
Two More Victims Added To The List!


In the latest series of cyber attacks, the notorious MEDUSA ransomware group has targeted two prominent companies and is now demanding hefty ransoms for the release of encrypted data. The victims of these attacks are Karam Chand Thapar & Bros. (Coal Sales) Ltd, based in India, and Windak Group. This development adds to the growing threat of the MEDUSA ransomware group, as they continue to add victims to their dark web portal.

The attacks on Karam Chand Thapar & Bros. and Windak Group were listed on the MEDUSA ransomware group’s dark web portal, where the group regularly posts updates on its latest victims. This has become a routine practice for the group in recent weeks, as it has claimed numerous companies in its ransomware attacks. The addition of these two companies to the list is further evidence of the expanding reach and impact of the MEDUSA ransomware group.

Windak Group, a cable packaging equipment manufacturer based in Sweden, has been targeted with a ransom amount of $100,000. The threat actors have given a deadline of 9 days, 23 hours, 20 minutes, and 3 seconds for the payment. Meanwhile, Karam Chand Thapar & Bros., a flagship company of the KCT Group in India, has been targeted with a ransom of $200,000. The deadline for payment in this case is 9 days, 22 hours, 57 minutes, and 50 seconds.

The Cyber Express, a cybersecurity news outlet, has begun efforts to verify these claims. It has reached out to both companies for official responses but had not received any at the time of writing. The websites of the targeted companies also appear to be operational, with no visible signs of the cyber attack on their front end, which adds to the uncertainty around the claims.

This pattern follows the approach the MEDUSA ransomware group has used in previous incidents: the group announces its victims on its dark web portal, a method it has used repeatedly to assert its claims. This has become the group's established modus operandi for publicising its attacks.

The MEDUSA ransomware group, known for its MedusaLocker Ransomware, emerged in September 2019 and primarily targets Windows machines through spam campaigns. The ransomware exhibits unique behavior by booting up in safe mode before encryption, using BAT files and PowerShell depending on the variant. The latest variant alters the Bootmgr extension, resulting in an error during boot-up.

Operating under a ransomware-as-a-service (RaaS) business model, the Medusa ransomware group focuses primarily on healthcare, education, and enterprises that handle substantial volumes of personal information. It employs a double extortion tactic, stealing victim data before encryption and threatening to sell or publish it if the ransom is not paid. For initial access, the group exploits exposed or vulnerable Remote Desktop Protocol (RDP) services and runs deceptive phishing campaigns. Once inside a system, it uses PowerShell for command execution and systematically erases shadow copy backups to hinder data restoration.
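Two of the behaviours described above, the safe-mode boot before encryption and the erasure of shadow copy backups, both leave traces in Windows process-creation telemetry (Sysmon Event ID 1 or Security event 4688). The following detection sketch is an added example written for this article, not code from the article's author or from any vendor; it runs a few command-line rules over a constructed batch of events (host names, parents and command lines are invented) and ranks hosts where backup destruction and a safe-mode boot change appear together, since that combination matches the sequence the article attributes to the group.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Hosts, parents and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\report.txt"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "parent": "powershell.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "ws03", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "ws03", "parent": "cmd.exe",
     "cmdline": "powershell -nop -w hidden Get-WmiObject Win32_Shadowcopy "
                "| ForEach-Object { $_.Delete() }"},
    {"host": "ws04", "parent": "explorer.exe",
     "cmdline": "bcdedit /enum"},   # benign: reads boot config, changes nothing
]

# Detection rules: (name, compiled pattern, the behaviour from the article it maps to).
# Patterns are case-insensitive because attackers vary casing freely on Windows.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
     "shadow copy backups erased to hinder restoration"),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
     "shadow copy backups erased to hinder restoration"),
    ("shadow_copy_delete_powershell",
     re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I),
     "shadow copy backups erased via PowerShell"),
    ("safe_mode_boot_config",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
     "boot configuration changed so the machine starts in safe mode"),
]


def detect(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, pattern, meaning in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({
                    "host": ev["host"],
                    "rule": name,
                    "parent": ev["parent"],
                    "cmdline": ev["cmdline"],
                    "meaning": meaning,
                })
    return alerts


def hosts_by_severity(alerts):
    """Rank hosts: a host that both destroys backups and reconfigures the boot
    into safe mode matches the full pre-encryption sequence and is 'critical';
    a host hitting only one kind of rule is 'high'."""
    rules_per_host = defaultdict(set)
    for a in alerts:
        rules_per_host[a["host"]].add(a["rule"])
    severity = {}
    for host, rules in rules_per_host.items():
        destroys_backups = any(r.startswith("shadow_copy_delete") for r in rules)
        safe_mode = "safe_mode_boot_config" in rules
        severity[host] = "critical" if destroys_backups and safe_mode else "high"
    return severity


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:5} {a['rule']:32} parent={a['parent']:15} {a['cmdline']}")
    print(hosts_by_severity(found))
```

In a real deployment the same rules would be expressed in the SIEM's own query language; the point here is that shadow copy deletion and safe-mode boot changes are rare in normal administration, so a single match per host is worth a look and a host producing both within a short window should be isolated and investigated before the encryption stage runs.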

It is crucial for companies and individuals to remain vigilant and take necessary cybersecurity measures to protect against such attacks. The growing threat of ransomware groups like MEDUSA highlights the need for robust security protocols and regular cybersecurity assessments to identify and mitigate vulnerabilities.
