Key Points

  • In June 2024, ReliaQuest responded to detections from an endpoint detection and response (EDR) tool signaling the beginning of a ransomware attack by the “Medusa” ransomware group that resulted in the encryption of various hosts in a customer environment.
  • Since 2022, the Ransomware-as-a-Service (RaaS) group Medusa has targeted organizations in the technology, education, manufacturing, and healthcare sectors by taking advantage of unpatched vulnerabilities and hijacking legitimate accounts.
  • An investigation by the ReliaQuest Threat Research team found that Medusa utilized a compromised VPN account for initial access, NTDS dumps for credential access, and RDP for lateral movement.
  • This report highlights Medusa’s reliance on common tactics, techniques, and procedures (TTPs), such as living-off-the-land (LoTL) techniques, PowerShell for credential dumping, and service installations for persistence.
  • Proper cybersecurity defenses, including robust VPN configurations, enhanced endpoint visibility, and automated response mechanisms, are crucial in mitigating the impact of such ransomware attacks.

In June 2024, ReliaQuest was made aware of a series of detections from an EDR tool by one of our customers. These detections indicated the successful deployment of the Medusa ransomware, resulting in encryption across one of the customer’s unmonitored sub-domains. Our investigation yielded indicators of intrusion and intelligence about the adversary’s TTPs. The North America-based organization had undergone rapid growth due to multiple acquisitions; as a result, the company struggled with gaps in visibility across its environment. These issues ultimately hindered its ability to effectively mitigate and respond to the attack.

This report details the attack lifecycle, beginning with initial access via a compromised customer account on a remote VPN, followed by an NTDS dump on a domain controller to facilitate lateral movement, and culminating in the installation of a vulnerable driver to bypass EDR tools and deploy an encryptor. We examine the legitimate tools used by Medusa and provide actionable prevention and mitigation strategies to help organizations defend against such ransomware threats. By implementing the practical recommendations outlined in this report, organizations can significantly enhance their defensive measures and reduce the impact of similar attacks.

Medusa Overview

Security researchers first identified the RaaS operator Medusa in late 2022 (not to be confused with the similarly-named MedusaLocker). The group primarily spreads its ransomware by exploiting unpatched vulnerabilities in public-facing assets. Medusa affiliates also purchase system credentials from initial access brokers (IABs) and hijack legitimate accounts to infiltrate environments. The threat group uses LoTL techniques to evade defenses and blend in with normal system activity, suggesting the operators are technically adept and highly experienced.

Since the introduction of its data leak site in early 2023, Medusa has named over 200 victims. It primarily targets organizations in the technology, education, manufacturing, and healthcare sectors within the US. The group’s approach is largely opportunistic, exploiting the opportunities created by organizations without multi-factor authentication (MFA). Medusa is likely financially motivated, targeting critical systems to disrupt essential operations and increase the likelihood that organizations will pay the ransom to regain functionality.

Attack Lifecycle

The impacted organization’s business model hinges on supplying its customers with infrastructure designed to ensure minimal downtime. As a result, this has led to a “flat” network architecture with fragmented domains and devices, making patching and maintenance challenging. The organization faced difficulties in deploying a consistent set of tools and controls across its network because several components had reached their end-of-life. This situation created visibility gaps and heightened the complexity of mitigating the attack.

Initial Access

ReliaQuest’s collaboration with the impacted organization and its digital forensics and incident response (DFIR) partner indicated that the adversary may have gained initial access via the organization’s VPN. In early April 2024, an anomalous session from the Russian IP address 178.208.87.250 used a domain account belonging to a customer of the impacted organization. This session was assigned an internal IP within a small legacy subnet used for customer VPN access. We discovered that the threat actor established follow-up sessions over subsequent weeks but could not identify all the ways in which the attacker abused this access due to our limited visibility. Consequently, we could not determine whether access to this account resulted from credentials obtained through external attacks like brute forcing.

