Medusa Ransomware Continues Attacks on US School Districts



The SonicWall Capture Labs threat research team has been tracking ransomware that has gained recent notoriety known as Medusa. Medusa surfaced as a Ransomware-as-a-Service (RaaS) platform in late 2022. The group behind Medusa predominantly propagates this malware through unpatched vulnerabilities and directs their attacks on various industry sectors such as technology, education, manufacturing, healthcare and retail. Most attacks have occurred in the United States, but other countries such as the U.K., France, Italy, Spain and India have been affected by this ransomware over the last year. The copy of Medusa we obtained was aimed at the Glendale Unified School District in California. It is reported that the attackers demanded $1M in Bitcoin for file retrieval and deletion of exfiltrated student data. Glendale is not the only school district to be targeted. Hinsdale School District in New Hampshire, and the Campbell County Schools in Kentucky are also reported to have been recently hit by Medusa ransomware.

Infection Cycle

As is typical with ransomware, files are immediately encrypted at runtime. They are marked with a .MEDUSA file extension. During encryption, a file named READ_ME_MEDUSA!!!.txt is dropped into the corresponding directories:

READ_ME_MEDUSA!!!.txt contains the following message:

We tried accessing the tOr link using tOr browser, but the site was not fully functional:

Running the malware normally yields no text output.  However, running it within our reverse engineering analysis engine allowed us to view its internal PowerShell script running in real-time as it performed various malicious operations:

Spying on API calls used by the malware during its operation allows us to inspect its behavior in real-time. There are 44 applications that it attempts to kill if running:

There are 184 services that it tries to stop. These include various antivirus services, databases, backup services, email servers etc.

It also stops shadow copies, using the vssadmin application:

We tried reaching out to the Proton Mail email address provided, but it was no longer active:

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Medusa.RSM_4(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.