About Medusa
Medusa is a ransomware strain whose list of victims (businesses, schools and other institutions) has grown sharply in recent months. It should not be confused with the MedusaLocker Ransomware-as-a-Service operation, nor with the unrelated Medusa Android banking trojan. The following blog post is all I have found in my investigation thus far. If you want to learn how the ransomware works at a system level and which processes it executes, I would recommend this Deep Dive from SecurityScorecard.
The Onion Site
Organisations whose data the Medusa operators claim to have exfiltrated are posted to a leak site reachable only via the Tor Browser. A post typically appears within a week of the ransom note first showing up on the victim's systems. The onion address was easy to find thanks to darkfeed.io, a threat-intelligence site that tracks ransomware groups' leak sites.

The onion site lists Medusa's victims in reverse chronological order (most recent first). Each entry shows either the ransom demanded for deletion or recovery of the exfiltrated data together with a countdown to publication or, once the deadline has passed, the label 'PUBLISHED'.

Each victim's page carries a short description of the organisation, a carousel of images showing samples of the stolen data and, at the bottom, a file tree listing every file and directory in the dump. Nearer the top, the viewer is offered three paid options: add one day to the countdown, delete the data, or download the data. The price of each option differs from victim to victim.

Moreover, at the top of the site, there are two links – one to a Twitter search for ‘medusa ransomware’, and the other links to a Telegram channel which announces every leak.
Telegram
For the uninitiated, Telegram is a cloud-based messaging platform often described as privacy-focused. Note that only its optional 'secret chats' are end-to-end encrypted; public channels and groups such as the ones below are not, and their content is visible to anyone who has the link.
The Channel
As previously mentioned, the onion site links to a Telegram channel called 'information support', which at the time of writing has 2,247 subscribers. The channel announces leaks and, once a countdown has expired, it is also where torrent files for the victim's data are published. These torrents range from a few gigabytes to many hundreds. The attackers also upload the data as .rar archives which, because of their size, are usually split into multi-volume parts; with every part downloaded, an archive tool reassembles the whole archive, which can then be opened with the archive password posted on osintcorp.uk.
(RAR is a proprietary archive format that supports compression, password-based encryption and splitting into volumes.)

The Chat
This channel also links to a group called 'Osintcorp chat', which at the time of writing has 1,645 members. Every post on the channel is automatically mirrored into this chat; there is also some chatter about the leaks and other unrelated topics, but it reveals nothing new about the operation. The chat appears to be owned/moderated by an account with the username 'Inf_sup_admin' who goes by Richard Revins, likely an alias.

Furthermore, another person by the name of Robert appears to post all the messages on the Telegram channel, which does beg the question – could Richard & Robert in fact be the same person?
Osintcorp
The Osintcorp chat links each published leak to a website at the domain 'osintcorp.uk'. The website is styled as a tech blog, but this is merely a façade: it is the site that hosts all the data the attackers have published. Besides the stolen data, it carries articles on a number of victims, each with a description of the organisation and a video of the attackers browsing through files in the stolen data; these videos often run for between 40 minutes and an hour.

WordPress
After some digging, it was quickly established that this website (like the blog you're reading!) runs on WordPress, a very common platform for building websites, especially blogs.
WordPress uses a well-known directory layout, and several of its paths are worth checking on any WordPress site. /wp-admin is the administration panel where posts are created and the site is configured; without credentials it simply redirects to the /wp-login.php login form, but its presence confirms WordPress. /wp-content/uploads holds everything uploaded through the media library (images and attachments), filed into folders by year and then month (/wp-content/uploads/YYYY/MM/). Unlike /wp-content, that folder ships without an index.php, so if the web server has directory listing enabled, every file in it can be browsed by anyone, which was the case on osintcorp.uk.
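The walk through the uploads tree described above, as an added example that is not code from the original post. It assumes the server renders Apache- or nginx-style autoindex pages (WordPress itself never produces a listing, so this only works where directory indexing is enabled); the sample pages and the example.invalid site are constructed for the example, and the crawl runs entirely offline against them.

```python
"""Walk a WordPress uploads tree through exposed directory listings.

Added example (not code from the original post). It assumes the web server
renders Apache- or nginx-style autoindex pages for /wp-content/uploads/;
WordPress itself does not produce these, so they exist only where the
server has directory indexing enabled. All sample pages below are
constructed for this example; example.invalid is a reserved test domain.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class _LinkParser(HTMLParser):
    """Collect every href on an autoindex page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listing_entries(page_url, html):
    """Split an autoindex page into (subdirectory URLs, file URLs).

    Apache's column-sort links ("?C=N;O=D"), its absolute parent link
    ("/wp-content/uploads/") and nginx's "../" are skipped so that a
    recursive crawl cannot climb out of the tree or loop on sort orders.
    """
    parser = _LinkParser()
    parser.feed(html)
    dirs, files = [], []
    for href in parser.hrefs:
        if href.startswith(("?", "/", "../", "http://", "https://")):
            continue
        absolute = urljoin(page_url, href)
        (dirs if href.endswith("/") else files).append(absolute)
    return dirs, files


def month_urls(site, years):
    """Candidate folders to probe: WordPress stores uploads as /wp-content/uploads/YYYY/MM/ by default."""
    base = site.rstrip("/") + "/wp-content/uploads"
    return [f"{base}/{year}/{month:02d}/" for year in years for month in range(1, 13)]


def crawl(fetch, root):
    """Depth-first walk from `root`; `fetch(url)` returns the page body, or None when not listable."""
    seen, stack, files = set(), [root], []
    while stack:
        url = stack.pop()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        subdirs, found = listing_entries(url, body)
        files.extend(found)
        stack.extend(subdirs)
    return sorted(files)


# Constructed sample of a listable uploads tree (Apache-style at the top level, nginx-style below).
SAMPLE_SITE = "https://example.invalid"
SAMPLE_PAGES = {
    f"{SAMPLE_SITE}/wp-content/uploads/2021/": (
        '<html><body><h1>Index of /wp-content/uploads/2021</h1><pre>'
        '<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>\n'
        '<a href="/wp-content/uploads/">Parent Directory</a>\n'
        '<a href="03/">03/</a>\n<a href="11/">11/</a>\n</pre></body></html>'
    ),
    f"{SAMPLE_SITE}/wp-content/uploads/2021/03/": (
        '<html><body><h1>Index of /wp-content/uploads/2021/03/</h1><hr><pre>'
        '<a href="../">../</a>\n<a href="photo-1.jpg">photo-1.jpg</a>\n'
        '<a href="scan.pdf">scan.pdf</a>\n</pre><hr></body></html>'
    ),
    f"{SAMPLE_SITE}/wp-content/uploads/2021/11/": (
        '<html><body><pre><a href="../">../</a>\n'
        '<a href="leak-sample.png">leak-sample.png</a>\n</pre></body></html>'
    ),
}


def demo():
    """Crawl the constructed sample tree; against a real target, pass an HTTP fetch function instead."""
    return crawl(SAMPLE_PAGES.get, f"{SAMPLE_SITE}/wp-content/uploads/2021/")


if __name__ == "__main__":
    for url in demo():
        print(url)
```

Against a live site, `fetch` would be a function that requests the URL (through Tor, for a site like this one) and returns the body only when the response is an actual listing rather than a redirect or a 403; `month_urls` gives the folders to seed it with when the top-level uploads directory itself is not listable.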
Origins of Medusa
These default directories allowed me to find a number of images which begin to paint a picture of the attackers' possible origin/nationality. A number of images in osintcorp.uk's /wp-content/uploads/2020 and /wp-content/uploads/2021 folders appear to originate from sources based in former Soviet countries (often Sputnik News).
However, this isn't the only clue to the attackers' possible origin. WordPress publishes an RSS feed of the site's posts, linked at the bottom of the page. At the end of every article in that feed is the Russian phrase 'появились сначала на' (which translates to 'first appeared on') followed by a link to osintcorp.uk. That line is a localised version of the 'The post X appeared first on Y' footer that WordPress RSS plugins append to each item, so it tells us that the site's language setting is Russian.
Finally, there is one more clue: if you enter an invalid URL on osintcorp.uk, you are sent to a 404 page whose title includes another Russian phrase, 'страница не найдена' (which translates to 'page not found'). That is WordPress's own translation of its 'Page not found' title, so it points to the same thing: the site was installed with Russian as its locale.
None of these clues is definitive proof that the attackers are Russian (they show that the site was configured in Russian and draws on Russian-language sources, both of which a non-Russian operator could arrange), but there is a good chance that this is the case.
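The feed and 404-page checks above, turned into a small fingerprinting helper; this is an added example, not code from the original post. A WordPress feed (served at /feed/) carries the configured locale in its <language> element and the core version in <generator>, and the per-item 'appeared first on' footer and the 404 title both come from the site's translation files. Both samples are constructed; the Russian strings are the ones quoted above, and the phrase tables only contain the English and Russian variants, which is an assumption you would extend for other locales.

```python
"""Pull locale fingerprints out of a WordPress site's RSS feed and 404 page.

Added example (not code from the original post). WordPress serves its feed
at /feed/ and puts the configured site locale in the feed's <language>
element and the core version in <generator>; the "appeared first on" line
at the end of each item is a plugin RSS footer, and the 404 page title comes
from the same translation files. Both samples below are constructed; the
Russian strings are the ones the post quotes.
"""
import re
import xml.etree.ElementTree as ET

NS = {"content": "http://purl.org/rss/1.0/modules/content/"}

# Translations of the RSS-footer phrase and of the core "Page not found" title
# that this example recognises (locale code -> phrase, compared case-insensitively).
# Assumption: only the two locales relevant to the post are listed.
FOOTER_PHRASES = {"en": "appeared first on", "ru": "появились сначала на"}
NOT_FOUND_TITLES = {"en": "page not found", "ru": "страница не найдена"}


def feed_locale_signals(feed_xml):
    """Return the locale, WordPress version and footer languages seen in an RSS 2.0 feed."""
    channel = ET.fromstring(feed_xml).find("channel")
    generator = channel.findtext("generator", default="")
    version = re.search(r"wordpress\.org/\?v=([\d.]+)", generator)
    footer_locales = set()
    for item in channel.findall("item"):
        body = item.findtext("content:encoded", default="", namespaces=NS) or item.findtext("description", default="")
        for code, phrase in FOOTER_PHRASES.items():
            if phrase in body.casefold():
                footer_locales.add(code)
    return {
        "language": channel.findtext("language"),
        "wp_version": version.group(1) if version else None,
        "footer_locales": sorted(footer_locales),
    }


def not_found_locale(html):
    """Guess the site locale from the <title> of a 404 page; None if it is not a known translation."""
    match = re.search(r"<title>(.*?)</title>", html, re.S | re.I)
    if not match:
        return None
    title = match.group(1).casefold()
    for code, phrase in NOT_FOUND_TITLES.items():
        if phrase in title:
            return code
    return None


# Constructed sample feed in the shape WordPress emits (one item, Russian locale, footer line appended).
SAMPLE_FEED = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
  <title>Example tech blog</title>
  <link>https://example.invalid</link>
  <language>ru-RU</language>
  <generator>https://wordpress.org/?v=6.2</generator>
  <item>
    <title>Victim write-up</title>
    <link>https://example.invalid/victim-write-up/</link>
    <content:encoded><![CDATA[<p>Constructed article body.</p>
<p>Запись <a href="https://example.invalid/victim-write-up/">Victim write-up</a> появились сначала на <a href="https://example.invalid">Example tech blog</a>.</p>]]></content:encoded>
  </item>
</channel>
</rss>"""

# Constructed 404 page title as WordPress renders it for a Russian locale.
SAMPLE_404 = "<html><head><title>Страница не найдена &#8211; Example tech blog</title></head><body></body></html>"


if __name__ == "__main__":
    print(feed_locale_signals(SAMPLE_FEED))
    print(not_found_locale(SAMPLE_404))
```

The <language> element is the strongest of the three signals because it is set directly from the locale chosen in Settings, whereas a footer phrase can be edited by hand in the plugin settings; agreement between all three is what makes the Russian-locale reading convincing.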
Accounts in Higher Places
The website osintcorp.uk doesn't just link to the eponymous Telegram chat; it also links to a Twitter profile and a Facebook profile.
The Twitter profile, username 'OSINT_with_bord', goes by the name Robert Vroofdown. It mentions published data in much the same manner as the Telegram channel.

The Facebook account is near identical in this respect, except that its name is Robert Enaber rather than Vroofdown.

In addition to the Twitter and Facebook accounts, the owner of osintcorp.uk also appears to have an account on nulled.to, a popular forum with sections on hacking, making money and leaks, among other things.

All of the aforementioned accounts share some features, such as the profile picture, and all of them serve as yet another channel for publicising the leaks.
Before this post was published, the owner of osintcorp.uk also had an account on BreachForums (recently taken down following FBI action); the account name was 't0mas'.
Furthermore, according to a KELA report, the owner of osintcorp.uk is also purported to have had a RaidForums account (a forum likewise shut down by law enforcement) under the name '1941Roki', which primarily offered databases of Russian and Ukrainian individuals.
The Vimeos
Looking through some of the older threads of the aforementioned Nulled account, one thread caught my interest. Its title was simply "Omega Morgan", the name of a company whose data the owner of the Nulled account appeared to have access to (likely through a data breach or ransomware attack of the same kind as those suffered by the Medusa victims).

This thread linked to a video on Vimeo titled "OMEGA MORAGAN INC Part1" (sic), uploaded by an account named Гарри Давыдов (Garry Davydov in Latin script).

Searching for a 'Гарри Давыдов' on Russian social media (such as VKontakte or Odnoklassniki) suggested that this account was merely an alias used by the attackers. However, searching Vimeo for other videos with the same title ('OMEGA MORAGAN') turned up one more match: a video with the exact same title, uploaded by another account with a Russian name only six hours earlier on the same day.

I haven't yet been able to properly research the uploader of that video, Дмитрий Балин (Dmitriy Balin in Latin script). However, given its far lower view count compared to the first video, it is possible that this is the real name of someone associated with the Medusa ransomware group (if so, likely the owner of osintcorp.uk).
But why re-upload the video to a different account and share that one instead? Likely an opsec slip, if you ask me. All I can say is that at this point it's almost guaranteed that the Medusa ransomware group is from Russia or another CIS country.
The IP
Because osintcorp.uk sits behind Cloudflare, the domain resolves to Cloudflare's proxy addresses rather than to the server that actually hosts it, so finding the origin IP took a little more work.
In the end, a simple Google dork for Shodan pages matching the term "osintcorp.uk" (for example, site:shodan.io "osintcorp.uk") produced the result. osintcorp.uk's origin IP address appears to be 5.255.112.198, hosted by an ISP called LiteServer/The Infrastructure Group in the Netherlands. LiteServer and The Infrastructure Group appear to be genuine companies providing genuine hosting, not fronts for a dark-web bulletproof-hosting service. That said, according to Scamalytics, the IPs for both osintcorp.uk and fresnot.uk have a worryingly high fraud score (75/100), and traffic from The Infrastructure Group B.V. is rated high risk.
Another IP (5.255.98.242), hosted by the same ISP, is also of interest: it hosts a website at the domain 'fresnot.uk', registered in the same month as osintcorp.uk (November 2022), and is serving the .rar and torrent versions of some of Medusa's most recent leaks.
Remember that Telegram channel from earlier in this post? fresnot.uk appears there as a download option for the data of the most recent leak. (I did check whether 'fresnot' is a Russian word; it would appear not.)
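A quick way to triage origin candidates for a Cloudflare-fronted site, as an added example that is not from the original post. Anything a domain resolves to inside Cloudflare's published ranges is the proxy, not the origin, so a Shodan or Censys hit outside those ranges is what you verify next; the range list below is a snapshot of Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) and should be refreshed before real use, the DNS answers are constructed, and the two Shodan hosts are the ones named above.

```python
"""Sanity-check candidate origin IPs for a Cloudflare-fronted site.

Added example (not code from the original post). A domain behind Cloudflare
resolves to Cloudflare's anycast addresses, so anything in those ranges is
the proxy, not the origin; a Shodan/Censys hit outside them is a candidate
origin worth verifying. The range list is a snapshot of Cloudflare's
published IPv4 list (https://www.cloudflare.com/ips-v4); refresh it before
relying on it. The Shodan hosts are the ones the post found.
"""
import ipaddress

CLOUDFLARE_V4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if the IPv4 address belongs to Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def origin_candidates(ips):
    """Keep only the addresses that could be an origin server: publicly routable and not Cloudflare."""
    keep = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_global and not is_cloudflare(ip):
            keep.append(ip)
    return keep


def common_prefix_len(a, b):
    """Longest common leading prefix (in bits) of two IPv4 addresses; 32 means identical.

    Two hosts found independently that share a long prefix usually sit in the
    same allocation, which is the pivot that linked fresnot.uk to osintcorp.uk.
    """
    diff = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    return 32 - diff.bit_length()


# Constructed input: typical answers for a Cloudflare-proxied name, plus the two hosts the post found on Shodan.
DNS_ANSWERS = ["104.21.0.1", "172.67.0.1"]
SHODAN_HITS = ["5.255.112.198", "5.255.98.242"]

if __name__ == "__main__":
    print("proxy addresses:", [ip for ip in DNS_ANSWERS if is_cloudflare(ip)])
    print("origin candidates:", origin_candidates(DNS_ANSWERS + SHODAN_HITS))
    print("shared prefix of the two Shodan hosts: /%d" % common_prefix_len(*SHODAN_HITS))
```

To confirm that a candidate really is the origin, send the request straight to it with the right hostname and SNI, for example `curl -sk --resolve osintcorp.uk:443:5.255.112.198 https://osintcorp.uk/`; if the same site comes back rather than the host's default page, the address is confirmed. Bear in mind that this contacts the operators' server directly and bypasses Cloudflare, so your own address lands in their logs; do it from infrastructure you are prepared to burn.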
The Plot Thickens
Osintcorp.uk was first registered in November 2022 and stayed online until early May 2023, when Nominet (the registry that operates the .uk top-level domain) suspended its registration along with that of fresnot.uk. The Medusa ransomware gang swiftly switched to another domain: osintcorp.net. The new domain has a homepage identical to osintcorp.uk, but the directory that held the data for all of Medusa's leaks (creatively named /data) appears to be empty.
This new domain resolves to 84.54.50.21, hosted by an ISP called Delis LLC/Des Capital B.V. (based in the Netherlands, like LiteServer). As with The Infrastructure Group, Scamalytics rates traffic from Delis LLC as high risk (risk score 70/100).
The gang has also started using another domain, big-4-data.com, to replace the now-defunct fresnot.uk. Its IP, 185.252.179.50, is hosted by an ISP called Sukhoi SU-57 LLC.
Looking at the upstream providers of both ISPs, it is likely that the attackers' servers ultimately sit with a hosting company called Serverion, which has a reputation for hosting infrastructure used in other criminal activity.
Useful Links
Tor Browser – https://torproject.org
Darkfeed.io – https://darkfeed.io/ransomgroups
Medusa .onion site – medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion (copy & open in Tor Browser, check your security settings first)
‘information support’ Telegram channel – https://t.me/+yXOcSjVjI9tjM2E0
‘Osintcorp chat’ Telegram chat – https://t.me/Osintcorp_chat
Twitter account – https://twitter.com/OSINT_with_bord
Facebook account – https://www.facebook.com/OSINTwithoutborder
Nulled account – https://www.nulled.to/user/2462661-informsupport
osintcorp.uk – https://osintcorp.uk (visit via Tor Browser: copy the link and open it there)
osintcorp.net – https://osintcorp.net (via Tor Browser, as above)
fresnot.uk – https://fresnot.uk (via Tor Browser, as above)
big-4-data.com – https://big-4-data.com (via Tor Browser, as above)
/wp-content/uploads/2020 – https://osintcorp.uk/wp-content/uploads/2020 (via Tor Browser, as above)
/wp-content/uploads/2021 – https://osintcorp.uk/wp-content/uploads/2021 (via Tor Browser, as above)
KE-LA report – https://ke-la.com/wp-content/uploads/2023/04/KELA_Research_Q1-2023_ransomware-and-network-access-sales.pdf
Shodan (osintcorp.uk) – https://shodan.io/host/5.255.112.198
Shodan (fresnot.uk) – https://www.shodan.io/host/5.255.98.242
Censys (osintcorp.net) – https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=osintcorp.net
Censys (big-4-data.com) – https://search.censys.io/hosts/185.252.179.50?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=big-4-data.com&at_time=2023-05-28T08:56:31.04Z
Vimeo/Гарри Давыдов – https://vimeo.com/user188847478
First OMEGA MORAGAN video – https://vimeo.com/770911850
Vimeo/Дмитрий Балин – https://vimeo.com/user188807012
Second OMEGA MORAGAN video – https://vimeo.com/770781341
My Blog – https://wind23.nl/blog
Notes
- The attackers have a Bitcoin address, shown when clicking an option on a victim page on the onion site: bc1qfjuwdfq90ld77v47093yuzt344807uzk7h3qpu. At the time of writing, no ransom payment has been received at this address.
- The attackers have two Tox IDs: one presented on the onion site as the negotiation channel for victims (4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F) and one presented on the Telegram channel for general communication with the attackers (AA6AB832B08EC0D271BD5EE9A086B0549BC54DCA5EB1F21BF372B2879B71F024FBFBF16C0710). Because Tox is a peer-to-peer messenger with no server-side store-and-forward, both the sender and the operator of the ID must be online at the same time for a message to be delivered.
- An email address, osintcorp.uk@gmail.com, has been appearing in the owner's comments on several posts on osintcorp.uk; its linked recovery email is myq*********@protonmail.ch, and nothing more could be found.
- According to Shodan, the server running fresnot.uk reports Russian (ru-RU) as its primary language; again, could the attackers be Russian?
The End
Thanks for reading this post on my findings around the Medusa ransomware group – this is by no means finished (as I’m sure I have probably forgotten to add something), but I shall continue to update this post with any new findings I make. If you know anything more about the Medusa ransomware group than what is in this post, please let me know in the comments below or email max@wind23.nl!
Last Updated on May 28, 2023 by admin