Mitigation: Robust Security Controls for External Accounts

External accounts like VPN or cloud (e.g. Azure) are frequent targets of attacks like brute forcing, phishing, or social engineering. To reduce the risk of compromise, these accounts should always use security controls like MFA or device authentication. External services should also undergo regular audits to ensure only expected accounts are enabled for external access. Our team has observed cases where temporary accounts (created by vendors or customers), default accounts, and accounts meant to be disabled are sometimes overlooked, leading to unauthorized access. These external portals should use applicable controls to reduce their attack surface, such as disabling WebVPN access if it is not needed, or geoblocking unauthorized locations. Additionally, management console portals and access (e.g., SSH) should also be limited to internal access only.

Discovery

Further investigation revealed that the threat actor initiated a VPN session at the beginning of April. Within an hour of establishing the session, the assigned VPN address was observed with firewall traffic resembling port scanning. This indicates an attempt from the threat actor to gain insight into the environment and accessible resources. Security researchers have reported that Medusa uses tools like Netscan for discovery actions, which offer features like pinging, port scanning, network share discovery, and retrieval of information from network devices. Overall, this traffic was observed over several hours and targeted multiple different destinations.

Mitigation: Comprehensive Network Based Controls

Organizations should adopt a preventive strategy for external accounts connecting to their environment, especially in the case of VPN-enabled accounts. Implementing network segmentation can limit the resources accessible to VPN-connected devices and appropriately segment critical systems and sensitive data as needed. Authorize only a subset of accounts and/or devices to communicate with critical systems. This should limit some of the information retrieved through discovery actions and reduce the likelihood of follow-up actions such as lateral movement.

Credential Access

The investigation also identified two attempts to harvest credentials within a day of the threat actor establishing their first VPN session in early April. The first attempt involved LSASS dumping, which originated from a VPN-assigned internal IP address. Their second attempt involved NTDS dumping on a domain controller via PowerShell on the same day.

powershell.exe ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' qq

The command creates a full snapshot of the Active Directory (AD) database and copies the SYSTEM and SECURITY registry hives to the TEMP directory. The contained password hashes can later be extracted by the threat actor. Through our available visibility, our team did not observe additional activity following the early discovery and credential dumping in April. However, in May, there was an additional LSASS dump via comsvcs.dll.

%COMSPEC% /Q /c CMD.EXe /Q /c for /f "tokens ("tasklist /fi "Imagename eq lsass.exe" | find "lsass*) do rundll32.exe B I U C: \windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\rMx3.sav full

This command contains some syntax errors, possibly due to the method used to extract this data. However, from the readable portions we can identify an attempt to query the running processes for LSASS and dumping of in-memory credentials via comsvcs.dll.

Credential dumping of the Active Directory (AD) database and in-memory credentials may indicate an effort to capture all types of credentials. These attempts might also accomplish different goals at the time of execution. NTDS dumping would provide a comprehensive snapshot of the AD database that the threat actor could reference later. On the other hand, LSASS dumping can provide some plaintext passwords, NTLM hashes, or Kerberos tickets for quick access and use. Additionally, the LSASS dump could also potentially contain credentials for some accounts not found in the AD database snapshot.

Our team also believes that due to the impacted organization using different fragmented domains, this influenced the threat actor to attempt dumping credentials again after a month.

From our available visibility, early activity after initial access was limited to discovery and credential gathering actions. A change in behavior was not seen until June, which might indicate that an initial access broker had gained access to the environment and then sold it to the Medusa ransomware group—or an affiliate linked to the group—who conducted further malicious activity. This is congruent with intelligence on the group, but this could not be confirmed due to the limited data points available prior to the activity in June.

Mitigation: Endpoint and LSASS Protection

Critical systems should be equipped with EDR tool monitoring and any additional security measures to identify and block attempts to dump credentials. EDR software has built-in policies and watchlists that can mitigate these attempts, and these can be further enhanced with custom policies. Other options like Credential Guard and LSA protection should also be considered to further enhance security controls. These options provide some mitigations in attempt to stop code injection and unauthorized access to sensitive information.

