Every time somebody pays a ransom, it fuels the ransomware industry. Ransomware has two components. One component is to get inside of your computer, and that's the real trick for ransomware to work. Oftentimes ransomware will simply rely upon social engineering. Social engineering has to be taken seriously in every organization.
So hey everyone, I'm Yaniv Hoffman, back with another video, and today I'm joined once again by Occupy the Web. Welcome. Thank you. Thank you, Yaniv.
It's always an honor to be asked to be back on your show. Likewise, and today we are going to talk about the Medusa ransomware, which has recently made a comeback, I must say, and is targeting organizations around the world. If you are not familiar with this term Medusa, it's named after the mythical Greek creature Medusa, known for turning people to stone with a single glance. Occupy the Web will speak more about the ransomware. I'm not sure it's turning people to stone here. It might be turning their computers to stone.
Exactly. It's locking down their system and making them pay ransoms. But you know what, Occupy the Web, let's jump right in and please break it down for us so more people will be aware of the ransomware process, about Medusa in particular, what's different, and I'm sure it will be insightful as always with you. Thank you, Yaniv. Well, let's talk about ransomware in general first of all.
I mean, a lot of people hear the term, and it's probably among the most malicious types of malware in the world right now. I mean, it started off many years ago, and it mostly targeted home users, and they would go in and basically encrypt the home user's family photos or what have you, and they'd ask for a hundred dollars or three hundred dollars in ransom. Eventually, over the years, they have learned that it's better to target, or is this more lucrative? Let's put it that way. Better, more lucrative to target big companies and basically encrypt their data and hold their data hostage for ransom. In some cases they can pull off ransoms in the 10, 20, 50 million dollar range, and every time somebody pays a ransom to the ransomware actors, it just fuels the ransomware industry. I think you and I talked about that at the beginning of the year. We talked about some of the threats that we expected in 2025, and this is one of them that we discussed: ransomware. Ransomware continues to be a significant problem just because it's so successful, and any malware that's successful and brings in a lot of money is going to keep on growing.
Medusa is just one of the better ransomwares in the world, better, let's say maybe most innovative ransomwares out there, and we'll talk about some of the features that make it so innovative, but first I think I want to at least break down what ransomware really is. It's actually pretty simple. Basically, ransomware has two components. One component is to get inside of your computer. That's the primary component, and that's the real trick for ransomware to work, is to get inside of your computer, and that's not always that easy to do, but oftentimes ransomware will simply rely upon social engineering, which goes to what I have said many times, that social engineering has to be taken seriously in every organization.
Whether you're a penetration tester, hacker, or you're a defender, take social engineering seriously, because 80 percent and more of the attacks that are going to be successful against your organization are going to have an element of social engineering, and you know, this is not a script kiddie type of thing. This is sophisticated social engineering to get somebody's credentials, or to search the web, the dark web, for credentials, and there are places where people can get credentials, and of course they can trick people into giving up credentials. They can send people links and documents that will give them control of that system. So that's the first element, right, is to get inside the computer, mostly with social engineering; sometimes it's a little more sophisticated, especially when we talk about some of these industrial control systems which Medusa is hitting. That's one of the reasons I wanted to talk about it, because Medusa is hitting a lot of these industrial systems, and as a result they're generating a lot of income.
So the first element is getting inside the computer; that's often social engineering, sometimes it's more sophisticated attacks, but still, that's the first step. The second step is, once they're inside your computer, the first thing they do is they go and say, okay, what storage devices are on this machine? They simply do a scan. Think of it as like an nmap scan. They just go out and scan for all of your storage devices, your hard drive, thumb drive, what have you, and they put that into a variable, right, whether it be A, C, D, whatever it happens to be, or if you're using Linux, you know, sda, sdb. So once they know what your storage devices are, the next thing they do is they start scanning for particular file extensions, all right, things that end in .sql, things that end in .docx, and things that end in whatever they're particularly targeting. It might be video, it might be a database, it might be emails, and so what they do is they search for all those. You know, we all know that they all have different extensions, so we can usually identify the type of file by the extension.
