actor uses the double-extortion tactic, threatening to leak the stolen confidential data of their victims on the “Medusa Blog” on the TOR network if the ransom isn’t paid.

Modern strains of ransomware, such as Medusa, are typically sold through the Ransomware-as-a-Service (RaaS) model. This means that hacker groups responsible for the attacks share a percentage of their ransom payouts with the malware authors.

Our products are able to proactively detect this threat and protect against it with Behavior Detection. However, we have not observed any statistically significant number of detections of Medusa ransomware in the Philippines or Southeast Asia region.

To keep your company protected against Medusa and other modern ransomware attacks, Kaspersky experts recommend:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
  • Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access it in an emergency when needed.
  • Use the latest Threat Intelligence information to stay aware of the current tactics, techniques, and procedures (TTPs) used by threat actors.
  • Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help identify and stop the attack at an early stage, before attackers reach their final goals.
  • To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.
  • Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms which can prevent its removal by cybercriminals.

Kaspersky products detect Medusa ransomware by File Threat Protection as variants of Trojan-Ransom.Win32.MedusaNg. Additionally, products with the Behavior Detection component detect even unknown variants of this malware proactively as PDM:Trojan.Win32.Generic.
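The mass rename to the .MEDUSA extension described above is one of the clearest host-level signals of the final stage of the attack. As an added illustration of the detection-focused advice in the recommendations (this is not Kaspersky’s code or detection logic), the following Python script flags hosts that produce a burst of .MEDUSA file events; the log lines are constructed and use a hypothetical “timestamp host action path” format rather than any real product’s format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-event lines in a hypothetical "timestamp host action path"
# format. ws-17 shows a burst typical of the encryptor; ws-03 shows a single stray file.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z ws-17 RENAME C:\\Users\\jdoe\\Documents\\q1-report.docx.MEDUSA
2024-05-01T10:00:01Z ws-17 RENAME C:\\Users\\jdoe\\Documents\\budget.xlsx.MEDUSA
2024-05-01T10:00:02Z ws-17 RENAME C:\\Users\\jdoe\\Pictures\\team.jpg.MEDUSA
2024-05-01T10:00:02Z ws-17 CREATE C:\\Users\\jdoe\\Desktop\\notes.txt
2024-05-01T10:00:03Z ws-17 RENAME C:\\Users\\jdoe\\Documents\\contract.pdf.MEDUSA
2024-05-01T10:00:04Z ws-17 RENAME D:\\Shares\\finance\\ledger.csv.MEDUSA
2024-05-01T10:02:30Z ws-03 RENAME C:\\Users\\asmith\\old.bak.MEDUSA
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")

def parse_events(text):
    """Yield (timestamp, host, path) for file events whose new path ends in .MEDUSA."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_str, host, _action, path = m.groups()
        if not path.lower().endswith(".medusa"):
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        yield ts, host, path

def find_encryption_bursts(text, threshold=5, window_seconds=60):
    """Return {host: peak_count} for hosts with >= threshold .MEDUSA events inside any
    window_seconds span; a sliding window separates mass encryption from stray files."""
    per_host = defaultdict(list)
    for ts, host, _path in parse_events(text):
        per_host[host].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts
```

Calling `find_encryption_bursts(SAMPLE_EVENTS)` returns `{"ws-17": 5}`, so ws-17 would be isolated and its backups checked while the single event on ws-03 stays below the threshold.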

With the help of Kaspersky’s self-defense technology, our endpoint solution efficiently prevents malicious attempts to interfere with normal operation of the product.

(The author is the Head of Anti-Malware Research at Kaspersky)