Lateral Movement and Command-and-Control

Although the limited logging prevented a mapping of complete attack path, we confirmed lateral movement via type 10 logons (RDP) leveraging a compromised admin account at the beginning of June. The RDP connection sourced from a domain controller and leveraged an account with the same name but from a different domain, suggesting possible domain hopping. Only RDP was observed for lateral movement, and the threat actor used the same accounts across different domains.

Within a few minutes of the RDP connection, the threat actor installed AnyDesk on the target server.

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Our team believes this to be a redundant form of command-and-control (C2) infrastructure, aimed at maintaining access as the threat actor positioned themselves for encryption. This conclusion was drawn after reviewing exported Windows System logs, which showed service installations dating back to mid-May for the SimpleHelp RMM tool on the same host.

C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe

Mitigation: Comprehensive Network Based Controls

Network segmentation and limiting connections to critical systems from a subset of hosts should reduce attack surface for both the discovery and lateral movement stages of incidents. Not all accounts should have RDP access, and this functionality should be disabled if not operationally necessary. For instance, service accounts should be configured to disallow interactive logons and can be strong candidates for removing RDP capabilities.

Mitigation: Least Privilege and Application Allow Lists

Organizations should apply the principle of least privilege to restrict regular users from installing unauthorized applications. Allow-list solutions like AppLocker can further limit software installations to approved applications only, enabling enhanced monitoring on non-approved software.

Impact

On the same day as the AnyDesk installation, we observed the installation of the service “PDQInventory-Scanner-1” on multiple hosts using a compromised admin account. PDQ is a commercial tool for deployment and inventory management. When abused, it allows threat actors to efficiently push out and execute scripts or payloads on multiple target computers. Multiple security researchers have linked the tool to the Medusa ransomware group.

image

Within an hour of the PDQInventory installations, we detected ransomware deployment activity. This included PDQDeploy logons to target hosts and blocked antivirus detections for the file “gaze.exe,” which had a Medusa-related signature.

We subsequently detected the file “igJTf.sys” in the path “C:\WINDOWS\TEMP\,” indicating the use of a malicious driver. The threat actor highly likely dropped this file to install as a kernel-level driver, aiming to unhook the antivirus software installed across the domain. This assessment is supported by the subsequent successful encryptor deployment on those hosts. We recently observed a similar attack path in a double extortion case.

The ransom note “!!!READ_ME_MEDUSA!!!.txt” was written on impacted hosts.

Mitigation: Disaster Prevention and Recovery Playbooks

Organizations should adopt proactive measures to ensure operational continuity in the event of impact. This includes maintaining data backups (Cold, Warm, Hot sites), having response playbooks, and establishing solid communication plans to ensure teams are prepared. Additionally, hosts with critical data should employ robust security measures, such as EDR protection and driver management, to limit attack surfaces.

Conclusion

Our investigation into the Medusa ransomware attack revealed a series of common TTPs. Initial access was gained via a compromised VPN account, credential dumping was performed via PowerShell and comsvcs.dll, and lateral movement was executed using RDP. Although these techniques are not particularly novel, they underscore the importance of maintaining robust cybersecurity defenses and configurations.

In this instance, proper VPN configuration, enhanced endpoint visibility, and automated response mechanisms could have significantly mitigated the impact of the attack. For companies that grow through mergers and acquisitions or operate in shared infrastructure environments, visibility into all assets and networks is especially crucial. Enhanced visibility helps identify potential vulnerabilities and ensures that security measures are consistently applied across newly integrated or shared systems.

By implementing the appropriate security measures and ensuring comprehensive monitoring, organizations can detect and thwart straightforward TTPs like those used by Medusa. The steps outlined in this report provide actionable recommendations that can help prevent similar attacks in the future. Ensuring that defenses are in place and properly configured can minimize or even prevent the impact of such ransomware attacks, safeguarding your organization from significant harm.