We also know that the extensions don't define the file, right? It's really the header that does, but most of this software will look at extensions; it's a quick and easy way to determine the type of files on the system. And then once it does that, it then goes out and encrypts them, all right? So just like when you encrypt your hard drive or you encrypt your thumb drive or you encrypt your database, that's what they do. They encrypt, and since they're the only one who has the password, and the password is relatively complex and difficult to crack, most companies are left with having to pay the ransom. Basically, they're almost always using AES, a version of AES. We all know that AES is the worldwide standard for good, strong encryption, and so they're using that with a very complex password, so it makes it really, really hard to break, right? This particular piece of software, one of the things that makes it unique, okay, is that first of all it's ransomware as a service. Okay, if you're not familiar with this: on the dark web, okay, there are these ransomware gangs, these malware gangs, these cyber gangs, whatever you want to call them, who basically advertise their products that you can buy or rent, right? So just like you might have an Office 365 account with Microsoft and you just use their system, you don't actually have it on your system, or for instance Google Docs or something like that, this is what ransomware as a service does. Simply, what they do is they say, okay, for a price you can use our malware, right, and we'll teach you how to use it, right, and then we will take a percentage. Okay, they'll sell it, usually they'll rent it, and they'll sometimes take a commission. So here's the amount you have to pay up front, and then we will take 25 percent of all the ransom, 50 percent of the ransom, and this is so they don't get their hands dirty, right? The developers don't get their hands dirty; they simply allow other people to
do the dirty work of actually going in and trying to compromise systems and then encrypt the data, and then they handle the ransom part, right? And that ransom key, they use RSA, if I remember correctly, to be able to exchange the password so that it can't be decrypted either. Okay, as we know, RSA can be decrypted; it takes a lot of computing power, so for the most part it's not breakable, right? It takes a lot of computing power, so nation states have the computing power to do it, but the rest of the world does not. And so these ransomware-as-a-service gangs are offering their services for a hundred bucks, sometimes a million bucks, dependent upon who the customer is, and then these individuals go out and try to get it onto a company. That's mostly what they're targeting: big companies like hospitals, manufacturing facilities, people who have a lot of money. They might even have cybersecurity insurance, okay? That's one of the targets, right, because now companies are getting cybersecurity insurance, so if you know that this company has cybersecurity insurance, then you know there's somebody going to be there to pay the ransom. You know, they might have insurance up to five million dollars, so they know that if they go into the system, the insurance company is probably going to pay them five million dollars or whatever the amount happens to be. In some cases this is 50 million dollars, a lot of money. So even though we have cybersecurity insurance to make us all safer, in some ways it's making us less safe, because the insurance companies are paying the ransoms, and the ransoms fuel the ransomware industry. So if nobody paid a ransom, right, then there wouldn't be an industry, because there'd be no money for it, but the cybersecurity insurance companies are paying the ransom many times, and the individual companies are now... I can understand why somebody would want to pay the ransom, because if you're a hospital, for instance, you can't just go on with your
operations without your data, right? If you're a manufacturing facility, you're making automobiles, you need your data to be able to keep your business running, and having your business down for days, weeks, months is costing millions of dollars. To bring in an incident response team with the necessary skills and capabilities to mitigate this situation, a ransomware strike, can cost millions of dollars as well. So the company says, well, you know, I'm going to have to pay millions of dollars to mitigate it, right, and yeah, I'm going to lose millions of dollars by my company being down, and the insurance company is willing to pay five million dollars. They pay it, and they get their data back, and away they go, right? Yeah. So there are a lot of things that make this unique, okay? One of them is the ransomware as a service, right? There's also a number of sophisticated evasion techniques that it uses, using PowerShell. So once it's inside your system, you can then use PowerShell to be able to make changes to the system, make changes to the firewall, and be able to take down your endpoint defense, right? And so this one does it, and it does it pretty well. It's able to then move laterally through the network, all right? So oftentimes in a company the weakest link in their network is going to be some end user somewhere on the network, and so if they get compromised, then that attacker is not where they want to be, right? They really want to be on the system administrator's machine, or they want to be on the database, right, because that's where the goods are at, right? And so they have to move laterally through the network to be able to find that database, right? And so they'll go out and they'll start scanning for, like, port 1433, or 3306 for MySQL, and they'll have all the known ports that they'll go ahead and scan for, and then they'll find that machine, and then they'll laterally move, okay, through the network to that machine and then take it
