Medusa Ransomware Group Commits OPSEC Failure
This breach revealed the email address associated with the group as well as data stolen from numerous victims.
Alan J July 31, 2024
Researchers uncovered a critical operational security (OPSEC) failure by the Medusa Ransomware Group, allowing them to access the group’s cloud storage, revealing a trove of exfiltrated data from various victims.
The incident came to light during a ransomware response operation. Investigators found that Medusa had used Rclone, a popular data transfer tool, to move stolen information to their cloud account. Unlike many ransomware groups that prefer mega.nz or mega.io, Medusa opted for put.io as their storage platform.
Medusa Ransomware OPSEC Failure
The MEDUSA ransomware group had first come to the attention of security researchers in June 2021 after targeting several countries across different industries, including healthcare, education, manufacturing, and retail.
Exposed Rclone locations used by Medusa Ransomware (Source: darkatlas.io)
The threat actors’ mistake was leaving behind a configuration file after dropping rclone.exe in the C:\Windows\AppCompat directory. This file contained the put.io token, which typically requires additional credentials for full access. Rclone, which supports integration with over 70 cloud providers, is seeing increased use among ransomware groups.
However, the Dark Atlas Squad discovered they could authenticate using only this token. By employing Burp Suite to replace their own token with Medusa’s, they gained complete access to the group’s cloud repositories.
This breach revealed the email address associated with Medusa’s account: . More importantly, it exposed data stolen from numerous victims, including the Kansas City Area Transportation Authority.
Recovery and Prevention
Acting swiftly, the team developed a Python script to automate the recovery of stolen data. They created zip files and downloaded them, racing against time to complete the task before Medusa could detect the intrusion.
The researchers then began deleting sensitive files belonging to victims and reached out to as many affected parties as possible to assist with recovery.
To help prevent future incidents, the security research team created a Sigma rule designed to detect DNS queries related to put.io within networks. This rule, while potentially generating false positives from legitimate put.io usage, serves as a valuable tool for identifying suspicious activity.
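The article does not reproduce the Dark Atlas Sigma rule, so the following is an added example, not the team's rule or any code from the page. It sketches what such a rule looks like in Sigma's structure, applies it to a few constructed Sysmon Event ID 22 (DNS query) style records, and shows the two caveats a defender would want: matching `put.io` without also catching unrelated domains that merely end in the same letters (such as `input.io`), and separating the likely false positive from a browser from the higher-priority hit where the querying process is `rclone.exe`. The rule body, the sample records and the `rclone.exe` heuristic are assumptions; the matcher understands only the `endswith` and `contains` modifiers and `or`-joined selections, a small subset of Sigma.

```python
"""Minimal Sigma-style detector for DNS queries to put.io.

Assumptions: the rule below is written by the editor in Sigma's layout (it is
not the Dark Atlas rule), and the sample events are constructed, not real logs.
"""

# Assumed rule: two selections so that "input.io" does not match "put.io".
PUT_IO_DNS_RULE = {
    "title": "DNS query to put.io (possible Rclone exfiltration channel)",
    "logsource": {"category": "dns_query", "product": "windows"},
    "detection": {
        "domain_exact": {"QueryName": "put.io"},
        "domain_sub": {"QueryName|endswith": ".put.io"},
        "condition": "domain_exact or domain_sub",
    },
    "falsepositives": ["Legitimate put.io use from a browser"],
}

# Constructed Sysmon Event ID 22 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "FILESRV01", "QueryName": "api.put.io",
     "Image": "C:\\Windows\\AppCompat\\rclone.exe"},
    {"EventID": 22, "Computer": "WS-ALICE", "QueryName": "put.io",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"EventID": 22, "Computer": "WS-ALICE", "QueryName": "ctldl.windowsupdate.com",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 22, "Computer": "WS-BOB", "QueryName": "cdn.input.io",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"EventID": 22, "Computer": "WS-BOB", "QueryName": "upload.put.io",
     "Image": "C:\\Users\\bob\\Downloads\\rclone.exe"},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry of a Sigma selection."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = [expected] if isinstance(expected, str) else expected
    for item in candidates:
        item = str(item).lower()
        if modifier == "endswith" and value.endswith(item):
            return True
        if modifier == "contains" and item in value:
            return True
        if modifier == "" and value == item:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection map must match (Sigma AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate_rule(rule, events):
    """Return the events matching the rule; supports 'sel_a or sel_b' conditions only."""
    detection = rule["detection"]
    names = [n.strip() for n in detection["condition"].split(" or ")]
    return [e for e in events
            if any(selection_matches(e, detection[n]) for n in names)]


def _image_basename(path):
    # Windows paths in the log; do not rely on os.path on a Linux analysis box.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def prioritize(hits):
    """Assumed triage heuristic: a put.io lookup from rclone.exe outranks one
    from a browser, which is the expected source of benign put.io traffic."""
    tagged = []
    for event in hits:
        severity = "high" if _image_basename(event.get("Image", "")) == "rclone.exe" else "review"
        tagged.append((severity, event))
    return tagged


if __name__ == "__main__":
    for severity, event in prioritize(evaluate_rule(PUT_IO_DNS_RULE, SAMPLE_EVENTS)):
        print(f"{severity:6} {event['Computer']:10} {event['QueryName']:16} {event['Image']}")
```

Run as-is it prints three hits: the two `rclone.exe` lookups tagged `high` and the Firefox lookup tagged `review`; the `cdn.input.io` query is correctly left out, which a naive `endswith: put.io` would not do.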
As ransomware groups continue to evolve their tactics, this incident highlights the potential for turning attackers’ mistakes into opportunities for defense and recovery.
Earlier in June 2024, the ransomware group demanded bounties of US $120,000 from Fitzgerald, DePietro & Wojnas CPAs, P.C and $100,000 from Tri-City College Prep High School to prevent publicizing stolen data from these institutions.