Medusa ransomware unleashes unprecedented cyber attack against Philhealth

An initial analysis of Medusa ransomware’s behavior, distribution, and impact—security insights by Renzon Cruz, Principal DFIR Consultant @ Unit 42 by Palo Alto Networks


At a glance

  • Medusa is a newly improved variant of ransomware that encrypts victims’ files and deletes backups and virtual hard disks to hinder any recovery efforts, and was analyzed by Renzon Cruz, Principal DFIR Consultant at Unit 42 by Palo Alto Networks.

  • Medusa is distributed as an executable file, typically gaining initial access through exposed RDP servers via brute force attacks, well-crafted phishing emails, or by exploiting existing vulnerabilities.

  • Upon execution, Medusa encrypts files using the AES-256 encryption algorithm and appends the .MEDUSA extension to them, leaving a ransom note named !!!READ_ME_MEDUSA!!!.txt in every folder containing encrypted files, which instructs victims to contact the attackers via a TOR chat or a TOX ID.

  • Medusa ransomware disables 228 services on the infected computer, including major security software like Sophos, Symantec, TrendMicro, McAfee, and Kaspersky, and deletes the Volume Shadow Copy, which prevents victims from running antivirus scans, removing the ransomware, or using recovery tools.

  • Medusa targets not only Windows systems but also has a variant infecting Linux servers, typically deploying crypto-mining malware like XMRig. Renzon Cruz warns of its potential to cause irreversible damage, financial losses, and exposure of sensitive information and advises ongoing vigilance, regular backups, and updated security measures.


Ransomware is a type of malware that encrypts the files on a victim's computer and demands a ransom for their decryption. Ransomware attacks have become more frequent and sophisticated in recent years, posing a serious threat to individuals, businesses, and organizations. One of the latest ransomware variants discovered by security researchers is Medusa, which encrypts files and deletes backups and virtual hard disks to prevent recovery. This article will provide an overview of the ransomware that has affected the country's health insurance program, the Medusa ransomware -- its distribution, behavior, and impact, based on the analysis of Renzon Cruz, Principal DFIR Consultant @ Unit 42 by Palo Alto Networks.

According to Cruz, Medusa is distributed as an executable file. Like other ransomware, he said, it typically gains initial access through an internet-exposed RDP server via a brute force attack, through a well-crafted phishing email, or by exploiting existing vulnerabilities.

When executed, Medusa encrypts files, appends the .MEDUSA extension to them, and creates a ransom note text file named !!!READ_ME_MEDUSA!!!.txt. The ransom note instructs the victims to contact the attackers via a TOR chat or a TOX ID, but neither method is working as of this writing. The executable is 1.5 MB in size and packed with UPX, a common technique for evading antivirus detection. It also carries a fake Microsoft Word icon to trick users into opening it.

In the ransom note to Philhealth, Medusa claimed to have penetrated the government agency's entire network, including backup systems, and reportedly copied essential and valuable data to private cloud storage.

When the executable is run, it performs several malicious actions on the infected computer. First, it encrypts files with various extensions, such as .docx, .xlsx, .pptx, .pdf, .jpg, .png, .mp3, .mp4, and more. It uses the AES-256 encryption algorithm and appends the .MEDUSA extension to the encrypted files. For example, a file named report.docx will become report.docx.MEDUSA after encryption.

Second, it creates a ransom note text file named !!!READ_ME_MEDUSA!!!.txt in every folder that contains encrypted files. The ransom note instructs the victims to contact the attackers via a TOR chat or a TOX ID to get the decryption key. However, both methods are currently not working, which means that the victims have no way to communicate with the attackers or recover their files.

Third, Medusa ransomware kills 228 services on the infected computer, including security software such as Sophos, Symantec, TrendMicro, McAfee, and Kaspersky. This prevents the victims from running antivirus scans or removing the ransomware.

Fourth, Medusa launches multiple processes, such as powershell.exe, net.exe, vssadmin.exe, taskkill.exe, and cmd.exe. These processes are used to delete various backup and disk-related files, such as .VHD, .bac, .bak, .wbcat, .bkf, Backup*.*, .set, .win, and .dsk. These files are usually associated with the Windows Backup and Restore feature or virtual machines. By deleting these files, Medusa prevents the victims from restoring their data from backups or snapshots.

Fifth, Medusa deletes the Volume Shadow Copies on the infected computer using the command "vssadmin delete shadows /all /quiet". Volume Shadow Copy (VSS) is a Windows feature that allows users to create snapshots of their files and folders at a specific time. By deleting the shadow copies, Medusa prevents the victims from using tools such as ShadowExplorer or Recuva to recover their files.
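The behaviours listed above can be correlated per host to separate a likely Medusa infection from isolated, benign events. The following is an added example, not code from Cruz's analysis or from Unit 42; the event field names (ts, host, type, cmdline, path), the 300-second window and the two-behaviour threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Indicators taken from the article's description of Medusa's behaviour.
RANSOM_NOTE = "!!!read_me_medusa!!!.txt"
ENCRYPTED_EXT = ".medusa"
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\W+delete\s+shadows", re.I)
BACKUP_EXTS = (".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk")

def classify(event):
    """Map one telemetry event to a behaviour label, or None if nothing matches."""
    kind = event["type"]
    if kind == "process" and VSS_DELETE.search(event["cmdline"]):
        return "shadow_copy_deletion"
    if kind in ("file_create", "file_delete"):
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if kind == "file_create" and name == RANSOM_NOTE:
            return "ransom_note"
        if kind == "file_create" and name.endswith(ENCRYPTED_EXT):
            return "encrypted_file"
        if kind == "file_delete" and name.endswith(BACKUP_EXTS):
            return "backup_deletion"
    return None

def triage(events, window=300, min_behaviours=2):
    """Return {host: sorted behaviours} for hosts that show at least
    min_behaviours distinct behaviours within `window` seconds."""
    seen = defaultdict(list)  # host -> [(timestamp, label)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            seen[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, hits in seen.items():
        for i, (start, _) in enumerate(hits):
            labels = {l for t, l in hits[i:] if t - start <= window}
            if len(labels) >= min_behaviours:
                alerts[host] = sorted(set(alerts.get(host, [])) | labels)
    return alerts

# Constructed sample telemetry (not from a real incident).
SAMPLE = [
    {"ts": 100, "host": "ws01", "type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 130, "host": "ws01", "type": "file_create", "path": r"C:\Users\a\report.docx.MEDUSA"},
    {"ts": 131, "host": "ws01", "type": "file_create", "path": r"C:\Users\a\!!!READ_ME_MEDUSA!!!.txt"},
    {"ts": 200, "host": "srv02", "type": "file_delete", "path": r"D:\old\db.bak"},
    {"ts": 900, "host": "srv03", "type": "process", "cmdline": "vssadmin list shadows"},
]
```

On the sample, only ws01 is flagged: a single .bak deletion on srv02 and a read-only vssadmin query on srv03 do not reach the threshold on their own.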

Cruz warns that Medusa is a serious threat that can cause irreversible damage to the data and systems of its victims. It can also cause financial losses if the victims pay the ransom without getting the decryption key. Moreover, it can expose sensitive information if the attackers access the encrypted files or demand more money for not leaking them. He advises users to avoid opening suspicious attachments or links and to keep their security software updated. He also recommends that users back up their important files regularly and store the backups in a safe location. Cruz also warns that Medusa does not infect only Windows systems, as there is also a Medusa variant targeting Linux servers, typically deploying crypto-mining malware like XMRig. Cruz says that his analysis of Medusa is still ongoing and that he will share more details soon.