over. Oftentimes they'll use RDP to be able to control the system, open up RDP on the system. Once they open up RDP... for those of you who don't know, RDP is Remote Desktop, okay? It's a protocol that allows, say, the help desk or some other tech support to be able to take control of the system, and if the attacker can open that up, okay, then what will happen is that the attacker will always have access to your system through RDP, right? And so that's one of the things that this particular software tries to do. It then goes ahead and, you know, once it gets inside and it's gone ahead and encrypted all the data, it'll then go ahead and exfiltrate the data, okay? So exfiltrate means basically take it out, right, to move it from your machine to theirs; of course, it's just making a copy of it. And with that exfiltration they will also use that as leverage to get the ransom paid, because they'll take out key and confidential information and they'll say, if you don't pay us, then not only are you not going to have your data, but we're going to have your data and we're going to publish it on the dark web. So, you know, it's bad news either way, right? And so the strength of that argument, from a company perspective, is that companies who are very ransomware-aware, cybersecurity-aware, know that the best defense against ransomware is simply to have backups, right? To have backups so that if your data gets encrypted and you don't have access to it, you just restore the data. But by them exfiltrating your data, and they have copies of your data, the backups, yes, are good, but they still have your data, and if there's confidential information in there that you don't want the world to know, like intellectual property, emails, what have you, PII, personally identifiable information, then it could be just as damaging for them to release the data. Even though you've recovered your data, they have it too, and they can release it and cause serious damage to your business, okay? And so there's lots of unique indicators, not
unique features of this particular piece of software. There's some good information on it on Hackers-Arise; we wrote an article on it, and cisa.gov has a good article on this if you're interested, and a couple of other cybersecurity companies have done some good work on this. But it's one of those pieces of software that every once in a while you go, you know, you don't have to admire the attacker to admire their work, okay? So you can go, wow, somebody did a good job putting this together, right? And so somebody one time asked me, like, well, how do you feel about people who encrypt businesses and take ransoms? I'm like, oh, well, you know, I'm really focused on how they did it and how to stop them. I don't get involved in their particular ethics, right? My job is to understand how they did it and then also how I can stop it. So in this case they've done some hospitals and others that, you know, you have to question whether or not that's... the particular ethics of that. But for me, I'm focused on how they did it, and when I look at how they did it, I'm really kind of fascinated by what these guys did, and as such I think that your viewers and listeners should be very aware of this as a significant threat to their organizations, right? And so, one, you have to be aware most of it's being propagated through social engineering, so that's one of the things you have to guard against, but of course also you have to make sure that you have timely backups so you can restore your data if you need to. But remember, in this case they exfiltrate your data, and they're encrypting it on the way out the door, so your IDS or other endpoint detection system may not see it, because it's all encrypted, right? Yeah, yeah. And so anyway, it's got a lot of really interesting features, right, and RDP is one of those interesting features. We've seen that before in other ransomware. It also uses something called Mimikatz. Mimikatz is a tool that some
