AS MANY of us Filipinos now know, Medusa is the ransomware group behind the recent attack on PhilHealth, the country’s state health insurer.

To make matters worse, the country’s state insurer has been given a four-day ultimatum to comply with the demands of the cybercriminal group.

Medusa is reportedly demanding a $300,000 ransom, roughly P17,100,000 at current exchange rates.

According to published reports, every day of extension beyond the deadline costs a victim such as PhilHealth an additional $10,000.

To better understand how Medusa operates and victimizes vulnerable targets please read on:

How Medusa operates

According to Lawrence Abrams of BleepingComputer, the Medusa ransomware operation started in June 2021 but stayed low-profile, with only a handful of victims, until 2023.

That year the group escalated sharply, focusing on corporate victims with ransom demands in the millions of dollars and launching a data leak site, the “Medusa Blog,” to publish data stolen from victims who refuse to pay.

Medusa drew media attention in 2023 when it claimed responsibility for an attack on the Minneapolis Public Schools (MPS) district and shared a video containing stolen data.

In his latest BleepingComputer article, Abrams clarified that several malware families adopt the name Medusa, including a Mirai-based botnet with ransomware capabilities, a Medusa Android malware, and the well-known MedusaLocker ransomware operation.

It’s important to note that there has been confusion in reporting due to the common name, with many assuming it’s the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are distinct entities.

The MedusaLocker operation was launched in 2019 as a Ransomware-as-a-Service, involving numerous affiliates, a commonly used ransom note named “How_to_back_files.html,” and a wide range of file extensions for encrypted files. Negotiations for MedusaLocker typically occur on a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion.

On the other hand, the Medusa ransomware operation emerged around June 2021, using a ransom note named “!!!READ_ME_MEDUSA!!!.txt” and a static encrypted file extension of “.MEDUSA.” Negotiations for this operation also take place on a Tor website, specifically at medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.

Regarding the encryption of Windows devices, Abrams explains that BleepingComputer has only been able to analyze the Medusa encryptor for Windows. It remains uncertain whether they have developed one for Linux systems at this time.

The Windows encryptor can be configured using command-line options, allowing threat actors to determine how files will be encrypted on the device as follows:

Command Line

Option | Description

-V | Get version
-d | Do not delete self
-f | Exclude system folder
-i | In path
-k | Key file path
-n | Use network
-p | Do not preprocess (preprocess = kill services and shadow copies)
-s | Exclude system drive
-t | Note file path
-v | Show console window
-w | Initial run powershell path (powershell -executionpolicy bypass -File %s)

For example, the -v command line argument will cause the ransomware to display a console, showing status messages as it encrypts a device.

In a regular run, without command-line arguments, the Medusa ransomware terminates over 280 Windows services and processes belonging to programs that could hold files open or otherwise block encryption. These include Windows services for mail servers, database servers, backup servers, and security software.

The ransomware then deletes Windows Shadow Volume Copies so they cannot be used to recover files.

Ransomware expert Michael Gillespie also analyzed the encryptor and told BleepingComputer that it encrypts files with AES-256 for the file contents and RSA-2048 to protect the AES keys, implemented through the Windows BCrypt library (the CNG bcrypt.dll API, not the bcrypt password-hashing scheme of the same name).
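The two pre-encryption steps just described, a burst of service and process terminations followed by shadow-copy deletion, are visible in ordinary process-creation telemetry before any file is renamed. The script below is an added example, not code from the article or from BleepingComputer, that runs that logic over a handful of constructed log lines. The log format, hostnames and command lines are made up for the example, and the shadow-copy deletion commands it looks for are the common ones seen across ransomware families; the article does not reproduce the exact command Medusa runs, so treating them as Medusa-specific is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation events (not real telemetry), one per line:
# "timestamp host parent_pid image command_line"
SAMPLE_EVENTS = """\
2023-09-22T01:12:03Z WS01 4120 C:\\Windows\\System32\\net.exe net stop MSSQLSERVER /y
2023-09-22T01:12:03Z WS01 4120 C:\\Windows\\System32\\net.exe net stop SQLWriter /y
2023-09-22T01:12:04Z WS01 4120 C:\\Windows\\System32\\sc.exe sc stop VeeamBackupSvc
2023-09-22T01:12:04Z WS01 4120 C:\\Windows\\System32\\taskkill.exe taskkill /F /IM outlook.exe
2023-09-22T01:12:05Z WS01 4120 C:\\Windows\\System32\\vssadmin.exe vssadmin delete shadows /all /quiet
2023-09-22T01:12:06Z WS01 4120 C:\\Windows\\System32\\wbem\\WMIC.exe wmic shadowcopy delete
2023-09-22T01:30:11Z WS02 1888 C:\\Windows\\System32\\net.exe net stop Spooler
2023-09-22T02:05:40Z WS03 2210 C:\\Windows\\System32\\notepad.exe notepad.exe C:\\Users\\a\\README.txt
"""

# Generic shadow-copy deletion commands (assumption: not taken from the article).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(Delete|Remove-WmiObject)", re.I),
]
# Ways a process commonly stops services or kills other processes.
SERVICE_STOP_PATTERN = re.compile(
    r"\b(net1?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+/F)\b", re.I
)


def parse_event(line):
    """Split one constructed log line into its fields; command line keeps its spaces."""
    ts, host, ppid, image, cmdline = line.split(" ", 4)
    return {"ts": ts, "host": host, "ppid": int(ppid), "image": image, "cmdline": cmdline}


def detect(events, stop_threshold=3):
    """Group events by (host, parent pid) and score each parent.

    high   = shadow-copy deletion AND at least stop_threshold service/process stops
    medium = shadow-copy deletion alone
    low    = a burst of stops without shadow-copy deletion
    Parents that trip neither rule are not reported.
    """
    stops = Counter()
    shadow = defaultdict(list)
    for ev in events:
        key = (ev["host"], ev["ppid"])
        if SERVICE_STOP_PATTERN.search(ev["cmdline"]):
            stops[key] += 1
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            shadow[key].append(ev["cmdline"])

    findings = {}
    for key in set(stops) | set(shadow):
        burst = stops[key] >= stop_threshold
        if shadow[key] and burst:
            severity = "high"
        elif shadow[key]:
            severity = "medium"
        elif burst:
            severity = "low"
        else:
            continue
        findings[key] = {
            "severity": severity,
            "service_stops": stops[key],
            "shadow_copy_commands": list(shadow[key]),
        }
    return findings


def analyze(text):
    """Parse a block of log lines and return the detect() findings."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return detect(events)


if __name__ == "__main__":
    for (host, ppid), f in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{host} ppid={ppid} {f['severity']}: {f['service_stops']} stops, "
              f"{len(f['shadow_copy_commands'])} shadow-copy deletions")
```

Keying on the parent process rather than on individual command lines is what separates a ransomware run from an administrator stopping one service: a single `net stop` (WS02 above) never reaches the threshold, while one parent spawning many stops and then `vssadmin delete shadows` does.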

Gillespie further confirmed that the encryption method used in Medusa is different than the one used in MedusaLocker.

When encrypting files, the ransomware appends the .MEDUSA extension to each encrypted file name. For example, 1.doc would be encrypted and renamed to 1.doc.MEDUSA.

In each folder, the ransomware will create a ransom note named !!!READ_ME_MEDUSA!!!.txt that contains information about what happened to the victim’s files.
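The static extension and the fixed note file name are the two on-disk artifacts a responder can scope an incident with. The script below is an added example, not code from the article or from BleepingComputer: a read-only triage pass over a file tree that counts .MEDUSA files, recovers the original extensions (whatever precedes .MEDUSA, as in 1.doc.MEDUSA), and reports which folders contain the !!!READ_ME_MEDUSA!!!.txt note and which have encrypted files but no note. The directory layout in build_sample_tree() is constructed for the example and holds placeholder content only.

```python
from collections import Counter
from pathlib import Path
import tempfile

ENCRYPTED_SUFFIX = ".MEDUSA"            # static extension the article reports
RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"  # note dropped in each folder


def triage(root):
    """Walk root read-only and summarise Medusa on-disk artifacts."""
    root = Path(root)
    encrypted, note_dirs = [], set()
    for p in root.rglob("*"):
        if p.is_dir():
            continue
        if p.name == RANSOM_NOTE:
            note_dirs.add(p.parent)
        elif p.name.endswith(ENCRYPTED_SUFFIX):  # case-sensitive: the extension is fixed
            encrypted.append(p)

    # Strip the appended extension to see what file types were hit.
    original_ext = Counter(
        Path(p.name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower() or "(none)" for p in encrypted
    )
    encrypted_dirs = {p.parent for p in encrypted}
    rel = lambda d: str(d.relative_to(root))
    return {
        "encrypted_count": len(encrypted),
        "original_extensions": dict(original_ext),
        "folders_with_note": sorted(rel(d) for d in note_dirs),
        "folders_encrypted_without_note": sorted(rel(d) for d in encrypted_dirs - note_dirs),
    }


def build_sample_tree(base):
    """Constructed sample tree: placeholder files, no real note text or malware."""
    base = Path(base)
    layout = {
        "Finance": ["report.xlsx" + ENCRYPTED_SUFFIX, "budget.docx" + ENCRYPTED_SUFFIX, RANSOM_NOTE],
        "HR": ["1.doc" + ENCRYPTED_SUFFIX, RANSOM_NOTE],
        "Temp": ["cache" + ENCRYPTED_SUFFIX, "notes.txt"],   # encrypted file, no note
        "Windows/System32": ["kernel32.dll"],                # untouched
    }
    for folder, names in layout.items():
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_text("placeholder content for the example\n")
    return base


def run_sample():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

A folder with encrypted files but no note is worth a second look during response: it may be where the encryptor was interrupted, or a share written to by another host, which narrows down where the process actually ran.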

The ransom note also includes extensive contact information: a Tor data leak site, a Tor negotiation site, a Telegram channel, a Tox ID, and the key.medusa.serviceteam@protonmail.com email address.

The Tor negotiation site is at http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.

As an extra step to prevent the restoration of files from backups, the Medusa ransomware will run the following command to delete locally stored files associated with backup programs, like Windows Backup. This command will also delete virtual disk hard drives (VHD) used by virtual machines.

The Tor negotiation site calls itself “Secure Chat,” where each victim has a unique ID that can be used to communicate with the ransomware gang.

Like most enterprise-targeting ransomware operations, Medusa has a data leak site named ‘Medusa Blog.’ This site is used as part of the gang’s double-extortion strategy, where they leak data for victims who refuse to pay a ransom.

When a victim is added to the data leak site, their data is not published immediately. Instead, the threat actors offer the victim paid options to extend the countdown before the data is released, to have the data deleted, or to download all of the data. Each option carries a different price.

These options exist to apply extra pressure on the victim and scare them into paying the ransom.

Unfortunately, no known weaknesses in the Medusa Ransomware encryption allow victims to recover their files for free.

Researchers will continue to analyze the encryptor, and Abrams says BleepingComputer will report any weakness that is found.

(Jr. Amigo/ai/mnm)