of you have seen around. It's built into Metasploit, it's available for download, and it's a tool that basically extracts credentials out of RAM, okay? It extracts credentials out of a running system, out of the RAM, all right, and once you have compromised the system, it can go in and get the credentials for you. Yeah, and we've done a number of Chinese malware also; the Chinese have been using Mimikatz as well. Of course, that's a commonly used tool both in pen testing and in hacking in general. And then of course they finally come up with a ransomware note, right, and it gives the user 48 hours, okay, to be able to respond, and if you don't respond and pay, they increase the ransom by ten thousand dollars a day. So they have a countdown timer; it just keeps on getting higher and higher. And even giving you an ultimatum that if you are not paying, if you will not pay in a few days, they will leak the data or sell the data. Exactly. This is one of the things that we have to think about. In general, what we've done with ransomware is we've said, okay, let's just keep a good backup, right, which is just good practice, right? But in this case here, if they exfiltrate the data, then even if you restore your own system, they still have your data. Yeah. And sometimes that can be really damaging to an organization, and it can be damaging to the reputation of the organization. One of the things that companies hate is to be in the news for being hacked, right? And if you are trusting your data, your company, to a particular company and they get hacked, it makes you think twice about whether you want to continue to do business with them, right, because you want to use their software, their machines, their gateways, their VPNs, and so this can be really damaging to the business of these software companies. Okay, by the way, I have a few questions. One, I know that Medusa has been known to use, like, double extortion. Can you explain what that means for the victims? Well,
basically it's what we're talking about, right? And so there's two extortions. One of them is you pay us to decrypt your data, okay, and one is that you pay us to not release your data, and so that's the double extortion. We've been seeing more of that in recent years. The early ransomware, you didn't see that, and now most of the attackers are trying to do double extortion, because they've learned that if the target has good backups, they're not going to pay the ransom, right? They'll just restore the data. In this case they have double extortion, so if you don't pay, good, you got your own data, you restored it, but we still have your data too. That means that we will release it and we will embarrass you, and we'll release confidential information that might be in your emails, in your database, what have you. What do you think... you know, we spoke about how it's propagated or delivered, you know, from phishing or different vulnerabilities of course that the attackers can exploit. What makes Medusa, in your view, different from other major ransomware families like LockBit, or Conti in the past, or REvil? The reason it has really come onto my radar is because this is being used against industrial control systems. That's one of the things that we do at Hackers-Arise; one of our foci is on industrial systems, because very few people recognize that industrial systems run our entire world, right? Everything that is built and made in our industrial society, whether it be automobiles, whether it be oil refineries, power generation, power transmission, pharmaceuticals, all that stuff is controlled by industrial control systems, which are made up of hundreds of programmable logic controllers, just little computers, all right, that control all of the motion, all of the mixing, all of the sensors, all of the switches. And so these systems are particularly vulnerable, I think, okay? I think we can make a good case that they're particularly vulnerable
because they haven't really been a target for attackers, because they're different than your typical TCP/IP-based system, and they use different protocols, they use different programming, okay? Some of them have been around for a long, long time. Oftentimes you'll see a lot of default credentials being used in this industry. Matter of fact, I just saw one just the other day, yeah, a company that had default credentials still on their system, and if I wanted to, I could have just shut the whole company down, right? And that's not unusual. And so anyways, this is why I'm particularly concerned about Medusa. Medusa is ransomware as a service, which is concerning, right, because that means you have more actors using a sophisticated piece of software. Generally, sophisticated software is only used by sophisticated actors; here you have sophisticated software being used by less sophisticated actors, some of them who just have a hundred dollars or a thousand dollars they can buy it with, and then they can use that to do a social engineering campaign against hundreds of companies. I guess in this case here Medusa has been successful in over 300 companies that we know of, right? And you know, when we're talking about ransoms that are in the millions of dollars, 300 companies is significant. Yeah. And if these guys are sending out emails with attachments and links, all it takes is one person in your organization, and your whole company could be down, right? One of the things that is different also about industrial systems is that generally, when we talk about most of our computer systems, we're trying to protect data, so whether it be a database or emails, what have you, we're protecting the data. In industrial systems we're protecting the process. The process. So whether or not they get the data, if they lock up the data, the process is broken, right? The process is broken. Yeah. And in some cases processes take days and weeks to restart; they don't just flip a switch,
right? We know that, for instance, oil refineries only shut down once a year for maintenance, right? Why do they do that? Because it takes so long to be able to reset the system and get it all set up and running again. So ransomware in that type of environment could be really damaging, because it'll cause the plant to shut down, right? You don't just flip a switch to turn it back on, and these guys are targeting a lot of these types of facilities and have been successful. You know, one of the things that we don't think about also is that a lot of hospitals are run by these PLCs as well. The hospitals, and this is what they've hit. So the hospitals have security systems, they have locks on their doors; these are all run by PLCs, these are industrial systems, and so when they can get inside these systems they can do significant damage to a hospital system. And hospitals in particular are very vulnerable, one because they have an urgency of mission, right? They have to have their data; people die, right? And so, you know, unlike maybe some other organizations that can say, I could be down for a week and be okay, yeah, the hospital can't do that, right? It has to be running, otherwise people die, and so they're very vulnerable to paying these ransoms. Yeah. So we've seen a lot of that; we've seen a lot of this Medusa going into hospitals and encrypting their data and getting paid well to do so. Definitely, we see more and more, you know, besides government, indeed the healthcare industry that is being attacked, either by ransomware or by DDoS attacks also, and gaining a lot of visibility on that. We might remember that there was a problem a few years ago, like three or four years ago, the Colonial Pipeline. Yes, yes. Well, that was a major gas pipeline between the Gulf of Mexico and up to the Northeast, the population centers of the northeast United States, and they got hit with ransomware back then, and they were down for a significant period of
time, and what happened is there ended up being major gasoline shortages in some major cities in the U.S. So this was just a pipeline company, and they got hit with ransomware. As a matter of fact, they did pay five million dollars, but the FBI was able to recover some of that, right? And this raises one of the important points that I want to make here, is that it is possible, it is possible to recover cryptocurrencies, and a lot of people think that it's anonymous, but it can be done. It's just expensive and time consuming, right? It's expensive and time consuming, but it can be done. We had a class a couple of years ago on how to trace cryptocurrencies. This is something, by the way, that many of the viewers are asking about, so maybe it's a good topic to do a video about. Okay, yes, let's put it on our agenda, put it on the list. A good ransomware actor, okay, a cyber criminal, is going to send that ransom through multiple wallets and mixers along the way, and that's what makes it more difficult. It can be traced; it just makes it more difficult. Like, for instance, you may have seen the Bybit attack, yeah, and that was apparently a North Korean state-sponsored one. One and a half billion dollars they stole of cryptocurrency from, I think it was a Dubai-based exchange, and as you trace it you can see where the crypto is going, but they broke it into so many pieces, sent it through so many wallets, so many mixers, that it becomes really difficult to trace. But it can be done, and this is where there are automated tools that can do this, right, but you can do it manually; it's very time consuming. Luckily for the clients, this Bybit exchange had enough backup to pay everyone back, right? It didn't collapse. A billion... apparently they have a lot of money if they could pay one and a half billion dollars. Somebody is making some money over there. Definitely, it's a big business. So, OTW, thanks for walking us through
how ransomware works and what sets Medusa apart. I think it's been really insightful to understand how this strain goes beyond just encrypting files, especially its focus on industrial systems, as you spoke about, and the double extortion tactics, and so I appreciate you breaking it down in a way that anyone can follow. And for those of you that like our content together, we are planning more videos, more on hacking IP cameras, maybe we'll do something on cryptocurrency; we have so many topics to do together, so keep watching. Follow Occupy the Web, the community, Hackers-Arise, everything, his books, and all of the links are in the description and on screen, as we spoke throughout the video. Thanks again so much, OTW, and I hope to speak to you very soon. Thanks, Yaniv. Let's get together soon and do a few more videos together. Thank you very much, and everyone, thank you so much. Hope you loved the video, and see you in the next one.
2025-04-19 13:11